Alcatel-Lucent AOS-W 6.5.3.x - Page 366
1160 pages
• Pre-shared Key Authentication with IKE Aggressive Mode: The Alcatel-Lucent switch with a dynamic
IP address must be configured as the initiator of IKE Aggressive mode for Site-to-Site VPNs, while the switch
with a static IP address must be configured as the responder of IKE Aggressive mode. Note that when the
switch is operating in FIPS mode, IKE aggressive mode must be disabled.
• X.509 certificates: IPsec peers identify each other using the subject name of X.509 certificates. IKE
operates in main mode when this option is selected. This method is preferred from a security standpoint.
Understanding VPN Topologies
You must configure VPN settings on the switches at both the local and remote sites. In the following figure, a
VPN tunnel connects Network A to Network B across the Internet.
Figure 51 Site-to-Site VPN Configuration Components
To configure the VPN tunnel on switch A, you must configure the following:
• The source network (Network A)
• The destination network (Network B)
• The VLAN on which switch A's interface to the Layer-3 network is located (Interface A in Figure 51)
• The peer gateway, which is the IP address of switch B's interface to the Layer-3 network (Interface B in
Figure 51)
Configure VPN settings on the switches at both the local and remote sites.
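The rules above (mirrored source/destination networks, the peer gateway being the other switch's Layer-3 interface, the dynamic-IP side initiating IKE aggressive mode, certificates implying main mode, and no aggressive mode under FIPS) are easy to get wrong when two switches are configured by hand. The following Python is an added consistency check written for this page; it is not AOS-W code and does not read switch configuration. The SwitchVpn fields, the constructed switch-A/switch-B pair (with TEST-NET addresses) and the rule that both ends must agree on authentication method and IKE mode are the example's own assumptions.

```python
"""Consistency checks for a site-to-site VPN pair, modelled on the rules
the AOS-W guide states. Added example; not Alcatel-Lucent/AOS-W code.
The data model and the sample pair are constructed for illustration."""
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass
class SwitchVpn:
    """The site-to-site settings the guide says each switch needs (assumed model)."""
    name: str
    interface_ip: Optional[str]  # Layer-3 interface address; None models a dynamic IP
    source_net: str              # local network behind this switch, e.g. "10.1.0.0/24"
    dest_net: str                # remote network reached through the tunnel
    peer_gateway: Optional[str]  # IP of the peer switch's Layer-3 interface
    auth: str                    # "psk" or "cert"
    ike_mode: str                # "aggressive" or "main"
    ike_role: str                # "initiator" or "responder"
    fips_mode: bool = False


def check_switch(sw: SwitchVpn) -> List[str]:
    """Rules that can be checked on one switch in isolation."""
    problems: List[str] = []
    if sw.fips_mode and sw.ike_mode == "aggressive":
        problems.append(f"{sw.name}: IKE aggressive mode must be disabled in FIPS mode")
    if sw.auth == "cert" and sw.ike_mode != "main":
        problems.append(f"{sw.name}: X.509 certificate authentication uses IKE main mode")
    if sw.auth == "psk" and sw.ike_mode == "aggressive":
        if sw.interface_ip is None and sw.ike_role != "initiator":
            problems.append(f"{sw.name}: the dynamic-IP switch must initiate IKE aggressive mode")
        if sw.interface_ip is not None and sw.ike_role != "responder":
            problems.append(f"{sw.name}: the static-IP switch must respond to IKE aggressive mode")
    return problems


def check_pair(a: SwitchVpn, b: SwitchVpn) -> List[str]:
    """Rules that tie the two ends of the tunnel together."""
    problems = check_switch(a) + check_switch(b)
    for local, remote in ((a, b), (b, a)):
        # Each side's destination network must be the other side's source network.
        if ip_network(local.dest_net) != ip_network(remote.source_net):
            problems.append(f"{local.name}: destination {local.dest_net} is not "
                            f"{remote.name}'s source network {remote.source_net}")
        # The peer gateway is the other switch's Layer-3 interface; only checkable
        # when that interface has a static address.
        if remote.interface_ip is not None and local.peer_gateway != remote.interface_ip:
            problems.append(f"{local.name}: peer gateway {local.peer_gateway} is not "
                            f"{remote.name}'s interface {remote.interface_ip}")
    # Assumption: both ends must negotiate the same authentication method and IKE exchange.
    if a.auth != b.auth or a.ike_mode != b.ike_mode:
        problems.append("ends disagree on authentication method or IKE mode")
    if a.ike_mode == "aggressive" and {a.ike_role, b.ike_role} != {"initiator", "responder"}:
        problems.append("aggressive mode needs exactly one initiator and one responder")
    return problems


def sample_pair() -> Tuple[SwitchVpn, SwitchVpn]:
    """Constructed Figure-51-style pair: switch A on a dynamic IP, switch B static."""
    a = SwitchVpn("switch-A", None, "10.1.0.0/24", "10.2.0.0/24", "203.0.113.10",
                  "psk", "aggressive", "initiator")
    b = SwitchVpn("switch-B", "203.0.113.10", "10.2.0.0/24", "10.1.0.0/24", None,
                  "psk", "aggressive", "responder")
    return a, b


if __name__ == "__main__":
    a, b = sample_pair()
    print(check_pair(a, b))                                   # [] - consistent
    print(check_pair(a, replace(b, fips_mode=True)))          # FIPS forbids aggressive mode
    print(check_pair(replace(a, dest_net="10.3.0.0/24"), b))  # networks no longer mirror
</test>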
Configuring Site-to-Site VPNs
Use the following procedures to create a site-to-site VPN through the WebUI or CLI.
In the WebUI
1. Navigate to the Configuration > Advanced Services > VPN Services > Site-to-Site page.
2. In the IPsec Maps section, click Add to open the Add IPsec Map window.
3. Enter a name for this VPN connection in the Name field.
4. In the Priority field, enter a priority level for the IPsec map. Negotiation requests for security associations
try to match the highest-priority map first. If that map does not match, the negotiation request continues
down the list to the next-highest priority map until a match is made.
5. Select a Source Network Type to specify whether the VPN source, the local network connected to the
switch, is defined by an IP address or a VLAN ID.
• If you selected IP, enter the IP address and netmask for the source network. (See switch A in Figure 51.)
• If you selected VLAN, click the Source Network VLAN drop-down list and select the VLAN ID for the
source network.
6. In the Destination Network and Destination Subnet Mask fields, enter the IP address and netmask for
the destination, the remote network to which the local network communicates. (See switch B in Figure 51)
7. Select one of the supported peer gateway types:
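Step 4 says negotiation requests are matched against the IPsec maps in priority order, stopping at the first match. A consequence worth checking before deploying several maps is that a broad map with a better priority silently captures requests meant for a more specific map further down the list. The Python below is an added model of that ordering written for this page; it is not AOS-W code, and the IpsecMap fields, the subnet-containment matching rule and the choice that a lower priority number is tried first are assumptions of the example (confirm the actual ordering against the AOS-W CLI reference).

```python
"""Priority-ordered IPsec map selection, modelled on step 4 of the guide.
Added example, not AOS-W code. The map fields, the containment-based matching
rule and 'lower priority number is tried first' are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IpsecMap:
    name: str
    priority: int    # assumption: lower number = higher priority (tried first)
    source_net: str  # local network in CIDR form
    dest_net: str    # remote network in CIDR form


def select_map(maps: List[IpsecMap], local_net: str, remote_net: str) -> Optional[IpsecMap]:
    """Walk the maps from highest priority down and return the first whose
    source/destination networks cover the requested traffic selectors."""
    want_local, want_remote = ip_network(local_net), ip_network(remote_net)
    for m in sorted(maps, key=lambda m: m.priority):
        if (want_local.subnet_of(ip_network(m.source_net))
                and want_remote.subnet_of(ip_network(m.dest_net))):
            return m
    return None  # no map matched: the request walks off the end of the list


def shadowed_maps(maps: List[IpsecMap]) -> List[Tuple[str, str]]:
    """Report (map, shadowing map) pairs: maps that can never be selected because a
    higher-priority map already covers both of their networks."""
    ordered = sorted(maps, key=lambda m: m.priority)
    result: List[Tuple[str, str]] = []
    for i, m in enumerate(ordered):
        for earlier in ordered[:i]:
            if (ip_network(m.source_net).subnet_of(ip_network(earlier.source_net))
                    and ip_network(m.dest_net).subnet_of(ip_network(earlier.dest_net))):
                result.append((m.name, earlier.name))
                break
    return result


# Constructed maps: the catch-all has the best priority and hides the specific ones.
SAMPLE_MAPS = [
    IpsecMap("site-b-specific", 20, "10.1.0.0/24", "10.2.0.0/24"),
    IpsecMap("catch-all", 10, "10.0.0.0/8", "10.0.0.0/8"),
    IpsecMap("site-c", 30, "10.1.0.0/24", "10.3.0.0/24"),
]


if __name__ == "__main__":
    chosen = select_map(SAMPLE_MAPS, "10.1.0.0/24", "10.2.0.0/24")
    print(chosen.name if chosen else None)   # catch-all, not site-b-specific
    print(shadowed_maps(SAMPLE_MAPS))        # both specific maps are unreachable
    print(select_map(SAMPLE_MAPS, "192.168.1.0/24", "10.2.0.0/24"))  # None
```

Running shadowed_maps over the intended map list before committing it is the check that catches the ordering mistake; giving the specific maps the better priority (or removing the catch-all) makes the list empty.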
AOS-W 6.5.3.x | User Guide Virtual Private Networks | 366