371 | Virtual Private Networks | AOS-W 6.5.3.x User Guide
Adding ANY-ANY Crypto Map
Starting from AOS-W 6.5.1.0, any-any selectors are negotiated in IKEv1 to enable the option of having numerous tunnels. After the pre-connect flag is enabled for an IPsec map, IKE triggers the tunnel to the peer IP and proposes an any-any traffic selector.
Policy Based Routing (PBR) can also be configured to send specific or all traffic onto the IPsec map and can be applied to any VLAN, port, or user role.
Policy Based Routing is required for the any-any traffic selector and is supported only for IKEv1.
Data traffic trigger is not supported in AOS-W 6.5.1.0.
In the WebUI
To enable a crypto map to allow the any-any traffic selector, perform the following steps in the WebUI:
1. Navigate to Configuration > Advanced Services > VPN Services > Advanced tab.
2. Under IPSec Maps click Add.
3. Enter a Name.
4. Select the Any option from the Source Network Type field.
5. Select the Any option from the Destination Network Type field.
6. Click Done.
7. Click Apply.
In the CLI
Execute the following commands to enable a crypto map to allow the any-any traffic selector:
(host) (config-ipsec-map)# src-net any
(host) (config-ipsec-map)# dst-net any
Execute the following commands to configure PBR to send all or specific traffic onto the IPsec map:
(host) (config) #ip access-list route ipsec-pbr
(host) (config-route-ipsec-pbr) #any any any route ipsec-map <ipsec-map-name>
Execute the following commands to apply the PBR route ACL to a VLAN, port, or user role (the example below applies it to a VLAN interface, where <name> is the route ACL name, ipsec-pbr in the example above):
(host) (config) #interface vlan <id>
(host) (config-subif) #ip access-group <name> in
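As an added example (not code from the guide or from AOS-W itself), the following Python lint checks an any-any IPsec map against the three constraints stated above: IKEv1 only, a PBR route ACL must steer traffic onto the map, and pre-connect must be enabled because data traffic cannot trigger the tunnel. The block layout of the config text, the version and pre-connect keywords, and the sample config itself are assumptions made for this example.

```python
import re
# Constructed AOS-W-style config (block layout assumed, not copied from the guide):
# branch-any follows the any-any rules, hq-any breaks all three.
SAMPLE_CONFIG = """\
crypto-local ipsec-map branch-any 100
 src-net any
 dst-net any
 pre-connect enable
crypto-local ipsec-map hq-any 110
 version v2
 src-net any
 dst-net any
ip access-list route ipsec-pbr
 any any any route ipsec-map branch-any
"""

def parse_config(text):
    """Return per-map settings and the set of map names a route ACL steers traffic onto."""
    maps, pbr_targets, block, name = {}, set(), None, None
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"crypto-local ipsec-map (\S+)", line)
        if head:
            block, name = "map", head.group(1)
            maps[name] = {}
        elif line.startswith("ip access-list route "):
            block = "pbr"
        elif block == "map":
            key, _, val = line.partition(" ")
            if key in ("version", "src-net", "dst-net", "pre-connect"):
                maps[name][key] = val
        elif block == "pbr":
            pbr_targets.update(re.findall(r"route ipsec-map (\S+)", line))
    return maps, pbr_targets

def audit_any_any(text):
    """Flag any-any maps that break the guide's rules: IKEv1 only, PBR required, pre-connect needed."""
    maps, pbr_targets = parse_config(text)
    findings = []
    for name, cfg in maps.items():
        if cfg.get("src-net") != "any" or cfg.get("dst-net") != "any":
            continue  # only any-any selectors are subject to these constraints
        if cfg.get("version", "v1") != "v1":
            findings.append(f"{name}: any-any selectors are IKEv1 only, map uses {cfg['version']}")
        if name not in pbr_targets:
            findings.append(f"{name}: no route ACL sends traffic onto this map")
        if cfg.get("pre-connect") != "enable":
            findings.append(f"{name}: pre-connect disabled, nothing triggers the tunnel")
    return findings
```

Running audit_any_any(SAMPLE_CONFIG) reports three findings for hq-any and none for branch-any.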
Detecting Dead Peers
Dead Peer Detection (DPD) is enabled by default on the switch for site-to-site VPNs. DPD, as described in RFC
3706, “A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers,” uses IPsec traffic
patterns to minimize the number of IKE messages required to determine the liveliness of an IKE peer.
After a dead peer is detected, the switch tears down the IPsec session. Once the network path or other failure
condition has been corrected, a new IPsec session is automatically re-established.
To configure DPD parameters, issue the following command through the CLI:
(host) (config) #crypto-local isakmp dpd idle-timeout <idle_seconds> retry-timeout <retry_seconds> retry-attempts <number>
About Default IKE Policies
AOS-W includes the following default IKE policies. These policies are predefined, but can be edited and deleted.
You can do this in the CLI by using the crypto isakmp policy and crypto dynamic-map commands, or the
WebUI by navigating to Advanced Services > VPN Services > IPSEC and using the Delete button next to
the default IKE policy or IPsec dynamic map you want to delete.