Alcatel-Lucent AOS-W 6.5.3.x - Page 367
367 | Virtual Private Networks | AOS-W 6.5.3.x User Guide
- IP Address: Select this option to identify the remote end point of the VPN tunnel using an IP address.
- FQDN: Select this option to use the same FQDN across different branches. The FQDN resolves to a different IP address for each branch, based on that branch's local DNS setting.
8. Define the Peer Gateway using an IP address or FQDN.
- If you use IKEv1 to establish a site-to-site VPN for a statically addressed remote peer and selected IP Address in the previous step, enter the IP address of the interface used by the remote peer to connect to the L3 network in the Peer Gateway field (see Interface B in Figure 51).
- If you are configuring an IPsec map for a dynamically addressed remote peer and selected IP Address in the previous step, leave the peer gateway set to its default value of 0.0.0.0.
- If you selected FQDN as the peer gateway type in the previous step, enter the fully qualified domain name of the remote peer.
9. If you use IKEv2 to establish a site-to-site VPN for a statically addressed remote peer, identify the peer device by entering its certificate subject name in the Peer Certificate Subject Name field. To identify the subject name of a peer certificate, issue the following command in the CLI:
show crypto-local pki servercert <certname> subject
10. The Security Association Lifetime parameter defines the lifetime of the security association in seconds and kilobytes. The default value is 7200 seconds. To change this value, uncheck the default checkbox and enter a value between 300 and 86400 seconds, or between 1000 and 1000000000 kilobytes.
11. Click the Version drop-down list and select V1 to configure the VPN for IKEv1, or V2 for IKEv2.
12. (Optional) Click the IKEv Policies drop-down list and select a predefined or custom IKE policy to apply to the IPsec map. For more information on default IKE policies, see Table 85.
13. IKEv2 site-to-site VPNs between master and local OAW-40xx Series switches support traffic compression between those devices. Select the IP Compression checkbox to enable compression for traffic in the site-to-site tunnel.
14. Select the VLAN containing the interface of the local switch that connects to the Layer-3 network (see Interface A in Figure 51). This determines the source IP address used to initiate IKE. If you select 0 or None, the default is the VLAN of the switch's IP address (either the VLAN where the loopback IP is configured, or VLAN 1 if no loopback IP is configured).
15. If you enable Perfect Forward Secrecy (PFS) mode, new session keys are not derived from previously used session keys, so a compromised key does not affect any previous session keys. PFS mode is disabled by default. To enable this feature, click the PFS drop-down list and select one of the following Perfect Forward Secrecy modes:
- group1: 768-bit Diffie-Hellman prime modulus group.
- group2: 1024-bit Diffie-Hellman prime modulus group.
- group14: 2048-bit Diffie-Hellman prime modulus group.
- group19: 256-bit random Diffie-Hellman ECP modulus group.
- group20: 384-bit random Diffie-Hellman ECP modulus group.
16. Click the Route ACL name drop-down list and select the name of a routing access control list (ACL) to attach a route ACL to inbound traffic on the VPN tunnel interface. When you associate a routing ACL with inbound traffic on a switch terminating an L3 GRE tunnel, that ACL can forward traffic as normal, route traffic to a nexthop router on a nexthop list, or redirect traffic over an L3 GRE tunnel or tunnel group. For more information on creating a routing ACL, see Creating a Firewall Policy on page 376.
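Steps 8 through 15 above fix hard constraints on an IPsec map: the form of the peer gateway, the subject name an IKEv2 static peer needs, the SA lifetime ranges, and the PFS groups on offer. The following Python check is an added example, not code from the AOS-W guide or the product; it audits one IPsec map (represented as a dict whose field names are assumptions for this example) against those constraints, and its flagging of group1 and group2 as weak is the example's own caveat, not something the guide states.

```python
import ipaddress

# Diffie-Hellman groups offered in the PFS drop-down and their sizes in bits
# (from the guide); group1/group2 are flagged as weak in this audit (our caveat).
PFS_GROUPS = {"group1": 768, "group2": 1024, "group14": 2048,
              "group19": 256, "group20": 384}
WEAK_PFS = {"group1", "group2"}

def audit_ipsec_map(cfg: dict) -> list:
    """Check one IPsec map (assumed field names) against steps 8-15; returns findings."""
    findings = []
    version = cfg.get("version")                 # "v1" or "v2"
    peer_type = cfg.get("peer_type")             # "ip" or "fqdn"
    peer_gw = cfg.get("peer_gateway", "")
    dynamic = cfg.get("dynamic_peer", False)     # dynamically addressed remote peer
    # Step 8: peer gateway is an IP address (0.0.0.0 for dynamic peers) or an FQDN.
    if peer_type == "ip":
        try:
            addr = ipaddress.ip_address(peer_gw)
        except ValueError:
            findings.append(f"peer gateway {peer_gw!r} is not a valid IP address")
        else:
            if dynamic and not addr.is_unspecified:
                findings.append("dynamically addressed peer must keep peer gateway 0.0.0.0")
            elif not dynamic and addr.is_unspecified:
                findings.append("statically addressed peer needs a real peer gateway address")
    elif peer_type == "fqdn":
        if "." not in peer_gw:
            findings.append("FQDN peer gateway must be a fully qualified domain name")
    else:
        findings.append("peer_type must be 'ip' or 'fqdn'")
    # Step 9: with IKEv2, a static peer is identified by its certificate subject name.
    if version == "v2" and not dynamic and not cfg.get("peer_cert_subject"):
        findings.append("IKEv2 static peer requires Peer Certificate Subject Name")
    # Step 10: SA lifetime must stay within 300-86400 seconds / 1000-1000000000 KB.
    secs = cfg.get("sa_lifetime_seconds", 7200)  # 7200 is the guide's default
    if not 300 <= secs <= 86400:
        findings.append(f"SA lifetime {secs}s outside 300-86400")
    kb = cfg.get("sa_lifetime_kb")
    if kb is not None and not 1000 <= kb <= 1000000000:
        findings.append(f"SA lifetime {kb} KB outside 1000-1000000000")
    # Step 15: PFS group, if enabled, must be one the drop-down offers.
    pfs = cfg.get("pfs")
    if pfs is not None and pfs not in PFS_GROUPS:
        findings.append(f"unknown PFS group {pfs!r}")
    elif pfs in WEAK_PFS:
        findings.append(f"{pfs} is a {PFS_GROUPS[pfs]}-bit MODP group; prefer group14 or an ECP group")
    return findings
```

Run it over each IPsec map exported from the switch; an empty list means the map satisfies every bound the guide gives.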
