Configuring a VPN for L2TP/IPsec with IKEv2

Only clients running Windows 7 (and later versions), StrongSwan 4.3, and Aruba VIA (Virtual Intranet Access) support IKEv2 (Internet Key Exchange version 2). VIA provides secure remote network connectivity for Android, Apple iOS, Mac OS X, and Windows mobile devices and laptops; it automatically scans and selects the best secure connection to the corporate network. IKEv2 authenticates the peers with a pre-shared key or a digital signature and then negotiates the IPsec Security Associations over the secure channel set up by its initial exchange. It was first specified in RFC 4306; the current specification is RFC 7296. For additional information on the authentication types supported by these clients, see "Working with IKEv2 Clients."

The following procedure describes how to configure a remote access VPN (Virtual Private Network) for IKEv2 clients using certificates. A VPN gives a remote computer access to the corporate network as if it were directly connected to it, under the same security and management policies, by encrypting its traffic across the shared or public network in between:

Defining Authentication Method and Server Addresses

Defining Address Pools

Enabling Source NAT

Selecting Certificates

Configuring IKE Policies

Setting the IPsec Dynamic Map

Defining Authentication Method and Server Addresses

The following procedure describes how to define the authentication method and server addresses on Mobility Master:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Services > VPN tab.

2. Expand IKEv2.

3. In EAP passthrough, select the EAP passthrough method for IKEv2 clients. EAP (Extensible Authentication Protocol) carries the client's credentials through the controller to the authentication server and supports multiple mechanisms, such as certificates, token cards, smart cards, and one-time passwords. The currently supported methods include:

EAP-TLS (EAP-Transport Layer Security): certificate-based, with mutual authentication, integrity-protected ciphersuite negotiation, and key exchange between the two endpoints. See RFC 5216.

EAP-PEAP (Protected EAP): tunnels an inner authentication method inside TLS.

EAP-MSCHAPv2 (EAP Microsoft Challenge Handshake Authentication Protocol version 2).

EAP-GTC (EAP Generic Token Card), non-tunneled.

4. Click Submit.

5. Click Pending Changes.

6. In the Pending Changes window, select the check box and click Deploy changes.

7. Expand General VPN.

8. Configure the IP addresses of the Primary DNS server, Secondary DNS server, Primary WINS server, and Secondary WINS server that are pushed to the VPN client.

9. Click Submit.

10. Click Pending Changes.

11. In the Pending Changes window, select the check box and click Deploy changes.

Defining Address Pools

The following procedure describes how to define the pool from which the clients are assigned addresses:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Services > VPN tab.

2. Expand General VPN.

3. In the Address Pools table, click + to open the Add New Address Pool section.

4. Specify the Pool Name, Start address IPv4 or v6, and End address IPv4 or v6.

5. Click Submit.

6. Click Pending Changes.

7. In the Pending Changes window, select the check box and click Deploy changes.

Enabling Source NAT

The following procedure describes how to enable source NAT on Mobility Master. Source NAT rewrites the source address of packets passing through the device; it is typically used when an internal (private) host initiates a session to an external (public) host.

1. In the Mobility Master node hierarchy, navigate to the Configuration > Services > VPN tab.

2. Expand General VPN.

3. Select the Source-NAT check box if the IP addresses of clients must be translated to access the network.

4. (Optional) If you enable source NAT, select an existing NAT pool from the NAT pool drop-down list.

Selecting Certificates

If you are configuring a VPN to support machine authentication using certificates, define the IKE server certificates for VPN clients using IKEv2. These certificates must first be imported into Mobility Master, as described in Management Access. The following procedure describes how to select certificates:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Services > VPN tab.

2. Expand General VPN.

3. From the Server-certificate for VPN clients drop-down list, select the server certificate for client machines.

4. Click Submit.

5. Click Pending Changes.

6. In the Pending Changes window, select the check box and click Deploy changes.

7. If you are configuring a VPN to support clients using certificates, you must also assign one or more trusted CA (Certificate Authority) certificates to VPN clients. These are the issuers whose signatures the controller accepts on a client certificate, so assign only the CA (or issuing sub-CA) that actually issues your client certificates.

a. Expand Certificates for VPN Clients.

b. In the CA Certificate Assigned for VPN-Clients table, click + to open the Add New Certificate section.

c. Select a CA certificate from the drop-down list.

d. Click Submit.

e. In the Certificate Groups for VPN-Clients table, click + to open the Add New Certificate section.

f. Select a Server certificate and CA certificate from the respective drop-down list.

g. Click Submit.

h. Repeat steps b through g to add more certificates.

i. Click Pending Changes.

j. In the Pending Changes window, select the check box and click Deploy changes.

Configuring IKE Policies

ArubaOS contains several predefined default IKE policies, as described in the Default IKE Policy Settings table. If you do not want to use any of these predefined policies, you can use the procedures below to delete a factory-default policy, edit an existing policy, or create your own custom IKE policy instead.

 

The IKE policy selections must be reflected in the VPN client configuration. When using a third-party VPN client, set the VPN configuration on clients to match the choices made above. If the Aruba dialer is used, these configurations must be made on the dialer before downloading the dialer onto the local client.

1. In the Mobility Master node hierarchy, navigate to the Configuration > Services > VPN tab.

2. Expand IKEv2.

3. In the IKEv2 Policies table, click an existing policy to edit it, or click + to create a new policy.

4. In Priority, enter a priority number for this policy. Enter 1 for the configuration to take priority over the default setting.

5. Select the Enable Policy check box to enable the policy when it is saved.

6. From the Encryption drop-down list, select one of the following encryption types. DES and 3DES remain available only for legacy clients; use an AES key length for new deployments:

DES (Data Encryption Standard, 56-bit key)

3DES (Triple DES: the DES cipher applied three times to each 64-bit block)

AES128

AES192

AES256

7. From the Hash algorithm drop-down list, select one of the following hash types. md5 and the SHA-1 options remain available only for legacy clients; prefer sha2-256-128 or sha2-384-192:

md5

sha

sha1-96

sha2-256-128

sha2-384-192

8. ArubaOS VPNs support client authentication using pre-shared keys, RSA digital certificates, or ECDSA (Elliptic Curve Digital Signature Algorithm) certificates. A digital certificate binds a public key to an identity (such as a person or organization name) under a CA's signature; RSA and ECDSA are the signature algorithms the certificate's key is used with when the client signs its IKE authentication payload. To set the authentication type for the IKE rule, from the Authentication drop-down list, select one of the following options:

pre-share (for IKEv1 clients using pre-shared keys; IKEv1 is specified in RFC 2409)

rsa-sig (for clients using certificates)

ecdsa-256 (for clients using certificates)

ecdsa-384 (for clients using certificates)

9. Diffie-Hellman is a key agreement algorithm that allows two parties to agree upon a shared secret, and is used within IKE to securely establish session keys. To set the Diffie-Hellman Group for the ISAKMP (Internet Security Association and Key Management Protocol) policy, from the Diffie-Hellman group drop-down list, select one of the following options:

Group 1: 768-bit Diffie–Hellman prime modulus group

Group 2: 1024-bit Diffie–Hellman prime modulus group

Group 14: 2048-bit Diffie–Hellman prime modulus group

Group 19: 256-bit random Diffie–Hellman ECP modulus group

Group 20: 384-bit random Diffie–Hellman ECP modulus group

 

Configuring Diffie-Hellman Group 1 and Group 2 is not permitted if FIPS (Federal Information Processing Standards) mode is enabled. Groups 14, 19, and 20 are the only choices that meet a 112-bit security level, so prefer them whether or not FIPS mode is enabled.

10. Set the PRF value. This is the HMAC-based pseudo-random function used to derive the IKE keying material during the key exchange:

PRF-HMAC-MD5

PRF-HMAC-SHA1

PRF-HMAC-SHA256

PRF-HMAC-SHA384

11. In Lifetime, enter a value in the range of 300-86400 seconds to define the lifetime of the security association. The default value is 28800 seconds.

12. Click Submit.

13. Click Pending Changes.

14. In the Pending Changes window, select the check box and click Deploy changes.

Setting the IPsec Dynamic Map

Dynamic maps enable IPsec SA (Security Association) negotiations from dynamically addressed IPsec peers. ArubaOS has predefined IPsec dynamic maps for IKEv2. If you do not want to use these predefined maps, you can use the procedures below to delete a factory-default map, edit an existing map, or create your own custom IPsec dynamic map instead.

1. In the Mobility Master node hierarchy, navigate to the Configuration > Services > VPN tab.

2. Click IKEv2 to expand that section.

3. In IKEv2 IPsec Dynamic Maps, click an existing dynamic map to edit it, or click + to create a new map.

4. In Priority, enter a priority number for this map. Negotiation requests for security associations try to match the highest-priority map first. If that map does not match, the negotiation request continues down the list to the next-highest priority map until a match is made.

5. In Name, enter a name for the dynamic map.

6. Select the Dynamic map check box.

7. (Optional) Configure Perfect Forward Secrecy (PFS) settings for the dynamic peer by assigning a Diffie-Hellman prime modulus group. PFS provides an additional level of security by deriving each IPsec SA key from a fresh Diffie-Hellman exchange rather than from the IKE SA keys, so the compromise of one key does not expose past or subsequent keys. In the PFS group drop-down list, select one of the following groups:

Group 1: 768-bit Diffie–Hellman prime modulus group

Group 2: 1024-bit Diffie–Hellman prime modulus group

Group 14: 2048-bit Diffie–Hellman prime modulus group

Group 19: 256-bit random Diffie–Hellman ECP modulus group

Group 20: 384-bit random Diffie–Hellman ECP modulus group

8. In Transforms, select an existing transform to edit it, or click + to open the New Transform section.

 

To view the current configuration settings for an IPsec transform set, access the CLI (Command-Line Interface) and issue the command show crypto ipsec transform-set tag <transform-set-name>.

9. From the Encryption drop-down list, select one of the following encryption types (esp-null provides no confidentiality):

esp-null

esp-des

esp-3des

esp-aes128

esp-aes256

10. From the Hash algorithm drop-down list, select one of the following hash types (esp-null-hmac provides no integrity protection, and esp-md5-hmac should be used only for legacy clients):

esp-md5-hmac

esp-sha-hmac

esp-null-hmac

11. Click Submit.

12. In Lifetime (seconds), enter a value in the range of 300-86400 seconds to define the lifetime of the security association for the dynamic peer. The default value is 7200 seconds.

13. In Lifetime (kilobytes), enter a value in kilobytes to define the lifetime of the security association for the dynamic peer.

14. Click Submit.

15. Click Pending Changes.

16. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure a remote access VPN for IKEv2 clients using certificates.

To configure a remote access VPN for L2TP (Layer 2 Tunneling Protocol) over IPsec using IKEv2:

1. Define the server addresses:

(host) [mynode] (config) #vpdn group l2tp

enable

client configuration {dns|wins} <ipaddr1> [<ipaddr2>]

2. Enable authentication methods for IKEv2 clients:

(host) [mynode] (config) #crypto isakmp eap-passthrough {eap-gtc|eap-mschapv2|eap-peap|eap-tls}

3. Create address pools:

(host) [mynode] (config) #ip local pool <pool> <start-ipaddr> <end-ipaddr>

4. Configure source NAT:

(host) [mynode] (config) #ip access-list session srcnat user any any src-nat pool <pool> position 1

5. If you are configuring a VPN to support machine authentication using certificates, define server certificates for VPN clients using IKEv2:

(host) [mynode] (config) #crypto-local isakmp server-certificate <cert>

 

The IKE PSK (pre-shared key) value must be between 6 and 64 characters. To configure a pre-shared IKE key that contains non-alphanumeric characters, surround the key with quotation marks. For example: crypto-local isakmp key "key with spaces" fqdn-any.

6. Define IKEv2 policies:

(host) [mynode] (config) #crypto isakmp policy <priority>

encryption {3des|aes128|aes192|aes256|des}

version v2

authentication {pre-share|rsa-sig|ecdsa-256|ecdsa-384}

group {1|2|14|19|20}

hash {md5|sha|sha1-96|sha2-256-128|sha2-384-192}

prf {PRF-HMAC-MD5|PRF-HMAC-SHA1|PRF-HMAC-SHA256|PRF-HMAC-SHA384}

lifetime <seconds>

7. Define IPsec tunnel parameters:

(host) [mynode] (config) #crypto ipsec

mtu <max-mtu>

transform-set <transform-set-name> {esp-3des|esp-aes128|esp-aes128-gcm|esp-aes192|esp-aes256|esp-aes256-gcm|esp-des} {esp-md5-hmac|esp-null-hmac|esp-sha-hmac}
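The encryption, hash, PRF and Diffie-Hellman lists above still offer DES, MD5 and the 768-bit and 1024-bit groups, so a policy the controller accepts is not necessarily a sound one. The following script is an added example written for this page, not ArubaOS code: it parses the crypto isakmp policy and crypto ipsec transform-set syntax shown in the CLI steps, reports the weak choices (noting the FIPS restriction on groups 1 and 2 described above), and emits a policy built from the strongest options the page lists. The sample configuration inside it is constructed; the indented policy body, treating a policy without "version v2" as IKEv1, and an optional hash after an AEAD (-gcm) transform are assumptions about the CLI output.

```python
"""Audit ArubaOS IKE policies and IPsec transform-sets for weak choices.
Added example for this page, not ArubaOS code: it parses the `crypto isakmp policy` and
`crypto ipsec transform-set` syntax shown above. WEAK_CONFIG is constructed; the indented
policy body and the optional hash after an AEAD (-gcm) transform are assumptions."""
import re
from collections import namedtuple

# Verdicts are the editor's, keyed by the option names this page lists: DES/3DES/MD5 and
# DH groups 1-2 fall below a 112-bit margin; SHA-1 HMACs are unbroken but SHA-2 is offered.
IKE_TABLES = {
    "encryption": {"des": ("weak", "56-bit DES"), "3des": ("weak", "3DES, 64-bit block (Sweet32)")},
    "hash": {"md5": ("weak", "HMAC-MD5"), "sha": ("legacy", "HMAC-SHA1"), "sha1-96": ("legacy", "HMAC-SHA1-96")},
    "prf": {"prf-hmac-md5": ("weak", "MD5 PRF"), "prf-hmac-sha1": ("legacy", "SHA-1 PRF")},
    "group": {"1": ("weak", "768-bit MODP"), "2": ("weak", "1024-bit MODP")},
}
ESP_TABLE = {"esp-null": ("weak", "no confidentiality"), "esp-des": ("weak", "56-bit DES"),
             "esp-3des": ("weak", "3DES, 64-bit block (Sweet32)"), "esp-md5-hmac": ("weak", "HMAC-MD5"),
             "esp-null-hmac": ("weak", "no integrity"), "esp-null-mac": ("weak", "no integrity")}
POLICY_KEYS = {"version", "encryption", "hash", "authentication", "group", "prf", "lifetime"}

Finding = namedtuple("Finding", "where level detail")   # level: weak, legacy, info or error

def parse_config(text):
    """Return (policies, transforms): policies as dicts keyed by the CLI keywords,
    transforms as (name, encryption, hash) with hash "" for AEAD (-gcm) transforms."""
    policies, transforms, cur = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.fullmatch(r"crypto isakmp policy (\d+)", line):
            cur = {"priority": int(m.group(1)), "version": "v1"}   # v1 assumed when `version v2` is absent
            policies.append(cur)
            continue
        if m := re.fullmatch(r"crypto ipsec transform-set (\S+) (\S+)(?: (\S+))?", line):
            cur = None
            transforms.append((m.group(1), m.group(2).lower(), (m.group(3) or "").lower()))
            continue
        key, _, value = line.partition(" ")
        if cur is None or key not in POLICY_KEYS:
            cur = None      # any other top-level command ends the policy block
            continue
        value = value.strip().lower()
        cur[key] = int(value) if key == "lifetime" else value
    return policies, transforms

def audit(policies, transforms, fips=False):
    """One Finding per objectionable setting; an empty list means the config is clean."""
    out = []
    for p in policies:
        where = f"isakmp policy {p['priority']}"
        for label, table in IKE_TABLES.items():
            value = p.get(label, "")
            if value in table:
                level, why = table[value]
                if label == "group" and fips:
                    why += "; not permitted in FIPS mode"
                out.append(Finding(where, level, f"{label} {value}: {why}"))
        if p["version"] == "v2" and p.get("authentication") == "pre-share":
            out.append(Finding(where, "info", "pre-share on an IKEv2 policy; this page's "
                               "certificate procedure uses rsa-sig, ecdsa-256 or ecdsa-384"))
        lifetime = p.get("lifetime")
        if lifetime is not None and not 300 <= lifetime <= 86400:
            out.append(Finding(where, "error", f"lifetime {lifetime} outside 300-86400 seconds"))
    for name, enc, mac in transforms:
        for value in (enc, mac):
            if value in ESP_TABLE:
                level, why = ESP_TABLE[value]
                out.append(Finding(f"transform-set {name}", level, f"{value}: {why}"))
    return out

def audit_text(text, fips=False):
    return audit(*parse_config(text), fips=fips)

def hardened_policy_cli(priority, auth="ecdsa-256", lifetime=28800):
    """Strongest combination of the options this page lists, for certificate clients."""
    return "\n".join([f"crypto isakmp policy {priority}", "  encryption aes256", "  version v2",
                      f"  authentication {auth}", "  group 19", "  hash sha2-256-128",
                      "  prf PRF-HMAC-SHA256", f"  lifetime {lifetime}"])

WEAK_CONFIG = """\
! constructed sample, not a real controller's running-config
crypto isakmp policy 10
  encryption 3des
  version v2
  authentication rsa-sig
  group 2
  hash md5
  prf PRF-HMAC-MD5
  lifetime 28800
crypto ipsec transform-set legacy-set esp-3des esp-md5-hmac
crypto ipsec transform-set gcm-set esp-aes256-gcm
"""
SAMPLE_CONFIG = WEAK_CONFIG + hardened_policy_cli(20) + "\n"

if __name__ == "__main__":
    for f in audit_text(SAMPLE_CONFIG, fips=True):
        print(f"{f.level:6} {f.where}: {f.detail}")
```

To audit a live controller, save the output of show running-config to a file and pass its contents to audit_text(..., fips=True); every Finding is a policy or transform-set that third-party clients and the Aruba dialer should not be matched against, and hardened_policy_cli gives the replacement to paste in.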