• Group 19: 256-bit random Diffie–Hellman ECP modulus group.
• Group 20: 384-bit random Diffie–Hellman ECP modulus group.
6. Select the transform set for the map to define a specific encryption and authentication type used by the
dynamic peer. Click the Transform Set drop-down list, and select the transform set for the dynamic peer.
To view current configuration settings for an IPsec transform-set, access the command-line interface and issue the
command crypto ipsec transform-set tag <transform-set-name>.
7. Set the Life Time to define the lifetime of the security association for the dynamic peer in seconds or
kilobytes. The default value is 7200 seconds. To change this value, uncheck the default checkbox and enter
a value between 300 and 86400 seconds or 1000 and 1000000000 kilobytes.
8. Click Done.
Finalizing WebUI changes
When you have finished configuring your IPsec VPN settings, click Apply to apply the new settings before
navigating to other pages.
Configuring an L2TP VPN with IKEv2 in the CLI
Use the following procedures in the CLI to configure a remote access VPN for L2TP IPsec using IKEv2:
1. Define the server addresses:
(host)(config) #vpdn group l2tp
enable
client configuration {dns|wins} <ipaddr1> [<ipaddr2>]
2. Enable authentication methods for IKEv2 clients:
(host)(config) #crypto isakmp eap-passthrough {eap-mschapv2|eap-peap|eap-tls}
3. Create address pools:
(host)(config) #ip local pool <pool> <start-ipaddr> <end-ipaddr>
4. Configure source NAT:
(host)(config) #ip access-list session srcnat user any any src-nat pool <pool> position 1
5. If you are configuring a VPN to support machine authentication using certificates, define server certificates
for VPN clients using IKEv2:
(host)(config) #crypto-local isakmp server-certificate <cert>
The IKE pre-shared key value must be between 6 and 64 characters. To configure a pre-shared IKE key that contains
non-alphanumeric characters, surround the key with quotation marks.
For example: crypto-local isakmp key "key with spaces" fqdn-any
6. Define IKEv2 Policies:
(host)(config) #crypto isakmp policy <priority>
encryption {3des|aes128|aes192|aes256|des}
version v2
authentication {pre-share|rsa-sig|ecdsa-256|ecdsa-384}
group {1|2|19|20}
hash {md5|sha|sha1-96|sha2-256-128|sha2-384-192}
prf {PRF-HMAC-MD5|PRF-HMAC-SHA1|PRF-HMAC-SHA256|PRF-HMAC-SHA384}
lifetime <seconds>
7. Define IPsec Tunnel parameters:
(host)(config) #crypto ipsec
mtu <max-mtu>
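As an added review aid, not part of this guide or of the AOS-W CLI, the Python script below parses a pasted crypto isakmp policy block, checks every keyword against the option sets given in step 6, flags the choices that are valid syntax but obsolete (DES, 3DES, MD5, DH groups 1 and 2), and builds the pre-shared-key line using the 6 to 64 character and quoting rules from step 5. The sample policy text is constructed, and the lifetime range applied to the IKE policy is assumed to match the 300 to 86400 second window the guide states for the IPsec SA.

```python
# Option sets exactly as listed in the IKEv2 policy syntax above.
ALLOWED = {
    "encryption": {"3des", "aes128", "aes192", "aes256", "des"},
    "authentication": {"pre-share", "rsa-sig", "ecdsa-256", "ecdsa-384"},
    "group": {"1", "2", "19", "20"},
    "hash": {"md5", "sha", "sha1-96", "sha2-256-128", "sha2-384-192"},
    "prf": {"PRF-HMAC-MD5", "PRF-HMAC-SHA1", "PRF-HMAC-SHA256", "PRF-HMAC-SHA384"},
}
# Valid syntax but obsolete choices: single DES, 3DES, MD5 and MODP groups 1/2.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "prf": {"PRF-HMAC-MD5"}, "group": {"1", "2"}}

def parse_policy(text):
    """Map each keyword line of a 'crypto isakmp policy' block to its value."""
    policy = {}
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and not parts[0].startswith("("):  # skip a pasted prompt line
            policy[parts[0]] = parts[1].strip()
    return policy

def audit_policy(text):
    """Return a list of findings for one policy block; an empty list means it passes."""
    p, findings = parse_policy(text), []
    if p.get("version") != "v2":
        findings.append("version: must be v2 for an IKEv2 policy")
    for kw, allowed in ALLOWED.items():
        val = p.get(kw)
        if val not in allowed:
            findings.append(f"{kw}: {val!r} is missing or not a valid option")
        elif val in WEAK.get(kw, ()):
            findings.append(f"{kw}: {val!r} is obsolete, choose a stronger option")
    life = p.get("lifetime", "")
    # Assumption: IKE policy lifetime is held to the 300-86400 s window given above for the IPsec SA.
    if not life.isdigit() or not 300 <= int(life) <= 86400:
        findings.append("lifetime: expected an integer from 300 to 86400 seconds")
    return findings

def psk_command(key, peer="fqdn-any"):
    """Build the 'crypto-local isakmp key' line: 6-64 characters, quoted if not purely alphanumeric."""
    if not 6 <= len(key) <= 64:
        raise ValueError("pre-shared key must be 6-64 characters")
    shown = key if key.isalnum() else '"' + key + '"'
    return f"crypto-local isakmp key {shown} {peer}"

# Constructed samples: a strong block, and the same block with obsolete choices.
GOOD_POLICY = "\n".join(["encryption aes256", "version v2", "authentication ecdsa-384",
                         "group 20", "hash sha2-384-192", "prf PRF-HMAC-SHA384",
                         "lifetime 28800"])
WEAK_POLICY = GOOD_POLICY.replace("aes256", "3des").replace("group 20", "group 2")
```

Running audit_policy(GOOD_POLICY) returns an empty list, while audit_policy(WEAK_POLICY) returns one finding each for the 3DES cipher and DH group 2.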
AOS-W 6.5.3.x | User Guide Virtual Private Networks | 360