Selecting Certificates
To configure the VPN to support machine authentication using certificates, define the IKE Server certificates for
VPN clients using IKEv2. Note that these certificate must be imported into the switch, as described in
Management Access on page 833.
1. Select the IKEv2 server certificate for client machines using IKEv2 by clicking the IKEv2 Server Certificate
drop-down list and selecting an available certificate name.
2. If you are configuring a VPN to support IKEv2 clients using certificates, you must also assign one or more
trusted CA certificates to VPN clients.
a. Under CA Certificate Assigned for VPN-clients, click Add.
b. Select a CA certificate from the drop-down list of CA certificates imported in the switch.
c. Click Done.
d. Repeat the above steps to add additional CA certificates.
Configuring IKE Policies
AOS-W contains several predefined default IKE policies, as described in Table 85. If you do not want to use any
of these predefined policies, you can use the procedures below to delete a factory-default policy, edit an
existing policy, or create your own custom IKE policy instead.
The IKE policy selections must be reflected in the VPN client configuration. When using a third-party VPN client, set
the VPN configuration on clients to match the choices made above. In case the Alcatel-Lucent dialer is used, these
configurations must be made on the dialer prior to downloading the dialer onto the local client.
1. Scroll down to the IKE Policies section of the IPSEC tab, then click Edit to edit an existing policy or click Add
to create a new policy.
You can also delete a predefined factory-default IKE policy by clicking Delete.
2. Enter a number into the Priority field to set the priority for this policy. Enter a priority of 1 for the
configuration to take priority over the Default setting.
3. Select the IKE version. Click the Version drop-down list and select V2 for IKEv2.
4. Set the Encryption type. Click the Encryption drop-down list and select one of the following encryption
types:
n DES
n 3DES
n AES128
n AES192
n AES256
5. Set the HASH function. Click the Hash drop-down list and select one of the following hash types:
n MD5
n SHA
n SHA1-96
n SHA2-256-128
n SHA2-384-192
6. AOS-W VPNs support IKEv2 client authentication using RSA digital certificates or Elliptic Curve Digital
Signature Algorithm (ECDSA) certificates. To set the authentication type for the IKE rule, click the
Authentication drop-down list and select one of the following types:
n RSA
n ECDSA-256
AOS-W 6.5.3.x | User Guide Virtual Private Networks | 358
To Next Page
Loading...