17.Select Pre-Connect to establish the VPN connection immediately, even if no traffic is being sent from the local
network. If you do not select this option, the VPN connection is established only when traffic is sent from the local
network to the remote network.
18.Select Trusted Tunnel if traffic between the networks is trusted. If you do not select this option, traffic between
the networks is treated as untrusted.
19.Select the Enforce NATT checkbox to force NAT-Traversal, so that IKE and IPsec traffic is carried in UDP port 4500
regardless of whether a NAT device is detected between the peers. This option is disabled by default.
20.Select the Force Tunnel Mode checkbox to use tunnel mode rather than transport mode for the site-to-site IPsec SA.
This option is disabled by default.
21.Add one or more transform sets to be used by the IPsec map. Click the Transform Sets drop-down list,
select an existing transform set, then click the arrow button by the drop-down list to add that transform set
to the IPsec map.
22.For site-to-site VPNs with dynamically addressed peers, enable Dynamically Addressed Peers.
a. Select Initiator if the dynamically addressed switch initiates the IKE Aggressive-mode exchange for the site-to-site
VPN, or select Responder if the dynamically addressed switch responds to it. Aggressive mode sends the peer identity and
the authentication hash before the exchange is encrypted, so when pre-shared key authentication is used the key must be
long and random: a weak key can be recovered offline from a single captured exchange.
b. In the FQDN field, enter a fully qualified domain name (FQDN) for the switch. If the switch is defined as a
dynamically addressed responder, you can select all peers to make the switch a responder for all VPN
peers, or select Per Peer ID and specify the FQDN to make the switch a responder for one specific
initiator.
23.Select one of the following authentication types:
a. For pre-shared key authentication, select Pre-Shared Key, then enter a shared secret in the IKE Shared
Secret and Verify IKE Shared Secret fields. This authentication type is generally required in IPsec
maps for a VPN with dynamically addressed peers, but can also be used for a static site-to-site VPN.
b. For certificate authentication, select Certificate, then click the Server Certificate and CA certificate
drop-down lists to select certificates previously imported into the switch. See Management Access on
page 833 for more information.
24.Click Done to apply the site-to-site VPN configuration.
25.Click Apply.
26.Click the IPSEC tab to configure an IKE policy.
a. Under IKE Policies, click Add to open the IPSEC Add Policy configuration page.
b. Set the Priority to 1 for this configuration to take priority over the Default setting.
c. Set the Version type to match the IKE version you selected in Step 10.
d. Set the Encryption type from the drop-down list.
e. Set the HASH Algorithm from the drop-down list.
f. Set the Authentication to PRE-SHARE if you use pre-shared keys. If you use certificate-based IKE, select
RSA or ECDSA.
g. Set the Diffie–Hellman Group from the drop-down list.
h. The IKE policy selections, including any pre-shared key, must be matched exactly on the far end of the VPN;
if no policy on one side agrees with a policy on the other, IKE negotiation fails. When using a third-party VPN
client, set the client's VPN configuration to match the choices made above. If you use the Alcatel-Lucent dialer,
configure the dialer before downloading it onto the local client.
i. Click Done to activate the changes.
j. Click Apply.
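The following is an added example, not code from the AOS-W guide or from Alcatel-Lucent. It models the choices made in steps 22 through 26 (IKE version, encryption, hash, authentication, Diffie-Hellman group, dynamically addressed peers, pre-shared key or certificate) for both ends of a tunnel and answers two questions the WebUI does not: whether the two peers will actually agree on an IKE policy, and whether any chosen setting is weak. All class and function names, the weakness tables and the 128-bit PSK threshold are the example's own assumptions, not AOS-W CLI or API identifiers; the sample configurations at the bottom are constructed.

```python
"""Offline consistency and strength check for a site-to-site IPsec configuration.

Added example: names, thresholds and sample data are assumptions, not AOS-W identifiers.
"""
from dataclasses import dataclass
import math
import string

# Assumed thresholds a practitioner would not accept on a new tunnel.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5", "sha1"}
WEAK_DH_GROUPS = {1, 2, 5}      # MODP-768 / MODP-1024 / MODP-1536
MIN_PSK_BITS = 128               # assumed minimum PSK entropy when Aggressive mode is in use


@dataclass(frozen=True)
class IkePolicy:
    """One row of the IKE Policies table (step 26)."""
    priority: int
    version: str          # "v1" or "v2"
    encryption: str       # e.g. "aes256"
    hash: str             # e.g. "sha256"
    authentication: str   # "pre-share", "rsa" or "ecdsa"
    dh_group: int

    def matches(self, other: "IkePolicy") -> bool:
        """Priority is local ordering only; every on-the-wire attribute must agree."""
        return (self.version, self.encryption, self.hash, self.authentication, self.dh_group) == (
            other.version, other.encryption, other.hash, other.authentication, other.dh_group)


@dataclass
class SiteToSiteMap:
    """The subset of an IPsec map (steps 22 and 23) that the check looks at."""
    name: str
    policies: list                        # IkePolicy objects held by this peer
    dynamically_addressed: bool = False   # step 22: IKEv1 Aggressive mode
    fqdn: str = ""                        # step 22b
    psk: str = ""                         # step 23a (empty when using certificates)
    server_cert: str = ""                 # step 23b
    ca_cert: str = ""                     # step 23b


def negotiate(initiator: SiteToSiteMap, responder: SiteToSiteMap):
    """Return the first initiator policy (lowest priority number) that the responder
    also holds, mirroring how IKE settles on a proposal, or None if nothing matches."""
    for mine in sorted(initiator.policies, key=lambda p: p.priority):
        if any(mine.matches(theirs) for theirs in responder.policies):
            return mine
    return None


def psk_entropy_bits(psk: str) -> float:
    """Rough entropy estimate: length times log2 of the combined size of the
    character classes actually used. Good enough to catch dictionary-style keys."""
    classes = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    pool = sum(len(c) for c in classes if any(ch in c for ch in psk))
    return len(psk) * math.log2(pool) if pool else 0.0


def lint(m: SiteToSiteMap) -> list:
    """Return a list of findings for one peer's configuration (empty list means clean)."""
    findings = []
    for p in m.policies:
        if p.encryption in WEAK_ENCRYPTION:
            findings.append(f"policy {p.priority}: weak encryption {p.encryption}")
        if p.hash in WEAK_HASH:
            findings.append(f"policy {p.priority}: weak hash {p.hash}")
        if p.dh_group in WEAK_DH_GROUPS:
            findings.append(f"policy {p.priority}: weak DH group {p.dh_group}")
        if p.authentication == "pre-share" and not m.psk:
            findings.append(f"policy {p.priority}: PRE-SHARE selected but no IKE shared secret set")
        if p.authentication in ("rsa", "ecdsa") and not (m.server_cert and m.ca_cert):
            findings.append(f"policy {p.priority}: certificate auth needs server and CA certificate")
    if m.dynamically_addressed:
        if not m.fqdn:
            findings.append("dynamically addressed peer without an FQDN identity")
        if m.psk and psk_entropy_bits(m.psk) < MIN_PSK_BITS:
            # Aggressive mode exposes the PSK-derived hash to offline guessing.
            findings.append("Aggressive mode with a guessable pre-shared key")
    return findings


# Constructed sample: a head-end with a strong IKEv2 policy plus a legacy IKEv1 fallback,
# and a branch that only speaks the legacy policy (this key is a placeholder, not a real secret).
SAMPLE_PSK = "qV7#mL2$pZ9!wK4%rT6&nB8@cF3^hJ5*"
HEAD_END = SiteToSiteMap("hq-to-branch", [
    IkePolicy(1, "v2", "aes256", "sha256", "pre-share", 14),
    IkePolicy(2, "v1", "aes128", "sha1", "pre-share", 2),
], psk=SAMPLE_PSK)
BRANCH = SiteToSiteMap("branch-to-hq", [
    IkePolicy(1, "v1", "aes128", "sha1", "pre-share", 2),
], dynamically_addressed=True, fqdn="branch.example.test", psk=SAMPLE_PSK)

if __name__ == "__main__":
    chosen = negotiate(HEAD_END, BRANCH)
    print("agreed policy:", chosen)
    for peer in (HEAD_END, BRANCH):
        for finding in lint(peer):
            print(f"{peer.name}: {finding}")
```

Run the file directly to see which policy the two constructed peers would settle on and why it is a poor one; the head-end's preferred IKEv2 policy never gets used because the branch does not hold it, and the fallback that does match is flagged for SHA-1 and DH group 2.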
AOS-W 6.5.3.x | User Guide Virtual Private Networks | 368