Configuring a Basic VPN for L2TP/IPsec

The combination of Layer-2 Tunneling Protocol and Internet Protocol Security (L2TP/IPsec) creates a highly secure technology that enables VPN connections across public networks such as the Internet. L2TP/IPsec provides a logical transport mechanism on which to transmit PPP frames, tunneling, or encapsulation, so that the PPP frames can be sent across an IP network. L2TP/IPsec relies on the PPP connection process to perform user authentication and protocol configuration. With L2TP/IPsec, the user authentication process is encrypted using the Data Encryption Standard (DES) or Triple DES (3DES) algorithm.

L2TP/IPsec using IKEv1 requires two levels of authentication:

Computer-level authentication with a pre-shared key to create the IPsec SAs that protect the L2TP-encapsulated data.

User-level authentication through a PPP-based authentication protocol using passwords, SecureID, digital certificates, or smart cards after successful creation of the SAs.

 

Note that only Windows 7 (and later versions), StrongSwan 4.3, and VIA clients support IKEv2. For additional information on the authentication types supported by these clients, see Working with IKEv2 Clients.

The following procedure describes how to configure a remote access VPN for L2TP/IPsec for clients using pre-shared keys, certificates, or EAP for authentication.

Defining Authentication Method and Server Addresses

Defining Address Pools

Enabling Source NAT

Selecting Certificates

Defining IKEv1 Shared Keys

Configuring IKE Policies

Setting the IPsec Dynamic Map

Defining Authentication Method and Server Addresses

The following procedure describes how to define the authentication method and server addresses on Mobility Master:

1. Define the authentication method and server addresses.

2. In the Mobility Master node hierarchy, navigate to the Configuration > Services > VPN tab.

3. Expand IKEv1.

4. To enable L2TP, select the L2TP check box.

5. Select an authentication method for IKEv1 clients. Currently, supported methods include:

Password Authentication Protocol (PAP)

Extensible Authentication Protocol (EAP)

Challenge Handshake Authentication Protocol (CHAP)

Microsoft Challenge Handshake Authentication Protocol (MSCHAP)

Microsoft Challenge Handshake Authentication Protocol version 2 (MSCHAPv2)

6. Click Submit.

7. Click Pending Changes.

8. In the Pending Changes window, select the check box and click Deploy changes.

9. Expand General VPN. Configure the IP addresses of the Primary DNS server, Secondary DNS server, Primary WINS server, and Secondary WINS server that are pushed to the VPN client.

10. Click Submit.

11. Click Pending Changes.

12. In the Pending Changes window, select the check box and click Deploy changes.

Defining Address Pools

The following procedure describes how to define the pool from which the clients are assigned addresses:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Services > VPN tab.

2. Expand General VPN.

3. In the Address Pools table, click + to open the Add New Address Pool section.

4. Specify the Pool name, Start address IPv4 or v6, and End address IPv4 or v6.

5. Click Submit.

6. Click Pending Changes.

7. In the Pending Changes window, select the check box and click Deploy changes.

RADIUS Framed-IP-Address for VPN Clients

IP addresses are usually assigned to VPN clients from configured local address pools. However, the Framed-IP-Address attribute that is returned from a RADIUS server can be used to assign the address.

VPN clients use different mechanisms to establish VPN connections with Mobility Master, such as IKEv1, IKEv2, EAP, or a user certificate. Regardless of how the RADIUS server is contacted for authentication, the Framed-IP-Address attribute is assigned as the IP address as long as the RADIUS server returns the attribute. The Framed-IP-Address value always has a higher priority than the local address pool.
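The precedence rule above, modelled as an added Python example (this is not ArubaOS code and not how Mobility Master is implemented): a pool is defined by a start and end address, as in the Add New Address Pool section, and a client gets the RADIUS Framed-IP-Address whenever the server returns one, otherwise the next free pool address. The handling of a malformed attribute value, and of the two reserved Framed-IP-Address values from RFC 2865, is an assumption added here; all addresses and client names are constructed.

```python
import ipaddress
from typing import Optional, Tuple

# RFC 2865 reserves two Framed-IP-Address values that are instructions rather
# than addresses: 255.255.255.255 (user negotiates) and 255.255.255.254
# (NAS selects from its own pool).  Not on the page; taken from RFC 2865.
RADIUS_SPECIAL_FRAMED = {"255.255.255.255", "255.255.255.254"}


class AddressPool:
    """A named pool bounded by a start and end address (IPv4 or IPv6),
    as entered in the Add New Address Pool section."""

    def __init__(self, name: str, start: str, end: str) -> None:
        self.name = name
        self.start = ipaddress.ip_address(start)
        self.end = ipaddress.ip_address(end)
        if self.start.version != self.end.version or self.start > self.end:
            raise ValueError("start/end must share an IP family and start <= end")
        self.leased: dict = {}  # address object -> client identity

    def allocate(self, client: str) -> Optional[str]:
        """Return the lowest free address in the range, or None if exhausted."""
        size = int(self.end) - int(self.start) + 1
        for offset in range(size):
            addr = self.start + offset  # keeps the address family of the pool
            if addr not in self.leased:
                self.leased[addr] = client
                return str(addr)
        return None

    def release(self, address: str) -> None:
        """Return an address to the pool when the client disconnects."""
        self.leased.pop(ipaddress.ip_address(address), None)


def assign_client_address(pool: AddressPool, client: str,
                          radius_attrs: dict) -> Tuple[Optional[str], str]:
    """Apply the page's rule: a Framed-IP-Address returned by RADIUS always
    wins over the local pool.  Returns (address, source) with source one of
    'radius', 'pool' or 'exhausted'."""
    framed = radius_attrs.get("Framed-IP-Address")
    if framed is not None and framed not in RADIUS_SPECIAL_FRAMED:
        try:
            return str(ipaddress.ip_address(framed)), "radius"
        except ValueError:
            # Assumption (not on the page): a malformed attribute is not
            # trusted; fall through and use the pool instead.
            pass
    addr = pool.allocate(client)
    return (addr, "pool") if addr is not None else (None, "exhausted")


if __name__ == "__main__":
    # Constructed sample: a three-address pool and three clients.
    demo_pool = AddressPool("vpn-pool", "10.20.30.10", "10.20.30.12")
    print(assign_client_address(demo_pool, "alice", {"Framed-IP-Address": "172.16.5.7"}))
    print(assign_client_address(demo_pool, "bob", {}))
    print(assign_client_address(demo_pool, "carol", {"Framed-IP-Address": "255.255.255.254"}))
```

The pool never hands out an address that RADIUS already assigned, so an operator reviewing leases should treat the `source` value as the audit trail for where each client's address came from.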

Enabling Source NAT

The following procedure describes how to enable source NAT on Mobility Master:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Services > VPN tab.

2. Expand General VPN.

3. Select the Source-NAT check box if the IP addresses of clients must be translated to access the network.

4. (Optional) If you enable source NAT, select an existing NAT pool from the NAT pool drop-down list.

Selecting Certificates

If you are configuring a VPN to support machine authentication using certificates, define the IKE server certificates for VPN clients using IKE. Note that these certificates must be imported into Mobility Master, as described in Management Access. The following procedure describes how to select certificates:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Services > VPN tab.

2. Expand General VPN.

3. From the Server-certificate for VPN clients drop-down list, select the server certificate for client machines.

4. Click Submit.

5. Click Pending Changes.

6. In the Pending Changes window, select the check box and click Deploy changes.

7. If you are configuring a VPN to support clients using certificates, you must also assign one or more trusted CA certificates to VPN clients.

a. Expand Certificates for VPN Clients.

b. In the CA Certificate Assigned for VPN-Clients table, click + to open the Add New Certificate section.

c. Select a CA certificate from the drop-down list.

d. Click Submit.

e. In the Certificate Groups for VPN-Clients table, click + to open the Add New Certificate section.

f. Select a Server certificate and CA certificate from the respective drop-down list.

g. Click Submit.

h. Repeat steps b through g to add more certificates.

i. Click Pending Changes.

j. In the Pending Changes window, select the check box and click Deploy Changes.

Defining IKEv1 Shared Keys

If you are configuring a VPN to support IKEv1 and clients using pre-shared keys, you can configure a global IKE key or an IKE key for each subnet. Make sure that this key matches the key on the client. The following procedure describes how to define IKEv1 shared keys:

1. In the Mobility Master node hierarchy, navigate to the Configuration > Services > VPN tab.

2. Expand Shared Secrets.

3. In the IKE Shared Secrets table, click + to open the Create IKE Group section.

4. Enter the Subnet and Subnet mask. To make the IKE key global, enter 0.0.0.0 for both values.

5. Select the Representation type from the drop-down list.

6. Enter Shared key and repeat it in the Retype shared key field.

7. Click Submit.

8. Click Pending Changes.

9. In the Pending Changes window, select the check box and click Deploy changes.

Configuring IKE Policies

ArubaOS contains several predefined default IKE policies, as described in the Default IKE Policy Settings table. If you do not want to use any of these predefined policies, you can use the procedure below to delete a factory-default policy, edit an existing policy, or create your own custom IKE policy instead.

 

The IKE policy selections, along with any preshared key, must be reflected in the VPN client configuration. When using a third-party VPN client, set the VPN configuration on clients to match the choices made above. If the Aruba dialer is used, these configurations must be made on the dialer before downloading the dialer onto the local client.

1. In the Mobility Master node hierarchy, navigate to the Configuration > Services > VPN tab.

2. Expand IKEv1.

3. In the IKEv1 Policies table, click an existing policy to edit it, or click + to create a new policy.

4. In Priority, enter a priority number for this policy. Enter 1 for the configuration to take priority over the default setting.

5. Select the Enable Policy check box to enable the policy when it is saved.

6. From the Encryption drop-down list, select one of the following encryption types:

DES

3DES

AES128

AES192

AES256

7. From the Hash algorithm drop-down list, select one of the following hash types:

md5

sha

sha1-96

sha2-256-128

sha2-384-192

8. ArubaOS VPNs support client authentication using pre-shared keys, RSA digital certificates, or Elliptic Curve Digital Signature Algorithm (ECDSA) certificates. To set the authentication type for the IKE rule, from the Authentication drop-down list, select one of the following options:

pre-share (for IKEv1 clients using pre-shared keys)

rsa-sig (for clients using certificates)

ecdsa-256 (for clients using certificates)

ecdsa-384 (for clients using certificates)

9. Diffie-Hellman is a key agreement algorithm that allows two parties to agree upon a shared secret, and is used within IKE to securely establish session keys. To set the Diffie-Hellman group for the ISAKMP policy, from the Diffie-Hellman group drop-down list, select one of the following options:

Group 1: 768-bit Diffie–Hellman prime modulus group

Group 2: 1024-bit Diffie–Hellman prime modulus group

Group 14: 2048-bit Diffie–Hellman prime modulus group

Group 19: 256-bit random Diffie–Hellman ECP modulus group

Group 20: 384-bit random Diffie–Hellman ECP modulus group

 

Configuring Diffie-Hellman Group 1 and Group 2 is not permitted if FIPS mode is enabled.

10. In Lifetime, enter a value in the range of 300-86400 seconds to define the lifetime of the security association. The default value is 7200 seconds.

11. Click Submit.

12. Click Pending Changes.

13. In the Pending Changes window, select the check box and click Deploy changes.
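The option sets and constraints from steps 4 through 10 (encryption, hash, authentication, Diffie-Hellman group, the FIPS restriction on groups 1 and 2, and the 300-86400 second lifetime with its 7200 second default), collected into one pre-deployment check. This is an added Python example, not ArubaOS code and not how Mobility Master validates the form; the RSA-signature option is spelled rsa-sig here, as in the ArubaOS CLI. The "legacy" warnings for DES, 3DES, md5 and DH groups 1 and 2 are this example's own review rule, not a constraint the page states.

```python
from typing import Dict, List, Tuple

# Option sets exactly as listed in the IKEv1 policy procedure.
ENCRYPTION = ("DES", "3DES", "AES128", "AES192", "AES256")
HASHES = ("md5", "sha", "sha1-96", "sha2-256-128", "sha2-384-192")
AUTH = ("pre-share", "rsa-sig", "ecdsa-256", "ecdsa-384")
DH_GROUPS = {1: "768-bit MODP", 2: "1024-bit MODP", 14: "2048-bit MODP",
             19: "256-bit ECP", 20: "384-bit ECP"}
LIFETIME_MIN, LIFETIME_MAX, LIFETIME_DEFAULT = 300, 86400, 7200

# Reviewer's rule added here (not a page constraint): choices the page allows
# but that a security review would flag before deployment.
LEGACY_CIPHERS = ("DES", "3DES")
LEGACY_HASHES = ("md5",)
LEGACY_DH_GROUPS = (1, 2)


def validate_ike_policy(policy: Dict, fips_mode: bool = False) -> Tuple[Dict, List[str], List[str]]:
    """Check one IKEv1 policy as it would be entered in the IKEv1 Policies form.

    Returns (normalized_policy, errors, warnings).  Errors are values the
    procedure does not allow; warnings are legacy choices worth a second look.
    The normalized policy has the default lifetime filled in when omitted."""
    errors: List[str] = []
    warnings: List[str] = []
    p = dict(policy)

    prio = p.get("priority")
    if not isinstance(prio, int) or prio < 1:
        errors.append("priority must be a positive integer (1 outranks the default policies)")

    enc = p.get("encryption")
    if enc not in ENCRYPTION:
        errors.append(f"encryption {enc!r} is not one of {ENCRYPTION}")
    elif enc in LEGACY_CIPHERS:
        warnings.append(f"encryption {enc} is a legacy cipher; prefer an AES option")

    h = p.get("hash")
    if h not in HASHES:
        errors.append(f"hash {h!r} is not one of {HASHES}")
    elif h in LEGACY_HASHES:
        warnings.append(f"hash {h} is a legacy choice; prefer a sha2-* option")

    auth = p.get("authentication")
    if auth not in AUTH:
        errors.append(f"authentication {auth!r} is not one of {AUTH}")

    group = p.get("dh_group")
    if group not in DH_GROUPS:
        errors.append(f"dh_group {group!r} is not one of {sorted(DH_GROUPS)}")
    elif fips_mode and group in LEGACY_DH_GROUPS:
        # Stated on the page: groups 1 and 2 cannot be configured in FIPS mode.
        errors.append(f"DH group {group} is not permitted when FIPS mode is enabled")
    elif group in LEGACY_DH_GROUPS:
        warnings.append(f"DH group {group} ({DH_GROUPS[group]}) is a legacy choice; prefer 14, 19 or 20")

    lifetime = p.get("lifetime", LIFETIME_DEFAULT)
    p["lifetime"] = lifetime
    if not isinstance(lifetime, int) or not LIFETIME_MIN <= lifetime <= LIFETIME_MAX:
        errors.append(f"lifetime {lifetime!r} must be {LIFETIME_MIN}-{LIFETIME_MAX} seconds")

    return p, errors, warnings


if __name__ == "__main__":
    # Constructed sample policy.
    sample = {"priority": 1, "encryption": "AES256", "hash": "sha2-256-128",
              "authentication": "ecdsa-256", "dh_group": 19}
    print(validate_ike_policy(sample, fips_mode=True))
```

Run the check against every custom policy before clicking Deploy changes; an error means the form would not accept the policy as written, and a warning means the client-side configuration should be revisited rather than matched to a legacy setting.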

Setting the IPsec Dynamic Map

Dynamic maps enable IPsec SA negotiations from dynamically addressed IPsec peers. ArubaOS has a predefined IPsec dynamic map for IKEv1. If you do not want to use this predefined map, you can use the procedure below to edit an existing map or create your own custom IPsec dynamic map instead.

1. In the Mobility Master node hierarchy, navigate to the Configuration > Services > VPN tab.

2. Expand IKEv1.

3. In IKEv1 IPsec Dynamic Maps, click an existing dynamic map to edit it or click + to create a new map.

4. In Priority, enter a priority number for this map. Negotiation requests for security associations try to match the highest-priority map first. If that map does not match, the negotiation request continues down the list to the next-highest priority map until a match is made.

5. In Name, enter a name for the dynamic map.

6. Select the Dynamic map check box.

7. (Optional) Configure PFS settings for the dynamic peer by assigning a Diffie-Hellman prime modulus group. A PFS group provides an additional level of security by ensuring that the IPsec SA key was not derived from any other key, and therefore cannot be compromised if another key is broken. In the PFS group drop-down list, select one of the following groups:

Group 1: 768-bit Diffie–Hellman prime modulus group

Group 2: 1024-bit Diffie–Hellman prime modulus group

Group 14: 2048-bit Diffie–Hellman prime modulus group

Group 19: 256-bit random Diffie–Hellman ECP modulus group

Group 20: 384-bit random Diffie–Hellman ECP modulus group

8. In Transforms, select an existing transform to edit it, or click + to open the New Transform window.

 

To view current configuration settings for an IPsec transform-set, access the CLI and issue the command crypto ipsec transform-set tag <transform-set-name>.

9. Enter a name for the transform in the Name field.

10. From the Encryption drop-down list, select one of the following encryption types:

esp-null

esp-des

esp-aes128

esp-aes192

esp-aes256

11. From the Hash algorithm drop-down list, select one of the following hash types:

esp-md5-hmac

esp-sha-hmac

esp-null-hmac

12. Click Submit.

13. In Lifetime(seconds), enter a value in the range of 300-86400 seconds to define the lifetime of the security association for the dynamic peer. The default value is 7200 seconds.

14. In Lifetime(kilobytes), enter a value in kilobytes to define the lifetime of the security association for the dynamic peer.

15. Click Submit.

16. Click Pending Changes.

17. In the Pending Changes window, select the check box and click Deploy changes.

The following CLI commands configure a remote access VPN for L2TP/IPsec:

1. Define the authentication method and server addresses:

(host) [mynode] (config) #vpdn group l2tp

enable

client configuration {dns|wins} <ipaddr1> [<ipaddr2>]

2. Enable authentication methods for IKEv1 clients:

(host) [mynode] (config) #vpdn group l2tp ppp authentication {cache-securid|chap|eap|mschap|mschapv2|pap}

3. Create address pools:

(host) [mynode] (config) #ip local pool <pool> <start-ipaddr> <end-ipaddr>

4. Configure source NAT:

(host) [mynode] (config) #ip access-list session srcnatuser any any src-nat pool <pool> position 1

5. If you are configuring a VPN to support machine authentication using certificates, define server certificates for VPN clients using IKEv1:

(host) [mynode] (config) #crypto-local isakmp server-certificate <cert>

6. If you are configuring a VPN to support IKEv1 clients using pre-shared keys, you can configure a global IKE key by entering 0.0.0.0 for both the address and netmask parameters in the command below, or configure an IKE key for an individual subnet by specifying the IP address and netmask for that subnet:

(host) [mynode] (config) #crypto isakmp key <key> address <ipaddr> netmask <mask>

7. Define IKE policies:

(host) [mynode] (config) #crypto isakmp policy <priority>

encryption {3des|aes128|aes192|aes256|des}

version v1|v2

authentication {pre-share|rsa-sig|ecdsa-256|ecdsa-384}

group {1|2|19|20}

hash {md5|sha|sha1-96|sha2-256-128|sha2-384-192}

lifetime <seconds>
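The option lists in steps 10 and 11 (transform-set encryption and hash), the SA lifetime range in step 13, and the IKE policy settings above give a reviewer concrete things to check a deployed configuration against. The following Python script is an added example; it is not part of the ArubaOS documentation or product. It parses a small constructed configuration written in the style of the CLI fragments on this page and reports choices a defender would want to revisit: DES, 3DES or null encryption, MD5 or null HMAC, Diffie-Hellman groups 1 and 2, a dynamic map with no PFS group, and an SA lifetime outside the 300-86400 second range. The transform-set and dynamic-map line syntax (crypto ipsec transform-set <name> <encryption> <hash>; crypto dynamic-map <name> <priority> followed by set sub-commands), the indentation of sub-commands under their parent, and all values in the sample are assumptions made for this example.

```python
"""Flag weak IKE policy, transform-set and dynamic-map settings.

Added example, not ArubaOS code. Sub-command syntax and the sample values are
assumptions; the option names come from the lists on this page.
"""
import re

# Choices from this page's option lists that are considered weak today.
WEAK_ENCRYPTION = {"des", "3des", "esp-des", "esp-null"}
WEAK_HASH = {"md5", "esp-md5-hmac", "esp-null-hmac"}
WEAK_DH_GROUPS = {"1", "2", "group1", "group2"}   # 768- and 1024-bit MODP
SA_LIFETIME_RANGE = (300, 86400)                  # seconds, the range in step 13

# Constructed sample. Sub-commands are indented under their parent command so
# the parser can group them (assumed layout for this example).
SAMPLE_CONFIG = """
crypto isakmp policy 10
 encryption aes256
 authentication pre-share
 group 19
 hash sha2-256-128
 lifetime 28800
crypto isakmp policy 20
 encryption 3des
 group 2
 hash md5
crypto ipsec transform-set legacy-xform esp-des esp-md5-hmac
crypto ipsec transform-set strong-xform esp-aes256 esp-sha-hmac
crypto dynamic-map legacy-map 100
 set transform-set legacy-xform
 set security-association lifetime seconds 120
crypto dynamic-map strong-map 200
 set transform-set strong-xform
 set pfs group14
 set security-association lifetime seconds 7200
"""


def parse_blocks(text):
    """Group the config into (header, [sub-command]) pairs.

    A line with no leading whitespace starts a block; indented lines belong
    to the most recent block. Blank lines are ignored.
    """
    blocks = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text):
    """Return a list of finding strings; an empty list means nothing flagged."""
    blocks = parse_blocks(text)
    findings = []
    # Collect transform-set names first so a dynamic map can be checked against
    # a definition that appears later in the file.
    defined_sets = set()
    for header, _ in blocks:
        m = re.match(r"crypto ipsec transform-set (\S+) (\S+) (\S+)$", header)
        if m:
            name, enc, mac = m.groups()
            defined_sets.add(name)
            if enc in WEAK_ENCRYPTION:
                findings.append(f"transform-set {name}: weak encryption {enc}")
            if mac in WEAK_HASH:
                findings.append(f"transform-set {name}: weak hash {mac}")

    for header, subs in blocks:
        m = re.match(r"crypto isakmp policy (\d+)$", header)
        if m:
            name = f"isakmp policy {m.group(1)}"
            # "hash md5" -> {"hash": "md5"}
            settings = dict(line.split(" ", 1) for line in subs if " " in line)
            if settings.get("encryption") in WEAK_ENCRYPTION:
                findings.append(f"{name}: weak encryption {settings['encryption']}")
            if settings.get("hash") in WEAK_HASH:
                findings.append(f"{name}: weak hash {settings['hash']}")
            if settings.get("group") in WEAK_DH_GROUPS:
                findings.append(f"{name}: weak Diffie-Hellman group {settings['group']}")
            continue
        m = re.match(r"crypto dynamic-map (\S+) (\d+)$", header)
        if not m:
            continue
        name = f"dynamic-map {m.group(1)}"
        has_pfs = False
        for line in subs:
            parts = line.split()
            if parts[:2] == ["set", "pfs"] and len(parts) == 3:
                has_pfs = True
                if parts[2] in WEAK_DH_GROUPS:
                    findings.append(f"{name}: weak PFS {parts[2]}")
            elif parts[:4] == ["set", "security-association", "lifetime", "seconds"] and len(parts) == 5:
                secs = int(parts[4])
                lo, hi = SA_LIFETIME_RANGE
                if not lo <= secs <= hi:
                    findings.append(f"{name}: SA lifetime {secs}s outside {lo}-{hi}")
            elif parts[:2] == ["set", "transform-set"] and len(parts) == 3 and parts[2] not in defined_sets:
                findings.append(f"{name}: references undefined transform-set {parts[2]}")
        if not has_pfs:
            findings.append(f"{name}: no PFS group set")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the script flags policy 20 (3DES, MD5, group 2), the legacy transform-set (esp-des, esp-md5-hmac) and the legacy dynamic map (120-second lifetime below the documented minimum, no PFS group), while policy 10 and the strong map and transform-set produce no findings. The lists of weak choices are deliberately kept in one place at the top so they can be tightened as policy changes.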