347| Virtual Private Networks AOS-W 6.5.3.x| User Guide
You then specify the default user role and authentication server group in the VPN authentication default
profile, as described in the sections below.
ESP Tunnel Mode is the only supported IPsec mode of operation. AOS-W does not support AH and Transport modes.
Selecting an IKE protocol
Switches running AOS-W version 6.1 and later support both IKEv1 and the newer IKEv2 protocol to establish
IPsec tunnels. Though both IKEv1 and IKEv2 support the same suite-B cryptographic algorithms, IKEv2 is a
simpler, faster, and more reliable protocol than IKEv1.
If your IKE policy uses IKEv2, you should be aware of the following caveats when you configure your VPN:
• AOS-W does not support separate pre-shared keys for the two directions of an exchange; both peers must use the same pre-shared key. AOS-W does not support mixed authentication with both pre-shared keys and certificates; each authentication exchange requires a single authentication type. For example, if a client authenticates with a pre-shared key, the switch must also authenticate with a pre-shared key.
• AOS-W does not support IKEv2 Authentication Headers (AH) or IP Payload Compression Protocol (IPComp).
• Starting with AOS-W 6.5, non-Aruba devices can fragment large IKE_AUTH packets as described in RFC 7383, Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation, when the Aruba device acts as the responder (not as the initiator).
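The RFC 7383 caveat above concerns how a peer splits a large IKE_AUTH message into Encrypted Fragment payloads and how the receiving side puts them back together. The following Python example is added here and is not part of the AOS-W guide or product; it shows the fragment framing and the receiver-side checks, and it assumes the fragment body is carried in cleartext (the IV, encryption and ICV of the real payload are left out) over constructed sample data.

```python
"""IKEv2 message fragmentation framing as defined in RFC 7383 (Encrypted Fragment payload).
Constructed example: bodies are cleartext (no IV, encryption or ICV); the point is numbering,
the Next Payload rule for the first fragment, and the reassembly checks a receiver must make."""
import struct

SKF_HDR_LEN = 8  # generic payload header (4 bytes) + Fragment Number (2) + Total Fragments (2)


def fragment(first_payload_type, plaintext, max_fragment_len):
    """Split one message's plaintext into Encrypted Fragment payloads, each <= max_fragment_len."""
    room = max_fragment_len - SKF_HDR_LEN
    if room <= 0:
        raise ValueError("max_fragment_len leaves no room for data")
    chunks = [plaintext[i:i + room] for i in range(0, len(plaintext), room)] or [b""]
    if len(chunks) > 0xFFFF:
        raise ValueError("too many fragments for a 16-bit Total Fragments field")
    frags = []
    for num, chunk in enumerate(chunks, start=1):
        # Only fragment 1 names the first inner payload type; every later fragment carries 0.
        next_payload = first_payload_type if num == 1 else 0
        header = struct.pack("!BBHHH", next_payload, 0, SKF_HDR_LEN + len(chunk), num, len(chunks))
        frags.append(header + chunk)
    return frags


class Reassembler:
    """Receiver side: collect the fragments of one message and rebuild it once all have arrived."""
    def __init__(self):
        self.total = None
        self.first_payload_type = None
        self.bodies = {}

    def add(self, frag):
        """Validate one fragment; return (first_payload_type, plaintext) when complete, else None."""
        if len(frag) < SKF_HDR_LEN:
            raise ValueError("fragment shorter than its header")
        next_payload, _, length, num, total = struct.unpack("!BBHHH", frag[:SKF_HDR_LEN])
        if length != len(frag) or num == 0 or total == 0 or num > total:
            raise ValueError("malformed Encrypted Fragment header")
        if self.total is None:
            self.total = total
        elif total != self.total:
            # Simplification: a mismatching Total Fragments value is rejected outright.
            raise ValueError("Total Fragments differs from earlier fragments of this message")
        if num == 1:
            self.first_payload_type = next_payload
        elif next_payload != 0:
            raise ValueError("Next Payload must be zero in fragments after the first")
        self.bodies.setdefault(num, frag[SKF_HDR_LEN:])  # a retransmitted duplicate is ignored
        if len(self.bodies) < self.total:
            return None
        return self.first_payload_type, b"".join(self.bodies[i] for i in range(1, self.total + 1))
```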
Understanding Suite-B Encryption Licensing
Alcatel-Lucent switches support Suite-B cryptographic algorithms when the Advanced Cryptography (ACR)
license is installed. Table 80 describes the Suite-B algorithms supported by AOS-W IKE Policies and IPsec
tunnels. For further details on configuring a VPN to use Suite-B algorithms, see Configuring a VPN for
L2TP/IPsec with IKEv2 on page 356.
Table 80: Suite-B Algorithms Supported by the ACR License

| IKE Policies | Suite-B for IPsec tunnels |
|---|---|
| Hash: SHA-256-128, SHA-384-192 | Encryption: AES-128-GCM, AES-256-GCM |
| Diffie-Hellman (DH) Groups: ECP-256, ECP-384 | Perfect Forward Secrecy (PFS): ECP-256, ECP-384 |
| Pseudo-Random Function (PRF): HMAC_SHA_256, HMAC_SHA_384 | — |
| Suite-B certificates: ECDSA-256, ECDSA-384 | — |
The AOS-W hardware supports IKE Suite-B AES-128-GCM and AES-256-GCM encryption. AOS-W software performs the IKE Suite-B Diffie-Hellman and certificate-based signature operations, as well as the hash, PFS, and PRF algorithm functions.
The following VPN clients support Suite-B algorithms when establishing an L2TP/IPsec VPN: