365| Virtual Private Networks AOS-W 6.5.3.x| User Guide
b. Specify the pool name, start address, and end address.
c. Click Done.
7. Click Apply to apply the changes before navigating to other pages.
In the CLI
(host)(config) #vpdn group pptp
   enable
   client configuration {dns|wins} <ipaddr1> [<ipaddr2>]
   ppp authentication {mschapv2}
(host)(config) #pptp ip local pool <pool> <start-ipaddr> <end-ipaddr>
Working with Site-to-Site VPNs
Site-to-site VPNs allow sites in different locations to securely communicate with each other over a Layer-3
network such as the Internet. You can use Alcatel-Lucent switches instead of VPN concentrators to connect the
sites. You can also use a VPN concentrator at one site and a switch at the other site.
The Alcatel-Lucent switch supports the following IKE SA authentication methods for site-to-site VPNs:
- Preshared key: Note that the same IKE shared secret must be configured on both the local and remote
sites.
- Suite-B cryptographic algorithms
- Digital certificates: You can configure an RSA or ECDSA server certificate and a CA certificate for each
site-to-site VPN IPsec map configuration. If you use certificate-based authentication, the peer must be identified
by its certificate subject name, distinguished name (for deployments using IKEv2), or by the peer’s IP
address (for IKEv1). For more information about importing server and CA certificates into the switch, see
Management Access on page 833.
Certificate-based authentication is only supported for site-to-site VPN between two switches with static IP addresses.
IKEv1 site-to-site tunnels cannot be created between master and local switches.
Enable IP compression in an IPsec map to reduce the size of data frames transmitted over a site-to-site VPN
between OAW-4x50 Series or OAW-40xx Series switches using IKEv2 authentication. IP compression can
reduce the time required to transmit the frame across the network. When this hardware-based compression
feature is enabled, the quality of unencrypted traffic (such as Lync or Voice traffic) is not compromised by
increased latency or decreased throughput. IP compression is disabled by default.
This feature is only supported in an IPv4 network using IKEv2. This feature cannot be enabled on an OAW-4450 switch
or on a site-to-site VPN established using IKEv1.
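The constraints above can be checked against a planned tunnel before any IPsec map is configured. The following is an added example, not code from AOS-W or this guide; the Site and Tunnel records, their field names, and the regular expression used to read the "OAW-4x50" and "OAW-40xx" series wildcards are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Assumed reading of the guide's "OAW-4x50" / "OAW-40xx" series wildcards.
COMPRESSION_MODELS = re.compile(r"OAW-(4\d50|40\d\d)$")

@dataclass
class Site:  # hypothetical planning record, not an AOS-W object
    model: str
    role: str  # "master", "local" or "standalone"
    static_ip: bool
    psk: str = ""

@dataclass
class Tunnel:  # hypothetical description of one planned site-to-site VPN
    a: Site
    b: Site
    ike: int  # 1 or 2
    auth: str  # "psk" or "cert"
    peer_id: str = "ip"  # "ip", "subject-name" or "dn"
    ipv6: bool = False
    ip_compression: bool = False

def check(t: Tunnel) -> list:
    """Return the guide's site-to-site constraints that this plan violates."""
    errs, sites = [], (t.a, t.b)
    if t.auth == "psk" and (not t.a.psk or t.a.psk != t.b.psk):
        errs.append("psk: IKE shared secret must be identical on both sites")
    if t.auth == "cert":
        if not all(s.static_ip for s in sites):
            errs.append("cert: both switches need static IP addresses")
        if t.ike == 1 and t.peer_id != "ip":
            errs.append("cert: IKEv1 identifies the peer by IP address")
        if t.ike == 2 and t.peer_id not in ("subject-name", "dn"):
            errs.append("cert: IKEv2 identifies the peer by subject name or DN")
    if t.ike == 1 and {s.role for s in sites} == {"master", "local"}:
        errs.append("ikev1: no tunnel between master and local switches")
    if t.ip_compression:
        if t.ike != 2 or t.ipv6:
            errs.append("compression: needs IKEv2 on an IPv4 network")
        for s in sites:
            if s.model == "OAW-4450" or not COMPRESSION_MODELS.match(s.model):
                errs.append(f"compression: not supported on {s.model}")
    return errs

if __name__ == "__main__":  # constructed plan below, not taken from the guide
    hq = Site("OAW-4550", "master", static_ip=True)
    branch = Site("OAW-4450", "local", static_ip=False)
    print("\n".join(check(Tunnel(hq, branch, 1, "cert", ip_compression=True))))
```

An empty list means the plan is consistent with the restrictions stated in this section; it says nothing about the rest of the IPsec map configuration.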
Working with Third-Party Devices
Alcatel-Lucent switches can use IKEv1 or IKEv2 to establish a site-to-site VPN with another Alcatel-Lucent switch
or third-party remote client devices. Devices running Microsoft® Windows 2008 can use Suite-B cryptographic
algorithms and IKEv1 to support authentication using RSA or ECDSA. StrongSwan® 4.3 devices can use IKEv2
to support authentication using RSA or ECDSA certificates, Suite-B cryptographic algorithms, and pre-shared
keys. These two remote clients have been tested to work with Alcatel-Lucent switches using Suite-B cryptographic
algorithms.
Working with Site-to-Site VPNs with Dynamic IP Addresses
AOS-W supports site-to-site VPNs with two statically addressed switches, or with one static and one
dynamically addressed switch. Two methods are supported to enable dynamically addressed peers: