Configuring IKEv2 Policies, Dynamic Maps, and Reauthentication Frequency

To configure the EAP passthrough, IKEv2 policies, and dynamic IPsec maps on the Branch Gateway, complete the following steps:

  1. In the Aruba Central app, complete either of the following steps:
    • To select a gateway group:

      1. In the Aruba Central app, set the filter to a group that contains at least one Branch Gateway.

        The dashboard context for a group is displayed.

      2. Under Manage, click Devices > Gateways.

        A list of gateways is displayed in the List view.

      3. Click Config.

        The configuration page is displayed for the selected group.

    • To select a gateway:

      1. In the Aruba Central app, set the filter to Global or a group that contains at least one Branch Gateway.

      2. Under Manage, click Devices > Gateways.

        A list of gateways is displayed in the List view.

      3. Click a gateway under Device Name.

        The dashboard context for the gateway is displayed.

      4. Under Manage, click Device.

        The gateway device configuration page is displayed.

  2. If you are in the Basic Mode, click Advanced Mode to access the advanced configuration options.
  3. Click VPN > IKEv2.
  4. In the IKEv2 Policies table, click an existing policy to edit it, or click + to open the Add IKEv2 Policy section. Configure the required parameters as described in Table 1.

    Table 1: IKEv2 Policy Parameters

    Parameter

    Description

    Priority

    Specify the priority number for this policy. Set the value to 1 for the configuration to take priority over the default setting.

    Enable policy

    Select the check box to enable the policy when it is saved.

    Encryption

    Select one of the following encryption types:

    Hash algorithm

    Select one of the following hash types:

    Authentication

    Select one of the following authentication types for the IKE rule:

    Diffie-Hellman group

    Diffie-Hellman is a key agreement algorithm that allows two parties to agree upon a shared secret, and is used within IKE to securely establish session keys. To set the Diffie-Hellman group for the ISAKMP policy, select one of the following options:

    • Group 1: 768-bit Diffie–Hellman prime modulus group
    • Group 2: 1024-bit Diffie–Hellman prime modulus group
    • Group 14: 2048-bit Diffie–Hellman prime modulus group
    • Group 19: 256-bit random Diffie–Hellman ECP modulus group
    • Group 20: 384-bit random Diffie–Hellman ECP modulus group

    PRF

    The PRF is an HMAC function used to hash values during the key exchange. Set it to the value that matches the selected Hash algorithm:

    • PRF-HMAC-MD5
    • PRF-HMAC-SHA1
    • PRF-HMAC-SHA256
    • PRF-HMAC-SHA384

    Lifetime

    Set the lifetime of the IKE security association in seconds. The supported range is 300-86400 seconds. The default value is 7200 seconds.

  5. In IKEv2 IPSec Dynamic Maps, click an existing dynamic map to edit it, or click + to open the Add IKEv2 Dynamic Map section. Configure the required parameters as described in Table 2.

    Table 2: IKEv2 Dynamic IPsec Map Parameters

    Parameter

    Description

    Priority

    Set the priority level for the IPsec map. Negotiation requests for security associations try to match the highest-priority map first. If that map does not match, the negotiation request continues down the list to the next highest-priority map until a match is found.

    Name

    Enter a name for the dynamic map.

    Dynamic map

    Select the check box to enable the dynamic map. This is enabled by default.

    PFS group

    (Optional) Configure PFS settings for the dynamic peer by assigning a Diffie-Hellman prime modulus group. The PFS group provides an additional level of security by ensuring that the IPsec SA key was not derived from any other key, and therefore cannot be compromised if another key is broken. Select one of the following groups:

    • Group 1: 768-bit Diffie–Hellman prime modulus group
    • Group 2: 1024-bit Diffie–Hellman prime modulus group
    • Group 14: 2048-bit Diffie–Hellman prime modulus group
    • Group 19: 256-bit random Diffie–Hellman ECP modulus group
    • Group 20: 384-bit random Diffie–Hellman ECP modulus group

    Transforms

    Click + to open the New Transform section.

    1. To add an existing transform, select Add existing transform.

    2. Select a transform from the list and save the changes.

    3. To add a new transform, select Add new transform.

    4. From the Encryption drop-down list, select one of the following encryption types:

    • DES
    • 3DES
    • AES128
    • AES192
    • AES256

    5. From the Hash algorithm drop-down list, select one of the following hash types:

    • MD5
    • SHA
    • SHA1-96
    • SHA2-256-128
    • SHA2-384-192

    6. Click Save Settings.

    Lifetime (seconds)

    Set the lifetime of the security association for the dynamic peer in seconds. The supported range is 300-86400 seconds. The default value is 7200 seconds.

    Lifetime (kilobytes)

    Set the lifetime of the security association for the dynamic peer in kilobytes.

  6. In EAP passthrough, select the EAP passthrough method for IKEv2 clients. The currently supported methods include:
  7. In the Reauthentication frequency field, enter the frequency value that indicates the number of IKE rekey operations at which the initiator of the session repeats authentication. You can enable reauthentication by configuring a frequency value between 1 and 100.

    For example, if the configured reauthentication frequency is 1, the rekey operation is skipped and reauthentication occurs for each IKE rekey operation. If the reauthentication frequency is set to 3, the initiator triggers IKE rekey on the first and second rekey intervals, and reauthentication on the third rekey interval, and so on.

    In AOS 10.5, the reauthentication feature is supported only with site-to-site deployments.

  8. Click Save Settings.

This animation shows how to configure the EAP passthrough, IKEv2 policies, and dynamic IPsec maps on the Branch Gateway.
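As an added example (not Aruba's code, and not the Aruba Central API or its configuration format), the following Python script audits a set of IKEv2 policy settings against the option lists and ranges given in Table 1 and step 7, and reproduces the rekey/reauthentication schedule that step 7 describes. The dictionary field names, the hash-to-PRF mapping, and the sample policies are assumptions constructed for the example; the weak-algorithm classifications are general cryptographic guidance rather than anything this page states.

```python
"""Offline checks for the IKEv2 policy and reauthentication settings described above.

Added example, not Aruba's code and not the Aruba Central API. Field names are
assumed; option lists and numeric ranges (lifetime 300-86400 s, reauthentication
frequency 1-100) come from the page. The "weak" classifications are general
cryptographic guidance, not something the page states.
"""

# Drop-down options as listed on the page.
ENCRYPTION = {"DES", "3DES", "AES128", "AES192", "AES256"}
HASHES = {"MD5", "SHA", "SHA1-96", "SHA2-256-128", "SHA2-384-192"}
DH_GROUPS = {1: 768, 2: 1024, 14: 2048, 19: 256, 20: 384}   # bits; 19/20 are ECP
PRFS = {"PRF-HMAC-MD5", "PRF-HMAC-SHA1", "PRF-HMAC-SHA256", "PRF-HMAC-SHA384"}

# Assumed mapping: the page says to choose the PRF based on the selected hash,
# so the audit expects the PRF to belong to the same hash family.
HASH_TO_PRF = {
    "MD5": "PRF-HMAC-MD5",
    "SHA": "PRF-HMAC-SHA1",
    "SHA1-96": "PRF-HMAC-SHA1",
    "SHA2-256-128": "PRF-HMAC-SHA256",
    "SHA2-384-192": "PRF-HMAC-SHA384",
}

# Legacy choices still offered in the drop-downs; an audit should flag them.
WEAK_ENCRYPTION = {"DES", "3DES"}
WEAK_HASH = {"MD5"}
WEAK_DH = {1, 2}                # 768-bit and 1024-bit MODP

LIFETIME_RANGE = (300, 86400)   # seconds, from Table 1
REAUTH_RANGE = (1, 100)         # from step 7


def audit_ikev2_policy(policy: dict) -> list:
    """Return human-readable findings for one IKEv2 policy (empty list == clean)."""
    findings = []
    enc, hsh, prf = policy.get("encryption"), policy.get("hash"), policy.get("prf")
    dh, life = policy.get("dh_group"), policy.get("lifetime")

    if enc not in ENCRYPTION:
        findings.append(f"unknown encryption {enc!r}")
    elif enc in WEAK_ENCRYPTION:
        findings.append(f"weak encryption {enc}: prefer an AES option")

    if hsh not in HASHES:
        findings.append(f"unknown hash {hsh!r}")
    else:
        if hsh in WEAK_HASH:
            findings.append(f"weak hash {hsh}: prefer a SHA2 option")
        if prf != HASH_TO_PRF[hsh]:
            findings.append(f"PRF {prf!r} does not match hash {hsh} "
                            f"(expected {HASH_TO_PRF[hsh]})")

    if dh not in DH_GROUPS:
        findings.append(f"unknown Diffie-Hellman group {dh!r}")
    elif dh in WEAK_DH:
        findings.append(f"weak DH group {dh} ({DH_GROUPS[dh]}-bit MODP): prefer 14, 19 or 20")

    if not isinstance(life, int) or not LIFETIME_RANGE[0] <= life <= LIFETIME_RANGE[1]:
        findings.append(f"lifetime {life!r} outside {LIFETIME_RANGE[0]}-{LIFETIME_RANGE[1]} s")
    return findings


def reauth_schedule(frequency: int, rekey_events: int) -> list:
    """Label the first N IKE rekey intervals as 'rekey' or 'reauth' for a given
    reauthentication frequency, following the worked example in step 7
    (frequency 1: every interval reauthenticates; frequency 3: the third does)."""
    if not REAUTH_RANGE[0] <= frequency <= REAUTH_RANGE[1]:
        raise ValueError(f"reauthentication frequency must be "
                         f"{REAUTH_RANGE[0]}-{REAUTH_RANGE[1]}")
    return ["reauth" if n % frequency == 0 else "rekey"
            for n in range(1, rekey_events + 1)]


# Constructed sample policies (not taken from any real deployment).
SAMPLE_POLICIES = {
    "legacy": {"priority": 1, "encryption": "3DES", "hash": "MD5",
               "prf": "PRF-HMAC-SHA1", "dh_group": 2, "lifetime": 7200},
    "modern": {"priority": 1, "encryption": "AES256", "hash": "SHA2-256-128",
               "prf": "PRF-HMAC-SHA256", "dh_group": 19, "lifetime": 7200},
    "bad_lifetime": {"priority": 1, "encryption": "AES128", "hash": "SHA1-96",
                     "prf": "PRF-HMAC-SHA1", "dh_group": 14, "lifetime": 100000},
}


if __name__ == "__main__":
    for name, pol in SAMPLE_POLICIES.items():
        print(name, audit_ikev2_policy(pol) or ["ok"])
    print("frequency 3:", reauth_schedule(3, 6))
```

Running the script prints four findings for the "legacy" policy (3DES, MD5, a PRF that does not match the hash, and DH group 2), none for "modern", and a single out-of-range lifetime for "bad_lifetime"; the schedule for frequency 3 shows two plain rekeys followed by a reauthentication, repeating.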