Chapter 14

Virtual Private Networks

For wireless networks, virtual private network (VPN) connections can be used to further secure the wireless data from attackers. The Arubacontrollercan be used as a VPN concentrator that terminates all VPN connections from both wired and wireless clients.

This chapter describes the following topics:

• “VPN Configuration”

• “Remote Access VPN for L2TP IPsec”

• “Configuring Remote Access VPNs for XAuth”

• “Configuring a Remote Access VPN for PPTP”

• “Site-to-Site VPNs”

• “Aruba Dialer”

VPN Configuration

You can configure the controller for the following types of VPNs:

• Remote access VPNs allow hosts (for example, telecommuters or traveling employees) to connect to private networks (for example, a corporate network) over the Internet. Each host must run VPN client software which encapsulates and encrypts traffic and sends it to a VPN gateway at the destination network. The controllersupports the following remote access VPN protocols:

• Layer-2 Tunneling Protocol over IPsec (L2TP/IPsec)

• Point-to-Point Tunneling Protocol (PPTP)

• Site-to-site VPNs allow networks (for example, a branch office network) to connect to other networks (for example, a corporate network). Unlike a remote access VPN, hosts in a site-to-site VPN do not run VPN client software. All traffic for the other network is sent and received through a VPN gateway which encapsulates and encrypts the traffic.

Before enabling VPN authentication, you must configure the following:

• The default user role for authenticated VPN clients. See Chapter 10, “Roles and Policies” for information about configuring user roles.

• The authentication server group the controllerwill use to validate the clients. See Chapter 8, “Authentication Servers” for configuration details.

  A server-derived role, if present, takes precedence over the default user role.

You then specify the default user role and authentication server group in the VPN authentication defaultprofile, as described in the following sections.

VPN authentication

To configure VPN authentication via the WebUI:

1.    Navigate to the Configuration >Security >Authentication > L3 Authentication page.

2.    In the Profiles list, select the default VPN Authentication Profile.

3.    Select the Default Role from the drop-down menu.

4.    (Optional) Set Max Authentication failuresto an integer value (the default value is 0, which disables this feature). This number indicates the number of contiguous authentication failures before the station is blacklisted.

5.    Click Apply.

6.    In the default profile list, select Server Group.

7.    From the drop-down menu, select the server group to be used for VPN authentication.

8.    Click Apply.

To configure VPN authentication via the command-line interface, access the CLI in config mode andissue the following commands:

aaa authentication vpn default

   default-role <role>

   max-authentication-failure <number>

   server-group <name>

Supported VPN AAA Deployments

If you want to simultaneously deploy various combinations of a VPN client, RAP-psk, RAP-certs and CAP on the same controller, see Table 63.

Each row in this table specifies the allowed combinations of AAA servers for simultaneous deployment. Configuration rules include:

• RAP-certs can only use Local-DP-AP

• A RAP-psk and RAP-cert can only terminate on the same controller if the RAP VPN profile’s AAA server uses Local-db.

• If a RAP-psk is using an external AAA server, then the RAP-cert cannot be terminated on the same controller.

• Clients can use any type of AAA server irrespective of RAP/CAP authentication configuration server.

  Table 63 Supported VPN AAA Deployments (Continued)

  VPN Client	RAP psk	RAP certs	CAP
  External AAA server 1	LocalDB	LocalDB-AP	CPSEC-whitelist
  External AAA server 1	External AAA server 1	Not supported	CPSEC-whitelist
  External AAA server 1	External AAA server 2	Not supported	CPSEC-whitelist
  LocalDB	LocalDB	LocalDB-AP	CPSEC-whitelist
  LocalDB	External AAA server 1	Not supported	CPSEC-whitelist

Remote Access VPN for L2TP IPsec

The combination of Layer-2 Tunneling Protocol and Internet Protocol Security (L2TP/IPsec) is a highly-secure technology that enables VPN connections across public networks such as the Internet. L2TP/IPsec provides both a logical transport mechanism on which to transmit PPP frames as well as tunneling or encapsulation so that the PPP frames can be sent across an IP network. L2TP/IPsec relies on the PPP connection process to perform user authentication and protocol configuration. With L2TP/IPsec, the user authentication process is encrypted using the Data Encryption Standard (DES) or Triple DES (3DES) algorithm.

L2TP/IPsec requires two levels of authentication:

• Computer-level authentication with a preshared key to create the IPsec security associations (SAs) to protect the L2TP-encapsulated data.

• User-level authentication through a PPP-based authentication protocol using passwords, SecureID, digital certificates, or smart cards after successful creation of the SAs.

Configuring a VPN In the WebUI

Use the following procedures to use the WebUI to configure a remote access VPN for L2TP IPsec.

Authentication Method and Server Addresses

1.    Navigate to Configuration>Advanced Services > VPN Services and click the IPsectab.

2.    To enable L2TP, select Enable L2TP (this is enabled by default).

3.    Select the authentication method. Currently supported methods are:

• Password Authentication Protocol (PAP)

• Extensible Authentication Protocol (EAP)

• Challenge Handshake Authentication Protocol (CHAP)

• Microsoft Challenge Handshake Authentication Protocol (MSCHAP)

• MSCHAP version 2 (MSCHAPv2)

4.    Configure the IP addresses of the primary and secondary Domain Name System (DNS) servers and primary and secondary Windows Internet Naming Service (WINS) Server that will be pushed to the VPN client.

Define Address Pools

Next, define the pool from which the clients are assigned addresses.

1.    In the Address Pools section of the IPsec tab,click Addto open the Add Address Poolpage.

2.    Specify the start address, the end address and the pool name.

3.    Click Doneto apply the configuration.

Source NAT

1.    In the Source NATsection of the IPsec tab, select Enable Source NAT if the IP addresses of clients need to be translated to access the network

2.    If you enabled source NAT, click the NAT pooldrop-down list and select an existing NAT pool. If you have not yet created the NAT pool you want to use:

a.    Navigate to Configuration >IP > NAT Pools.

b.    Click Add.

c.    In the Pool Name field, enter a name for the new NAT pool, up to 63 alphanumeric characters.

d.    In the Start IP addressfield, enter the dotted-decimal IP address that defines the beginning of the range of source NAT addresses in the pool.

e.    In the End IP addressfield, enter the dotted-decimal IP address that defines the end of the range of source NAT addresses in the pool.

f.      In the Destination NAT IP Address field, enter the destination NAT IP address in dotted-decimal format. If you do not enter an address into this field, the NAT pool will use the destination NAT IP 0.0.0.0.

g.    Click Done to close the NAT pools tab

h.    Navigate to Configuration >Advanced Services > VPN Services and click the IPsectab to return to the IPsec window.

i.      Click the NAT Pool drop-down list and select the NAT pool you just created.

IKE Shared Secrets

You can configure a global IKE key or configure an IKE key for each subnet. Make sure that this key matches the key on the client.

1.    In the IKE Shared Secrets section, click Add to open the Add IKE Secret page.

2.    Enter the subnet and subnet mask. To make the IKE key global, specify 0.0.0.0 and 0.0.0.0 for both values.

3.    Enter theIKE Shared Secret and Verify IKE Shared Secret.

4.    Click Doneto apply the configurations.

IKE Policies

1.    In the IKE Policies section,click Addto open the IPsec Add Policy configuration page.

2.    Set the Priorityto 1 for this configuration to take priority over the Default setting.

3.    Set the Encryption type from the drop-down menu.

4.    Set the HASH Algorithm to SHA or MD5.

5.    Set the Authentication to Pre-Share.

6.    Set the Diffie Hellman Group to Group 1 or Group 2.

The IKE policy selections, along with the preshared key, need to be reflected in the VPN client configuration. When using a third-party VPN client, set the VPN configuration on clients to match the choices made above. In case the Arubadialer is used, these configuration need to be made on the dialer prior to downloading the dialer onto the local client.

7.    Click Doneto activate the changes.

8.    Click Applyto apply the changes made before navigating to other pages.

Configuring a VPN In the CLI

Use the following procedures to use the command-line interface to configure a remote access VPN for L2TP IPsec.

Authentication Method and Server Addresses

vpdn group l2tp

   enable

   ppp authentication {cache-securid|chap|eap|mschap|mschapv2|pap}

   client configuration {dns|wins} <ipaddr1> [<ipaddr2>]

Address Pools

ip local pool <pool> <start-ipaddr> <end-ipaddr>

Source NAT

ip access-list session srcnat
   user any any src-nat pool <pool> position 1

IKE Shared Secrets

crypto isakmp key <key> address <ipaddr> netmask <mask>

IKE Policies

crypto isakmp policy <priority>

   encryption {3des|aes128|aes192|aes256|des}

   authentication {pre-share|rsa-sig}

   group {1|2}

   hash {md5|sha}

   lifetime <seconds>

Configuring a VPN for Smart Card Clients

This section describes how to configure a remote access VPN on the controllerfor Microsoft L2TP/IPsec clients with smart cards. (A smart card contains a digital certificate which allows user-level authentication without the user entering a username and password.) As described previously in this section, L2TP/IPsec requires two levels of authentication: first, IKE SA authentication, and then user-level authentication with a PPP-based authentication protocol. Microsoft clients do not support smart card authentication for the IKE SA. Therefore, the IKE SA is authenticated with a preshared key, which you must configure as an IKE shared secret on the controller.

User-level authentication is performed by an external RADIUS server using PPP EAP-TLS. In this scenario, client and server certificates are mutually authenticated during the EAP-TLS exchange. During the authentication, the controllerencapsulates EAP-TLS messages from the client into RADIUS messages and forwards them to the server.

On the controller, you need to configure the following:

• User role for authenticated clients

• RADIUS server and the authentication server group to which the server belongs

• VPN authentication profile which defines the authentication server group and the default role assigned to authenticated clients

• L2TP/IPsec VPN with EAP as the PPP authentication

• IKE policy for preshared key authentication of the SA

  On the RADIUS server, you must configure a remote access policy to allow EAP authentication for smart card users and select a server certificate. The user entry in Microsoft Active Directory must be configured for smart cards.

In the WebUI

Use the following procedure to configure a L2TP/IPsec VPN for Microsoft smart card clients via the WebUI:

1.    Navigate to the Configuration >Security >Access Control > Policies page.

2.    Click Addto add a new policy.

a.    Enter the name of the policy (for example, authenticated). Default settings for a policy rule permit all traffic from any source to any destination, but you can make a rule more restrictive. You can also configure multiple rules; the first rule in a policy that matches the traffic is applied.

b.    Click Addto add a rule.

c.    When you are done adding rules, click Apply.

d.    Click the User Rolestab. Click Add to add a new user role.

e.    Enter the name of the role (for example, employee).

f.      Under Firewall Policies, click Add. In the Choose from Configured Policies drop-down list, select the policy you previously created. Click Done.

g.    Click Apply.

3.    Navigate to the Configuration >Security >Authentication > Servers page.

a.    Select Radius Server to display the Radius Server List.

b.    To configure a RADIUS server, enter the name for the server (for example, ias1) and click Add.

c.    Select the name to configure the IP address and key for the server. Select Mode to enable the server.

d.    Click Apply.

4.    In the Servers list, select Server Group.

a.    Enter the name of the new server group (for example, ias-server) and click Add.

b.    Select the name to configure the server group.

c.    Under Servers, click New to add a server to the group.

d.    Select the RADIUS server you just configured from the drop-down menu.

e.    Click Add Server.

f.      Click Apply.

5.    Navigate to the Configuration >Security >Authentication > L3 Authentication page.

a.    Select the default VPN Authentication Profile.

b.    From the Default Role drop-down menu, select employee.

c.    Click Apply.

d.    In the default VPN Authentication Profile, select Server Group.

e.    Select the server group you just configured from the drop-down menu.

f.      Click Apply.

6.    Navigate to the Configuration >Advanced Services >VPN Services > IPSECpage.

a.    Select Enable L2TP (this is enabled by default).

b.    Select EAP for Authentication Protocols.

c.    Configure the IP addresses of the primary and secondary Domain Name System (DNS) servers and primary and secondary Windows Internet Naming Service (WINS) Server that will be pushed to the VPN client.

d.    Under Address Pools, click Addto open the Add Address Poolpage.

e.    Specify the start address, the end address and the pool name.

f.      Click Doneto apply the configuration.

g.    Under IKE Shared Secrets, click Add to open the Add IKE Secret page.

h.    To make the IKE key global, specify 0.0.0.0 and 0.0.0.0 for both subnet and subnet mask (these are the default values).

i.      Enter theIKE Shared Secret and Verify IKE Shared Secret.

j.      Click Doneto apply the configurations.

k.    Under IKE Policies, click Addto open the IPsec Add Policy configuration page.

l.      Set the Priorityto 1 for this configuration to take priority over the Default setting.

m.  Set the Authentication to Pre-Share.

n.    Click Doneto activate the changes.

o.    Click Apply.

In the CLI

Use the following procedure to configure a L2TP/IPsec VPN for Microsoft smart card clients via the CLI:

ip access-list session authenticated

   any any any permit position 1

user-role employee

   access-list session authenticated

 

aaa authentication-server radius radius1

   host 1.1.1.254

   key 12345678

 

aaa server-group radius-server

   auth-server radius1

 

aaa authentication vpn default

   default-role employee

   server-group radius-server

 

vpdn group l2tp

   enable

   ppp authentication eap

   client dns 101.1.1.245

 

ip local pool sc-clients 10.1.1.1 10.1.1.250

 

crypto isakmp key 0987654 address 0.0.0.0 netmask 0.0.00

 

crypto isakmp policy 1

   authentication pre-share

Configuring VPNs for L2TP/IPsec Clients with Passwords

This section describes how to configure a remote access VPN on the controllerfor L2TP/IPsec clients with user passwords. As described previously in this section, L2TP/IPsec requires two levels of authentication: first, IKE SA authentication, and then user-level authentication with the PAP authentication protocol. IKE SA is authenticated with a preshared key, which you must configure as an IKE shared secret on the controller.

User-level authentication is performed by the controller’s internal database.

On the controller, you need to configure the following:

• User role for authenticated clients

• Internal database entries for username and passwords

• VPN authentication profile which defines the internal server group and the default role assigned to authenticated clients

• L2TP/IPsec VPN with PAP as the PPP authentication

• IKE policy for preshared key authentication of the SA

In the WebUI

Use the following procedure the configure L2TP/IPsec VPN for username/password clients via the WebUI:

1.    Navigate to the Configuration >Security >Access Control > Policies page.

2.    Click Addto add a new policy.

a.    Enter the name of the policy (for example, authenticated). Default settings for a policy rule permit all traffic from any source to any destination, but you can make a rule more restrictive. You can also configure multiple rules; the first rule in a policy that matches the traffic is applied.

b.    Click Addto add a rule.

c.    When you are done adding rules, click Apply.

d.    Click the User Rolestab. Click Add to add a new user role.

e.    Enter the name of the role (for example, employee).

f.      Under Firewall Policies, click Add. In the Choose from Configured Policies drop-down list, select the policy you previously created. Click Done.

g.    Click Apply.

3.    Navigate to the Configuration >Security >Authentication > Servers page.

a.    Select Internal DB to display entries for the internal database.

b.    Click Add User.

c.    Enter the username and password.

d.    Click Apply.

4.    Navigate to the Configuration >Security >Authentication > L3 Authentication page.

a.    Select default VPN Authentication Profile.

b.    From the Default Role drop-down menu, select employee.

c.    Click Apply.

d.    Under default VPN Authentication Profile, select Server Group.

e.    Select the internal server group from the drop-down menu.

f.      Click Apply.

5.    Navigate to the Configuration >Advanced Services >VPN Services > IPSECpage.

a.    Select Enable L2TP (this is enabled by default).

b.    Select PAP for Authentication Protocols.

c.    Configure the IP addresses of the primary and secondary Domain Name System (DNS) servers and primary and secondary Windows Internet Naming Service (WINS) Server that will be pushed to the VPN client.

d.    Under Address Pools, click Addto open the Add Address Poolpage.

e.    Specify the start address, the end address and the pool name.

f.      Click Doneto apply the configuration.

g.    Under IKE Shared Secrets, click Add to open the Add IKE Secret page.

h.    To make the IKE key global, specify 0.0.0.0 and 0.0.0.0 for both subnet and subnet mask (these are the default values).

i.      Enter theIKE Shared Secret and Verify IKE Shared Secret.

j.      Click Doneto apply the configurations.

k.    Under IKE Policies, click Addto open the IPSEC Add Policy configuration page.

l.      Set the Priorityto 1 for this configuration to take priority over the Default setting.

m.  Set the Authentication to Pre-Share.

n.    Click Doneto activate the changes.

o.    Click Apply.

Next, you must configure client entries in the internal database.

1.    Navigate to the Configuration >Security >Authentication > Servers page.

2.    Select Internal DB.

3.    Click Add User in the Users section. The user configuration page displays.

4.    Enter information for the client.

5.    Click Enabled to activate this entry on creation.

6.    Click Apply to apply the configuration.

In the CLI

To configure L2TP/IPsec VPN for username/password clientsvia the command-line interface, issue the following commands in config mode.

ip access-list session authenticated

   any any any permit position 1

user-role employee

   access-list session authenticated

 

aaa authentication vpn default

   default-role employee

   server-group internal

 

vpdn group l2tp

   enable

   ppp authentication pap

   client dns 101.1.1.245

 

ip local pool pw-clients 10.1.1.1 10.1.1.250

 

crypto isakmp key 0987654 address 0.0.0.0 netmask 0.0.00

 

crypto isakmp policy 1

   authentication pre-share

Next, issue the following command in enablemode to configure client entries in the internal database:

local-userdb add username <name> password <password>

Configuring Remote Access VPNs for XAuth

Extended Authentication (XAuth) is an Internet Draft that allows user authentication after IKE Phase 1 authentication. This authentication prompts the user for a username and password, with user credentials authenticated with an external RADIUS or LDAP server or the controller’s internal database. Alternatively, the user can start the client with a smart card which contains a digital certificate to verify the client credentials. IKE Phase 1 authentication can be done with either an IKE preshared key or digital certificates.

In the WebUI

Use the following procedures to configure a remote access VPN for XAuth via the WebUI:

Authentication Method and Server Addresses

1.    Navigate to the Configuration >Advanced Services >VPN Services > IPSECpage.

2.    To enable or disable Extended Authentication (XAuth), select or deselect Enable XAuth(this is enabled by default).

Disable XAuth if the VPN client is authenticated using a smart card. After successful IKE main mode exchange, the controllerextracts the values of the Principal name (SubjectAltname in X.509 certificates) or Common Name fields from the digital certificate in the smart card and authenticates them with the authentication server. The authentication server can be an external RADIUS or LDAP server or the internal database.

3.    Configure the IP addresses of the primary and secondary Domain Name System (DNS) servers and primary and secondary Windows Internet Naming Service (WINS) Server that will be pushed to the VPN client.

Address Pools

This is the pool from which the clients are assigned addresses.

1.    Navigate to the Configuration >Advanced Services >VPN Services > IPSECpage

2.    Under Address Pools, click Addto open the Add Address Poolpage.

3.    Specify the start address, the end address and the pool name.

4.    Click Doneto apply the configuration.

Source NAT

Use this option if the IP addresses of clients need to be translated to access the network. To use this option, you must have created a NAT pool by navigating to the Configuration >IP > NAT Poolspage.

Aggressive Mode

For XAuth clients, the Phase 1 IKE exchange can be either Main Mode or Aggressive Mode. Aggressive Mode condenses the IKE SA negotiations into three packets (versus six packets for Main Mode). A groupassociates the same set of attributes to multiple clients.

Enter the authentication group name for aggressive mode. Make sure that the group name matches the group name configured in the VPN client software.

Server Certificate

You can specify a single server certificate for VPN clients. The server certificate must be imported into the controller, as described in Chapter 29, “Management Access” Select the server certificate from the drop-down list.

CA Certificate for VPN Clients

You can assign one or more trusted CA certificates to VPN clients. The trusted CA certificate must be imported into the controller, as described in Chapter 29, “Management Access” .

1.    Under CA Certificate Assigned for VPN-clients, click Add.

2.    Select a CA certificate from the drop-down list of CA certificates imported in the controller.

3.    Click Done.

4.    Repeat the above steps to add additional CA certificates.

IKE Shared Secrets

You can configure a global IKE key or configure an IKE key for each subnet. Make sure that this key matches the key on the client.

1.    Under IKE Shared Secrets, click Add to open the Add IKE Secret page.

2.    Enter the subnet and subnet mask. To make the IKE key global, specify 0.0.0.0 and 0.0.0.0 for both values.

3.    Enter theIKE Shared Secret and Verify IKE Shared Secret.

4.    Click Doneto apply the configurations.

IKE Policies

1.    Under IKE Policies, click Addto open the IPSEC Add Policy configuration page.

2.    Set the Priorityto 1 for this configuration to take priority over the Default setting.

3.    Set the Encryption type from the drop-down menu.

4.    Set the HASH Algorithm to SHA or MD5.

5.    Set the Authentication to Pre-Share or RSA. If you are using certificate-based IKE, select RSA.

6.    Set the Diffie Hellman Group to Group 1 or Group 2.

The IKE policy selections, along with the preshared key, need to be reflected in the VPN client configuration. When using a third party VPN client, set the VPN configuration on clients to match the choices made above. In case the Arubadialer is used, these configuration need to be made on the dialer prior to downloading the dialer onto the local client.

7.    Click Doneto activate the changes.

8.    Click Applyto apply the changes made before navigating to other pages.

In the CLI

Authentication Method and Server Addresses

vpdn group l2tp

   enable

   ppp authentication {cache-securid|chap|mschap|mschapv2|pap}

   client configuration {dns|wins} <ipaddr1> [<ipaddr2>]

{crypto-local isakmp xauth | no crypto-local isakmp xauth}

Address Pools

ip local pool <pool> <start-ipaddr> <end-ipaddr>

Source NAT

ip access-list session srcnat
   user any any src-nat pool <pool> position 1

Aggressive Mode

crypto isakmp groupname <name>

Server Certificate

crypto-local isakmp server-certificate <name>

CA Certificate Assigned for VPN Clients

crypto-local isakmp ca-certificate <cacert-name>

IKE Shared Secrets

crypto isakmp key <key> address <ipaddr> netmask <mask>

IKE Policies

crypto isakmp policy <priority>

   encryption {3des|aes128|aes192|aes256|des}

   authentication {pre-share|rsa-sig}

   group {1|2}

   hash {md5|sha}

   lifetime <seconds>

Configuring VPNs for XAuth Clients using Smart Cards

This section describes how to configure a remote access VPN on the controllerfor Cisco VPN XAuth clients using smart cards. (A smart card contains a digital certificate which allows user-level authentication without the user entering a username and password.) IKE Phase 1 authentication can be done with either an IKE preshared key or digital certificates; in this example, digital certificates must be used for IKE authentication. The client is authenticated with the internal database on the controller.

On the controller, you need to configure the following:

• User role for authenticated clients

• Entries for Cisco VPN XAuth clients in the controller’s internal database

  For each client, you need to create an entry in the internal database with the entire Principal name (SubjectAltname in X.509 certificates) or Common Name as it appears on the certificate.

• VPN authentication default profile which defines the internal authentication server group and the default role assigned to authenticated clients

• Disable XAuth to disable prompting for the username and password (user credentials are extracted from the smart card)

• Server certificate to authenticate the controller to clients

• CA certificate to authenticate VPN clients

You must install server and CA certificates in the controller, as described in Chapter 29, “Management Access” .

• IKE policy for RSA (certificate-based) authentication of the SA

In the WebUI

The following procedure describes the steps to configure VPN for Cisco Smart Card Clients via the WebUI:

1.    Navigate to the Configuration >Security >Access Control > Policies page.

2.    Click Addto add a new policy.

a.    Enter the name of the policy (for example, authenticated). Default settings for a policy rule permit all traffic from any source to any destination, but you can make a rule more restrictive. You can also configure multiple rules; the first rule in a policy that matches the traffic is applied.

b.    Click Addto add a rule.

c.    When you are done adding rules, click Apply.

d.    Click the User Rolestab. Click Add to add a new user role.

e.    Enter the name of the role (for example, employee).

f.      Under Firewall Policies, click Add. In the Choose from Configured Policies drop-down list, select the policy you previously created. Click Done.

g.    Click Apply.

3.    Navigate to the Configuration >Security >Authentication > L3 Authentication page.

a.    Select default VPN Authentication Profile.

b.    From the Default Role drop-down menu, select employee.

c.    Click Apply.

d.    Under default VPN Authentication Profile, select Server Group.

e.    Select the server group internal from the drop-down menu.

f.      Click Apply.

4.    Navigate to the Configuration >Advanced Services >VPN Services > IPSECpage.

a.    Select Enable L2TP (this is enabled by default).

b.    Deselect Enable XAuth (this is enabled by default).

c.    Configure the IP addresses of the primary and secondary Domain Name System (DNS) servers and primary and secondary Windows Internet Naming Service (WINS) Server that will be pushed to the VPN client.

d.    Under Address Pools, click Addto open the Add Address Poolpage.

e.    Specify the start address, the end address and the pool name.

f.      Click Doneto apply the configuration.

g.    Select the server certificate the controller will use to authenticate itself to clients.

h.    Select the CA certificate the controllerwill use to validate clients. Click Done.

i.      Under IKE Policies, click Addto open the IPSEC Add Policy configuration page.

j.      Set the Priorityto 1 for this configuration to take priority over the Default setting.

k.    Set the Authentication to RSA.

l.      Click Doneto activate the changes.

m.  Click Apply.

Next, configure client entries in the internal database:

1.    Navigate to the Configuration >Security >Authentication > Servers page.

2.    Select Internal DB.

3.    Click Add User in the Users section. The user configuration page displays.

4.    Enter information for the client.

5.    Click Enabled to activate this entry on creation.

6.    Click Apply to apply the configuration.

In the CLI

The following procedure describes the steps to configure VPN for Cisco Smart Card Clients via the CLI:

ip access-list session authenticated

   any any any permit position 1

user-role employee

   access-list session authenticated

 

aaa authentication vpn default

   default-role employee

   server-group internal

 

no crypto-local isakmp xauth

 

vpdn group l2tp

   enable

   client dns 101.1.1.245

 

ip local pool sc-clients 10.1.1.1 10.1.1.250

 

crypto-local isakmp server-certificate ServerCert1

crypto-local isakmp ca-certificate TrustedCA1

 

crypto isakmp policy 1

   authentication rsa-sig

Enter the following command in enable mode to configure client entries in the internal database:

local-userdb add username <name> password <password>

Configuring VPNs for XAuth Clients Using a Username/Password

This section describes how to configure a remote access VPN on the controllerfor Cisco VPN XAuth clients using passwords. IKE Phase 1 authentication is done with an IKE preshared key; the user is then prompted to enter their username and password which is verified with the internal database on the controller.

On the controller, you need to configure the following:

• User role for authenticated clients

• Entries for Cisco VPN XAuth clients in the controller’s internal database

• VPN authentication profile which defines the internal authentication server group and the default role assigned to authenticated clients

• Enable XAuth to prompt for the username and password

• IKE policy for preshared key authentication of the SA

In the WebUI

To configure a VPN for Cisco VPN XAuth clients using a username and passwords via the WebUI:

1.    Navigate to the Configuration >Security >Access Control > Policies page.

2.    Click Addto add a new policy.

a.    Enter the name of the policy (for example, authenticated). Default settings for a policy rule permit all traffic from any source to any destination, but you can make a rule more restrictive. You can also configure multiple rules; the first rule in a policy that matches the traffic is applied.

b.    Click Addto add a rule.

c.    When you are done adding rules, click Apply.

d.    Click the User Rolestab. Click Add to add a new user role.

e.    Enter the name of the role (for example, employee).

f.      Under Firewall Policies, click Add. In the Choose from Configured Policies drop-down list, select the policy you previously created. Click Done.

g.    Click Apply.

3.    Navigate to the Configuration >Security >Authentication > L3 Authentication page.

a.    Select the default VPN Authentication Profile.

b.    From the Default Role drop-down menu, select employee.

c.    Click Apply.

d.    Under the defaultVPN Authentication Profile, select Server Group.

e.    Select the server group internal from the drop-down menu.

f.      Click Apply.

4.    Navigate to the Configuration >Advanced Services >VPN Services > IPSECpage.

a.    Select Enable L2TP (this is enabled by default).

b.    Select Enable XAuth (this is enabled by default).

c.    Configure the IP addresses of the primary and secondary Domain Name System (DNS) servers and primary and secondary Windows Internet Naming Service (WINS) Server that will be pushed to the VPN client.

d.    Under Address Pools, click Addto open the Add Address Poolpage.

e.    Specify the start address, the end address and the pool name.

f.      Click Doneto apply the configuration.

g.    Under IKE Shared Secrets, click Add to open the Add IKE Secret page.

h.    To make the IKE key global, specify 0.0.0.0 and 0.0.0.0 for both subnet and subnet mask (these are the default values).

i.      Enter theIKE Shared Secret and Verify IKE Shared Secret.

j.      Click Doneto apply the configurations.

k.    Under IKE Policies, click Addto open the IPSEC Add Policy configuration page.

l.      Set the Priorityto 1 for this configuration to take priority over the Default setting.

m.  Set the Authentication to Pre-Share.

n.    Click Doneto activate the changes.

o.    Click Apply.

Next, configure client entries in the internal database

1.    Navigate to the Configuration >Security >Authentication > Servers page.

2.    Select Internal DB.

3.    Click Add User in the Users section. The user configuration page displays.

4.    Enter information for the client.

5.    Click Enabled to activate this entry on creation.

6.    Click Apply to apply the configuration.

In the CLI

To configure a VPN for Cisco VPN XAuth clients using a username and passwords via the CLI:

ip access-list session authenticated

   any any any permit position 1

user-role employee

   access-list session authenticated

 

aaa authentication vpn default

   default-role employee

   server-group internal

 

crypto-local isakmp xauth

 

vpdn group l2tp

   enable

   client dns 101.1.1.245

 

ip local pool pw-clients 10.1.1.1 10.1.1.250

 

crypto isakmp key 0987654 address 0.0.0.0 netmask 0.0.00

 

crypto isakmp policy 1

   authentication pre-share

Enter the following command in enable mode to configure client entries in the internal database:

local-userdb add username <name> password <password>

Configuring a Remote Access VPN for PPTP

Point-to-Point Tunneling Protocol (PPTP) is an alternative to L2TP/IPsec. Like L2TP/IPsec, PPTP provides a logical transport mechanism to send PPP frames as well as tunneling or encapsulation so that the PPP frames can be sent across an IP network. PPTP relies on the PPP connection process to perform user authentication and protocol configuration.

With PPTP, data encryption begins after PPP authentication and connection process is completed. PPTP connections use Microsoft Point-to-Point Encryption (MPPE), which uses the Rivest-Shamir-Aldeman (RSA) RC-4 encryption algorithm. PPTP connections require user-level authentication through a PPP-based authentication protocol (MSCHAPv2 is the currently-supported method).

In the WebUI

1.    Navigate to theConfiguration >Advanced Services >VPN Services > PPTPpage.

2.    To enable PPTP, select Enable PPTP.

3.    Select the authentication protocol. The currently-supported method is MSCHAPv2.

4.    Configure the primary and secondary DNS servers and primary and secondary WINS Server that will be pushed to the VPN Dialer.

5.    Configure the VPN Address Pool.

a.    Click Add. The Add Address Pool page displays.

b.    Specify the pool name, start address, and end address.

c.    Click Done on completion to apply the configuration.

6.    Click Applyto apply the changes made before navigating to other pages.

In the CLI

vpdn group pptp
   enable

   client configuration {dns|wins} <ipaddr1> [<ipaddr2>]

   ppp authentication {mschapv2}

pptp ip local pool <pool> <start-ipaddr> <end-ipaddr>

Site-to-Site VPNs

Site-to-site VPN allows sites at different physical locations to securely communicate with each other over a Layer-3 network such as the Internet. You can use Arubacontrollersinstead of VPN concentrators to connect the sites. Or, you can use a VPN concentrator at one site and a controller at the other site.

An Arubacontroller supports the following IKE SA authentication methods for site-to-site VPNs:

• Preshared key: the same IKE shared secret must be configured on both the local and remote sites.

• Digital certificates: You can configure a server certificate and a CA certificate for each site-to-site VPN IPsec map configuration. For more information about importing server and CA certificates into the controller, see Chapter 29, “Management Access”.

  Certificate-based authentication is only supported for site-to-site VPN between two controllerswith static IP addresses.

Site-to-Site VPNs with Dynamic IP Addresses

ArubaOSsupports site-to-site VPNs with two statically addressed controllers, or with one static and one dynamically addressed controller. By default, site-to-site VPN uses IKE Main-mode with Pre-Shared-Keys to authenticate the IKE SA. This method uses the IP address of the peer, and therefore will not work for dynamically addressed peers.

To support site-site VPN with dynamically addressed devices, you must enable IKE Aggressive-Mode with Authentication based on a Pre-Shared-Key. The Arubacontrollerwith a dynamic IP address must be configured to be the initiatorof IKE Aggressive-mode for Site-Site VPN, while the controllerwith a static IP address must be configured as the responder of IKE Aggressive-mode.

VPN Topologies

You must configure VPN settings on the controllersat both the local and remote sites. In the following figure, a VPN tunnel connects Network A to Network B across the Internet.

Figure 55 Site-to-Site VPN Configuration Components

 

To configure the VPN tunnel on controller A, you need to configure the following:

• The source network (Network A)

• The destination network (Network B)

• The VLAN on which the controllerA’s interface to the Layer-3 network is located (Interface A in the Figure 55)

• The peer gateway, which is the IP address of controllerB’s interface to the Layer-3 network (Interface B in the Figure 55)

  Configure VPN settings on the controllers at both the local and remote sites.

Configuring site-to-site VPNs

Use the following procedures to create a site-to-site VPN via the WebUI or command-line interfaces.

In the WebUI

1.    Navigate to the Configuration >Advanced Services >VPN Services > Site-to-Site page.

2.    Under IPsec Maps, click Add to open the Add IPsec Map page.

3.    Enter a name for this VPN connection in the Name field.

4.    Enter the IP address and netmask for the source (the local network connected to the controller) in the Source Networkand Source Subnet Maskfields, respectively. (See controllerA in Figure 55)

5.    Enter the IP address and netmask for the destination (the remote network to which the local network will communicate) in the Destination Networkand Destination Subnet Maskfields, respectively. (See controllerB in Figure 55.)

6.    In the Peer Gatewayfield, enter the IP address of the interface on the remote controllerthat connects to the Layer-3 network. (See Interface B in Figure 55.) If you are configuring an IPsec map for a dynamically addressed remote peer, you must leave the peer gateway set to its default value of 0.0.0.0.

7.    The Security Association Lifetimeparameter defines the lifetime of the security association, in seconds. The default value is 7200 seconds. To change this value, uncheck the defaultcheckbox and enter a value from 300 to 86400 seconds.

8.    Select the VLANthat contains the interface of the local controllerwhich connects to the Layer-3 network. (See Interface A in Figure 55.)

This determines the source IP address used to initiate IKE. If you select 0 or None, the default is the VLAN of the controller’s IP address (either the VLAN where the loopback IP is configured or VLAN 1 if no loopback IP is configured).

9.    If you enable Perfect Forward Secrecy (PFS) mode, new session keys are not derived from previously used session keys. Therefore, if a key is compromised, that compromised key will not affect any previous session keys. PFS mode is disabled by default. To enable this feature, click the PFSdrop-down list and select one of the following Perfect Forward Secrecy modes:

• group1:Use the 768-bit Diffie Hellman prime modulus group.

• group2: Use the 1024-bit Diffie Hellman prime modulus group.

10. Select Pre-Connectto have the VPN connection established even if there is no traffic being sent from the local network. If this is not selected, the VPN connection is only established when traffic is sent from the local network to the remote network.

11. Select Trusted Tunnelif traffic between the networks is trusted. If this is not selected, traffic between the networks is untrusted.

12. Select the Enforce NATTcheckbox to always enforce UDP 4500 for IKE and IPSEC. This option is disabled by default.

13. For VPNs with dynamically addressed peers, click the Dynamically Addressed Peerscheckbox.

a.    Select Initiatorif the dynamically addressed switch is the initiator of IKE Aggressive-mode for Site-Site VPN, or select Responderif the dynamically addressed switch is the responderfor IKE Aggressive-mode.

b.    In the FQDNfield, enter a fully qualified domain name (FQDN) for the controller. If the controlleris defined as a dynamically addressed responder, you can select all peersto make the controllera responder for all VPN peers, or select Per Peer IDand specify the FQDN to make the controllera responder for one a specific initiator only.

14. Select an authentication type. For pre-shared key authentication, select Pre-Shared Key, then enter a shared secret in the IKE Shared Secretand Verify IKE Shared Secret fields. This authentication type is required in IPsec mapsfor a VPN with a dynamically addressed peer.

-or-

For certificate authentication, select Certificate, then click the Server Certificateand CA certificatedrop-down lists to select certificates previously imported into the controller. See Chapter 29, “Management Access” for more information.

15. Click Done to apply the site-to-site VPN configuration.

16. Click Apply.

17. Click the IPsec tab to configure an IKE policy that uses RSA authentication.

a.    Under IKE Policies, click Addto open the IPSEC Add Policy configuration page.

b.    Set the Priorityto 1 for this configuration to take priority over the Default setting.

c.    Set the Encryption type from the drop-down menu.

d.    Set the HASH Algorithm to SHAor MD5.

e.    Set the Authentication to PRE-SHARE if you are using preshared keys. If you are using certificate-based IKE, select RSA.

f.      Set the Diffie Hellman Group to Group 1or Group 2.

g.    The IKE policy selections, along with the preshared key, need to be reflected in the VPN client configuration. When using a third party VPN client, set the VPN configuration on clients to match the choices made above. If the Arubadialer is used, you must configure the dialer prior to downloading the dialer onto the local client.

h.    Click Doneto activate the changes.

i.      Click Apply.

In the CLI

To configure a site-to-site VPN with two static IP controllers via the CLI, issue the following commands:

crypto-local ipsec-map <name> <priority>

   src-net <ipaddr> <mask>

   dst-net <ipaddr> <mask>

   peer-ip <ipaddr>

   vlan <id>

   pre-connect enable|disable

   trusted enable

 

For certificates:

   set ca-certificate <cacert-name>

   set server-certificate <cert-name>

 

crypto isakmp policy <priority>

   encryption {3des|aes128|aes192|aes256|des}

   authentication rsa-sig

   group {1|2}

   hash {md5|sha}

   lifetime <seconds>

For preshared key:

crypto-local isakmp key <key>address <ipaddr> netmask <mask>

 

crypto isakmp policy <priority>

   encryption {3des|aes128|aes192|aes256|des}

   authentication pre-share

   group {1|2}

   hash {md5|sha}

   lifetime <seconds>

Toconfigure site-to-site VPN with a static and a dynamically addressed controller that initiates IKE Aggressive-mode for Site-Site VPN:

crypto-local ipsec-map <name> <priority>

   src-net <ipaddr> <mask>

   dst-net <ipaddr> <mask>

   peer-ip <ipaddr>

local-fqdn <local_id_fqdn>

   vlan <id>

   pre-connect enable|disable

   trusted enable

For the Pre-shared-key:

crypto-local isakmp key <key> address <ipaddr> netmask 255.255.255.255

 

For a static IP controller that responds to IKE Aggressive-mode for Site-Site VPN:

 

crypto-local ipsec-map <name2> <priority>

src-net <ipaddr> <mask>

dst-net <ipaddr> <mask>

peer-ip 0.0.0.0

peer-fqdn fqdn-id <peer_id_fqdn>

vlan <id>

trusted enable

For the Pre-shared-key:

crypto-local isakmp key <key> fqdn <fqdn-id>

For a static IP controllerthat responds to IKE Aggressive-mode for Site-Site VPN with One PSK for All FQDNs:

crypto-local ipsec-map <name2> <priority>

src-net <ipaddr> <mask>

peer-ip 0.0.0.0

peer-fqdn any-fqdn

vlan <id>

trusted enable

For the Pre-shared-key for All FQDNs:

crypto-local isakmp key <key> fqdn-any

Dead Peer Detection

Dead Peer Detection (DPD) is enabled by default on the controllerfor site-to-site VPNs. DPD, as described in RFC 3706, “A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers,” uses IPsec traffic patterns to minimize the number of IKE messages required to determine the liveness of an IKE peers.

To configure DPD parameters, issue the following commands via the command-line interface.

crypto-local isakmp dpd idle-timeout <idle_seconds> retry-timeout <retry_seconds>retry-attempts <number>

Aruba Dialer

For Windows clients, a dialer can be downloaded from the controllerto auto-configure tunnel settings on the client.

Configuring the Aruba Dialer

Use the following proceduresto configure the Aruba dialer via the WebUI or command-line interfaces

In the WebUI

1.    Navigate to the Configuration >Advanced Services >VPN Services > Dialerspage. Click Addto add a new dialer or click the Edittab to edit an existing dialer.

2.    Enter the Dialer Namethat will be used to identify this setting.

3.    Configure the dialer to work with PPTP or L2TP by selecting the Enable PPTP or the Enable L2TP checkbox.

4.    Select the authentication protocol. This should match the L2TP protocol list selected if Enable L2TP is checked or the PPTP list configured if Enable PPTP is checked.

5.    For L2TP:

• Set the IKE Hash Algorithm to SHA or MD5 as in the IKE policy on the Advanced Services > VPN Services > IPSEC page.

• If a preshared key is configured for IKE Shared Secrets in the VPN Services > IPSEC page, enter the key.

• The key you enter in the Dialers page must match the preshared key configured on the IPSEC page.

• Select the IPSEC Mode Group that matches the Diffie Hellman Group configured for the IPSEC policy.

• Select the IPSEC Encryption that matches the Encryption configured for the IPSEC policy.

• Select the IPSEC Hash Algorithm that matches the Hash Algorithm configured for the IPSEC policy.

6.    Click Doneto apply the changes made prior to navigating to another page.

In the CLI

Issue the following commands to configure the Aruba dialer via the CLI:

vpn-dialer <name>

   enable {dnctclear|l2tp|pptp|secureid_newpinmode|wirednowifi}

   ike authentication {pre-share <key>|rsa-sig}

   ike encryption {3des|des}

   ike group {1|2}

   ike hash {md5|sha}

   ipsec encryption {esp-3des|esp-des}

   ipsec hash {esp-md5-hmac|esp-sha-hmac}

   ppp authentication {cache-securid|chap|mschap|mschapv2|pap}

Assigning a Dialer to a User Role

The VPN dialer can be downloaded using Captive Portal. For the user role assigned through Captive Portal, configure the dialer by the name used to identify the dialer.

For example, if the captive portal client is assigned the guestrole after logging on through captive portal and the dialer is called mydialer, configure mydialer as the dialer to be used in the guest role.

In the WebUI

1.    Navigate to the Configuration >Security >Access Control > User Roles page.

2.    Click Edit for the user role.

3.    Under VPN Dialer, select the dialer you configured and click Change.

4.    Click Apply.

In the CLI

To configure the captive portal dialer for a user role via the command-line interface, access the CLI in config mode and issue the following commands:

user-role <role>

   dialer <name>