
Tunnels Tab

Configuration > Networking > Tunnels > Tunnels

EdgeConnect tunnels are the foundation of your SD-WAN fabric. This tab displays details about tunnels in your network. It includes the following three subtabs:

  • Overlay – Displays SD-WAN bonded tunnels. Specifically, overlay tunnels consist of bonded underlay tunnels.

  • Underlay – Displays IPSec tunnels that map to discrete transports.

  • Passthrough – Displays third-party (IPSec) tunnels for service chaining to cloud security services, such as Zscaler and Symantec, and tunnels for local breakouts to trusted SaaS applications, such as Office 365.

If you have deployed an SD-WAN network, Business Intent Overlays (BIOs) govern tunnel creation and properties.

Filter by Tunnel Status

To filter the rows displayed in the Tunnels table by tunnel status, select Up or Down from the Status drop-down list. Select All (the default setting) to display tunnels of all statuses.

Subtab Field Descriptions

The following tables describe the fields displayed on the Overlay, Underlay, and Passthrough subtabs. Field descriptions are not repeated if they appear on more than one subtab and have the same description.

Overlay Subtab

Field – Description
Appliance – Name of the appliance.
Overlay Tunnel – Designated overlay tunnel.
Overlay – Designated overlay to which the overlay tunnel is applied.
Admin Status – Indicates whether the tunnel has been set to admin up or down.
Status – Indications are as follows:

Down – Tunnel is down. This can be because the tunnel administrative setting is down or the tunnel cannot communicate with the appliance at the other end. Possible causes are:

Lack of end-to-end connectivity / routability (test with iperf).

Intermediate firewall is dropping the packets (open the firewall).

Intermediate QoS policy (best-effort (BE) packets are being starved; change the control packet DSCP marking).

Mismatched tunnel mode (udp / gre / ipsec / ipsec_udp).

IPSec is misconfigured: enabled on only one side (check with show int tunnel configured), or the pre-shared keys do not match.

Down - In progress – Tunnel is down. Meanwhile, the appliance is exchanging control information with the appliance at the other end, trying to bring up the tunnel.

Down - Misconfigured – Two appliances are configured with the same System ID (see show system).

Up - Active – Tunnel is up and active. Traffic destined for this tunnel will be forwarded to the remote appliance.

Up - Active - Idle – Tunnel is up and active, but it has had no activity in the past five minutes, so it has slowed the rate at which it issues keep-alive packets.

Up - Reduced Functionality – Tunnel is up and active, but the two endpoint appliances are running mismatched software releases, so the tunnel provides no performance benefit.

UNKNOWN – Tunnel status is unknown. This can be because the appliance is unable to retrieve the current tunnel status. Try again later.
MTU – Maximum Transmission Unit: the largest possible unit of data that can be sent on a given physical medium. MTUs up to 9000 bytes are supported. Auto allows the tunnel MTU to be discovered automatically and overrides the MTU setting.
Uptime – Length of time the tunnel has been up.
Underlay Tunnels – Designated underlay tunnels.
Live View – Click the chart icon to display a live view of the status of the selected tunnel. You can view bandwidth, loss, jitter, latency, MOS, chart, traceroute, inbound or outbound, and lock the scale.
Historical Charts – Click the chart icon to display historical charts for the selected overlay and underlay tunnels.

Underlay Subtab

Field – Description
Segment – Name of the segment. This field displays only if Routing Segmentation is enabled.
Underlay Tunnel – Designated underlay tunnel.
Overlays – Overlays to which the tunnels for the appliance are applied.
Admin Status – Indicates whether the tunnel has been set to admin up or down. To change the admin status for the underlay tunnel, click the menu icon and select Admin Up or Admin Down.
Status – Status indications are described above in the field descriptions for the Overlay subtab. Click the status indicator in this field to display detailed troubleshooting information for this tunnel. Aruba Technical Assistance Center (TAC) may ask you to capture and send this diagnostic information.
Local IP:Port – Local IP address and port number.
Remote IP:Port – Remote IP address and port number.
Discovered IP:Port – Discovered IP address and port number.
Max BW (Kbps) – Maximum bandwidth for the tunnel in kilobits per second (Kbps).
Mode – Indicates whether the tunnel protocol is IPSec, IPSec UDP, UDP, or GRE.
Advanced Options – Click the info icon to open the Tunnel Advanced Options dialog box, which displays details about the tunnel’s settings.
Traceroute – Click the chart icon to display a traceroute chart for the selected appliance.
Historical Charts – Click the chart icon to display historical charts for the selected underlay tunnel.

Passthrough Subtab

Field – Description
Passthrough Tunnel – Designated passthrough tunnel.
Charts – Click the chart icon to display historical charts for the selected passthrough tunnel.
Local IP – IP address of the local endpoint.
Remote IP – IP address of the remote endpoint.
Mode – Indicates whether the tunnel protocol is GRE, IPSec, or No Encap.
NAT – Indicates whether Network Address Translation (NAT) has been applied.
Peer/Service – Peer or service being used.

To add, modify, or delete tunnels for an appliance, click the edit icon in the appropriate table row on the Tunnels tab.

Troubleshooting

  1. Have you created and applied the Overlay to all the appliances on which you are expecting tunnels to be built?

    Verify this on the Apply Overlays tab.

  2. Are the appliances on which you are expecting the Overlays to be built using Release 8.0 or later?

    View the active software releases on Administration > Software > Upgrade > Software Versions.

  3. Do you have at least one WAN Label selected as a Primary port in the Overlay Policy?

    Verify this on the Business Intent Overlay tab in the WAN Links & Bonding Policy section.

  4. Are the same WAN labels selected in the Overlay assigned to the WAN interfaces on the appliances?

    Verify that at least one of the Primary Labels selected in the Business Intent Overlay is identical to a Label assigned on the appliance’s Deployment page. Tunnels are built between matching Labels on all appliances participating in the overlay.

  5. Do any two (or more) appliances have the same Site Name?

    Assign the same Site Name only to appliances that you do not want to connect directly to each other. To view the list of Site Names, navigate to the Configuration > Networking > Tunnels > Tunnels tab, and then click Sites at the top.

Tunnels Dialog Box

This dialog box enables you to add, modify, or delete underlay and passthrough tunnels for an appliance. If you have deployed an SD-WAN network, Business Intent Overlays (BIOs) govern tunnel creation and properties. Overlay tunnels consist of bonded underlay tunnels.

The Tunnels dialog box includes the following three subtabs:

  • Overlay – Displays SD-WAN bonded tunnels. Specifically, overlay tunnels consist of bonded underlay tunnels.

  • Underlay – Displays IPSec tunnels that map to discrete transports.

  • Passthrough – Displays third-party (IPSec) tunnels for service chaining to cloud security services, such as Zscaler and Symantec, and tunnels for local breakouts to trusted SaaS applications, such as Office 365.

Use Passthrough Tunnels

Use passthrough tunnels in the following situations:

  • For internet breakout to a trusted SaaS application, like Office 365

  • For service chaining to a cloud security service, like Zscaler or Symantec

    • This requires building secure and compatible third-party IPSec tunnels from EdgeConnect devices to non-EdgeConnect devices in the data center or cloud.

    • When you create the tunnel, the Service Name in the Business Intent Overlay’s Internet Traffic Policies must exactly match the Peer/Service specified in the Passthrough tunnel configuration.

    • To load balance, create two or more passthrough IPSec tunnels and, in the Business Intent Overlay, ensure that they all specify the same Service Name in the Internet Traffic Policies.

IPSec Suite B Presets

As of version 9.2, Orchestrator provides you with four IPSec Suite B presets, as follows:

  • GCM-128

  • GCM-256

  • GMAC-128

  • GMAC-256

Each preset includes a predetermined set of IKE and ESP (IPSec) cryptographic algorithms. By selecting an IPSec Suite B preset, you can streamline the algorithm aspect of your tunnel setup rather than selecting individual algorithms. However, you can select individual algorithms if you want to. To select a preset, use the IPSec Suite B Preset drop-down field on the Add Tunnel or Modify Tunnel dialog box.

The following tables show the IPSec Suite B presets in the header row and provide the associated algorithm setups for the IKEv2 and ESP (IPSec) stages.

IKEv2 Stage

Preset: GCM-128 / GCM-256 / GMAC-128 / GMAC-256
Encryption (Note): AES-128-CBC / AES-256-CBC / AES-128-CBC / AES-256-CBC
Pseudo Random Function: HMAC-SHA-256 / HMAC-SHA-384 / HMAC-SHA-256 / HMAC-SHA-384
Integrity (IKE Data Authentication): HMAC-SHA-256-128 / HMAC-SHA-384-192 / HMAC-SHA-256-128 / HMAC-SHA-384-192
Key Exchange (NIST Elliptic Curve Groups): DH-19 (256-bit prime size) / DH-20 (384-bit prime size) / DH-19 (256-bit prime size) / DH-20 (384-bit prime size)

ESP (IPSec) Stage

Preset: GCM-128 / GCM-256 / GMAC-128 / GMAC-256
Encryption: AES-128-GCM with 16 octet ICV / AES-256-GCM with 16 octet ICV / NULL / NULL
Integrity (Data Authentication): NULL / NULL / AES-128-GMAC / AES-256-GMAC

Notice in the second table that for GCM, encryption and data authentication are done in one step. For GMAC, ESP provides data authentication only; there is no encryption.
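As an added example (not Orchestrator code), the following Python resolves each preset into the IKEv2 and ESP settings from the two tables above and checks a tunnel's crypto fields against the selection rules given in the Add Tunnel IKE and IPSec tab descriptions. The TunnelCrypto field names, the SHA2- spelling of the PRF choices and the underlay/passthrough distinction in the DH group lists are assumptions for illustration; the algorithm names, DH groups and rules come from this page.

```python
"""Resolve an IPSec Suite B preset into IKEv2/ESP settings and check a tunnel's
crypto fields. Added example, not Orchestrator code: TunnelCrypto field names
are assumptions; algorithm names, DH groups and rules are from the page."""
from dataclasses import dataclass, replace
from typing import List, Optional

# IKEv2 Stage and ESP (IPSec) Stage tables, plus the Perfect forward secrecy
# group the IPSec tab assigns per preset (19 for the -128 presets, 20 for -256).
SUITE_B_PRESETS = {
    "GCM-128": {"ike_enc": "AES-128-CBC", "ike_prf": "HMAC-SHA-256",
                "ike_auth": "HMAC-SHA-256-128", "ike_dh": 19,
                "esp_enc": "AES-128-GCM", "esp_auth": None, "pfs": 19},
    "GCM-256": {"ike_enc": "AES-256-CBC", "ike_prf": "HMAC-SHA-384",
                "ike_auth": "HMAC-SHA-384-192", "ike_dh": 20,
                "esp_enc": "AES-256-GCM", "esp_auth": None, "pfs": 20},
    "GMAC-128": {"ike_enc": "AES-128-CBC", "ike_prf": "HMAC-SHA-256",
                 "ike_auth": "HMAC-SHA-256-128", "ike_dh": 19,
                 "esp_enc": "NULL", "esp_auth": "AES-128-GMAC", "pfs": 19},
    "GMAC-256": {"ike_enc": "AES-256-CBC", "ike_prf": "HMAC-SHA-384",
                 "ike_auth": "HMAC-SHA-384-192", "ike_dh": 20,
                 "esp_enc": "NULL", "esp_auth": "AES-256-GMAC", "pfs": 20},
}

# Diffie-Hellman groups offered with no preset (IKE tab descriptions): underlay
# tunnels get 14-21, 26 and 31; passthrough tunnels additionally get 1, 2 and 5.
UNDERLAY_DH_GROUPS = set(range(14, 22)) | {26, 31}
PASSTHROUGH_DH_GROUPS = {1, 2, 5} | UNDERLAY_DH_GROUPS
GCM_ENC = {"AES-GCM-128", "AES-GCM-256"}
GMAC_AUTH = {"AES-GMAC-128", "AES-GMAC-256"}
# PRF choices per IKE AES-GCM setting (the page spells the -256 ones SHA-384 and
# SHA-512; the SHA2- spelling here is an assumption made for consistency).
PRF_CHOICES = {"AES-GCM-128": {"SHA2-256", "SHA2-384", "SHA2-512"},
               "AES-GCM-256": {"SHA2-384", "SHA2-512"}}


@dataclass
class TunnelCrypto:
    kind: str = "underlay"          # "underlay" or "passthrough"
    mode: str = "IPSec"             # IKE/IPSec tabs exist only in IPSec mode
    preset: str = "None"
    ike_version: int = 2
    ike_encryption: str = "auto"
    ike_auth: str = "SHA1"
    ike_prf: Optional[str] = None
    ike_dh_group: int = 14
    esp_encryption: str = "auto"
    esp_auth: str = "SHA1"
    pfs_group: int = 14             # 14 by default when no preset is selected


def apply_preset(cfg: TunnelCrypto) -> TunnelCrypto:
    """Fill in the IKE/IPSec fields as Orchestrator does when a preset is chosen."""
    if cfg.preset == "None":
        return cfg
    p = SUITE_B_PRESETS[cfg.preset]
    return replace(cfg, ike_version=2, ike_encryption=p["ike_enc"],
                   ike_auth=p["ike_auth"], ike_prf=p["ike_prf"],
                   ike_dh_group=p["ike_dh"], esp_encryption=p["esp_enc"],
                   esp_auth=p["esp_auth"], pfs_group=p["pfs"])


def validate(cfg: TunnelCrypto) -> List[str]:
    """Return the documented rules that this configuration breaks (empty = OK)."""
    issues: List[str] = []
    if cfg.mode != "IPSec":
        if cfg.preset != "None":
            issues.append("Suite B presets apply only when Mode is IPSec")
        return issues
    if cfg.preset != "None":
        if cfg.preset not in SUITE_B_PRESETS:
            issues.append(f"unknown preset {cfg.preset}")
        elif cfg != apply_preset(cfg):
            issues.append(f"IKE/IPSec fields differ from what preset {cfg.preset} sets")
        return issues
    # No preset: the individually selected algorithms must follow the tab rules.
    if cfg.ike_version == 1 and cfg.ike_encryption in GCM_ENC:
        issues.append("AES-GCM IKE encryption is offered only with IKE v2")
    if cfg.ike_encryption in GCM_ENC and cfg.ike_prf not in PRF_CHOICES[cfg.ike_encryption]:
        issues.append(f"Pseudo Random Function for {cfg.ike_encryption} must be one of "
                      f"{sorted(PRF_CHOICES[cfg.ike_encryption])}")
    allowed = UNDERLAY_DH_GROUPS if cfg.kind == "underlay" else PASSTHROUGH_DH_GROUPS
    if cfg.ike_dh_group not in allowed:
        issues.append(f"DH group {cfg.ike_dh_group} is not offered for {cfg.kind} tunnels")
    elif cfg.ike_dh_group < 14:
        issues.append(f"DH group {cfg.ike_dh_group} is weak; 14 or higher is recommended")
    if cfg.esp_auth in GMAC_AUTH and cfg.esp_encryption != "NULL":
        issues.append("AES-GMAC IPSec authentication forces IPSec encryption to NULL")
    return issues


if __name__ == "__main__":
    for name in SUITE_B_PRESETS:
        print(name, apply_preset(TunnelCrypto(preset=name)))
    print(validate(TunnelCrypto(ike_version=1, ike_encryption="AES-GCM-128")))
```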

Add or Modify a Tunnel

To add an underlay or passthrough tunnel, perform the following steps:

NOTE: To modify a tunnel, click the edit icon next to the tunnel. The Modify Tunnel dialog box (for underlay tunnels) or the Modify Passthrough Tunnel dialog box opens. Change fields as described below, and then click Save.

  1. Select Underlay or Passthrough.

  2. Select Add Tunnel.

    The Add Tunnel dialog box (for underlay) or the Add Passthrough Tunnel dialog box opens.

  3. Complete the following fields as appropriate for either underlay or passthrough tunnels.

    Add Tunnel dialog box (for underlay)

    The Add Tunnel dialog box displays a General tab. If you set the Mode field on this tab to IPSec, the IKE and IPSec tabs are also displayed.

    General tab (for underlay)

    Access the following fields by clicking the General tab on the Add Tunnel dialog box.

    General

    Field – Description
    Alias – Alias name of the tunnel.
    Mode – Indicates whether the tunnel protocol is UDP, GRE, IPSec, or IPSec UDP. If you select IPSec, you can specify the IKE version on the IKE tab.

    NOTE: If this field is set to IPSec UDP, it is recommended that you use the AES_256_GCM_16 algorithm, which performs both encryption and authentication, resulting in better performance.
    IPSec Suite B Preset – This field is available only if the Mode field is set to IPSec. Select an IPSec Suite B preset if required by the security service (GCM-128, GCM-256, GMAC-128, or GMAC-256). The default setting is None.

    If IPSec Suite B Preset is set to None, no preset is selected, but GCM and GMAC algorithms are available to set independently.

    If an IPSec Suite B preset is selected, various settings on the IKE and IPSec tabs are configured automatically based on the selected preset.
    Admin – Indicates whether the tunnel has been set to admin up or down.
    Local IP – IP address of the local endpoint.
    Remote IP – IP address of the remote endpoint.
    Auto discover MTU enabled – When enabled, allows the appliances to discover the tunnel MTU automatically. Enabled by default.
    MTU – Maximum Transmission Unit (MTU) is the largest possible unit of data that can be sent on a given physical medium. For example, the MTU of Ethernet is 1500 bytes. MTUs up to 9000 bytes are supported. Auto allows the tunnel MTU to be discovered automatically, and it overrides the MTU setting. This field is not available if the Auto discover MTU enabled check box is selected.
    Auto max BW enabled – When enabled, allows the appliances to auto-negotiate the maximum tunnel bandwidth. Enabled by default.
    Max BW Kbps – Maximum amount of bandwidth in kilobits per second. This field is not available if the Auto max BW enabled check box is selected.
    UDP destination port – Used in UDP mode. Accept the default value unless the port is blocked by a firewall.
    UDP flows – Used in UDP mode. Number of flows over which to distribute tunnel data.
    Min BW Kbps – Minimum amount of bandwidth in kilobits per second.

    Packet

    NOTE: FEC settings do not apply when overlays are used. FEC settings only apply when routing directly to an underlay via Route Policy.

    Field – Description
    Reorder wait – Maximum time (in milliseconds) the appliance holds an out-of-order packet when attempting to reorder. 100 ms is the default value and should be adequate for most situations. FEC can introduce out-of-order packets if the reorder wait time is not set high enough.
    FEC – Set Forward Error Correction (FEC) to enable, disable, or auto.
    FEC ratio – When FEC is set to auto, FEC ranges dynamically from off to 1:10 based on detected loss. The options are 1:1, 1:2, 1:5, 1:10, and 1:20. This field is available only if FEC is set to enable.

    Tunnel Health

    Field – Description
    Retry count – Number of failed keep-alive messages that are allowed before the appliance brings the tunnel down.
    DSCP – Determines the DSCP marking that the keep-alive messages should use.

    FastFail Thresholds

    NOTE: FastFail thresholds do not apply when overlays are used. FastFail only applies when routing directly to an underlay via Route Policy.

    Field – Description
    Fastfail enabled – When multiple tunnels are carrying data between two appliances, this feature determines how quickly to disqualify a tunnel from carrying data.

    The Fastfail connectivity detection algorithm for the wait time from receipt of the last packet before declaring a brownout is:

    Twait = Base + N * RTTavg

    where Base is a value in milliseconds, and N is the multiplier of the average Round Trip Time over the past minute.

    For example, if:

    Base = 200 ms, N = 2, and RTTavg = 50 ms

    Then:

    Twait = 200 + 2 * 50 = 300 ms

    The appliance declares a tunnel to be in brownout if it does not see a reply packet from the remote end within 300 ms of receiving the most recent packet.

    In the Tunnel Advanced Options, Base is expressed as Fastfail wait-time base offset (ms), and N is expressed as Fastfail RTT multiplication factor.

    Fastfail enabled – This option is triggered when a tunnel’s keep-alive signal does not receive a reply. The options are disable, enable, and continuous. If the disqualified tunnel subsequently receives a keep-alive reply, its recovery is instantaneous.

    For disable, keep-alives are sent every second, and 30 seconds elapse before failover. In that time, all transmitted data is lost.

    For enable, keep-alives are sent every second, and a missed reply increases the rate at which keep-alives are sent from one per second to ten per second. Failover occurs after one second.

    For continuous, keep-alives are continuously sent at ten per second. Therefore, failover occurs after one tenth of a second.
    Latency – Amount of latency in milliseconds. Thresholds for Latency, Loss, or Jitter are checked once every second.

    Three successive measurements that exceed the threshold put the tunnel into brownout, and flows attempt to fail over to another tunnel within the next 100 ms.

    Three successive measurements that drop below the threshold take the tunnel out of brownout.
    Loss – Amount of data lost as a percentage.
    Jitter – Amount of jitter in milliseconds.
    Fastfail wait-time base offset – Fastfail basic timeout time in milliseconds.
    Fastfail RTT multiplication factor – Multiplier applied to the RTT (Round Trip Time) that is added to the basic timeout.

    IKE tab (for underlay)

    Access the following fields by clicking the IKE tab on the Add Tunnel dialog box. This tab is displayed only if the Mode field on the General tab is set to IPSec.

    IKE

    Field – Description
    Pre-shared key – Pre-shared key used for IKE authentication.
    Authentication Algorithm – Authentication algorithm used for IKE security association (SA).

    If the IPSec Suite B Preset field on the General tab is set to None, you can select SHA1, SHA2-256, SHA2-384, or SHA2-512. The default setting is SHA1.

    If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate algorithm.

    NOTE: With IKEv2 and the Encryption algorithm field set to auto, AES-GCM will probably be negotiated, which includes encryption and authentication. In this case, this field might show a SHA setting that is not actually used.

    If the Encryption algorithm field is set to AES-GCM-128 or AES-GCM-256, this field is not applicable.
    Encryption Algorithm – Encryption algorithm used for IKE security association (SA).

    If the IPSec Suite B Preset field on the General tab is set to None, and the IKE Version field is set to IKE v1, you can select AES-CBC-128, AES-CBC-256, or auto. The default setting is auto.

    If the IPSec Suite B Preset field is set to None, and the IKE Version field is set to IKE v2, you can select AES-CBC-128, AES-CBC-256, AES-GCM-128, AES-GCM-256, or auto. The default setting is auto.

    If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate algorithm.
    Pseudo Random Function – This field is displayed only if the IKE Encryption Algorithm field is set to AES-GCM-128 or AES-GCM-256.

    For AES-GCM-128, you can select SHA2-256, SHA2-384, or SHA2-512.

    For AES-GCM-256, you can select SHA-384 or SHA-512.
    Diffie-Hellman Group – Diffie-Hellman Group used for IKE security association (SA) negotiation.

    If the IPSec Suite B Preset field on the General tab is set to None, you can select the appropriate group. Available groups are 14 through 21, 26, and 31.

    If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate group.
    Rekey interval/lifetime – Rekey interval/lifetime of IKE security association (SA) in minutes. The default is 360 minutes.
    Dead peer detection – Delay time: The interval (in seconds) to check the lifetime of the IKE peer.

    Retry count: Number of times to retry the connection before determining that the connection is dead. This field is not editable.
    IKE identifier – Identifier of the IKE tunnel. This field is displayed only if the IKE Version field is set to IKE v1. Select the type of identifier from the drop-down list:

    IP ADDRESS – Specify the local public IP address, not the remote endpoint address.

    FQDN – Specify the fully qualified domain name (also known as absolute domain name).

    USER_FQDN – Specify an email address that contains an email domain.
    Local IKE identifier – Specify the local IKE identifier. This field is displayed only if the IKE Version field is set to IKE v2.
    Remote IKE identifier – Specify the remote IKE identifier. This field is displayed only if the IKE Version field is set to IKE v2.
    Phase 1 mode – Exchange mode for the IKE security association (SA) negotiation.

    If the IKE Version field is set to IKE v1, you can select Main or Aggressive.

    If the IKE Version field is set to IKE v2, this field is automatically set to Aggressive.
    IKE version – If the IPSec Suite B Preset field on the General tab is set to None, you can select IKE v1 or IKE v2.

    If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to IKE v2.

    IPSec tab (for underlay)

    Access the following fields by clicking the IPSec tab on the Add Tunnel dialog box. This tab is displayed only if the Mode field on the General tab is set to IPSec.

    IPSec

    Field – Description
    Authentication algorithm – Authentication algorithm used for the IPSec security association (SA).

    If the IPSec Suite B Preset field on the General tab is set to None, you can select SHA1, SHA2-256, SHA2-384, SHA2-512, AES-GMAC-128, or AES-GMAC-256. The default setting is SHA1.

    If the IPSec Suite B Preset field is set to GMAC-128 or GMAC-256, this field is automatically set to the appropriate algorithm.

    If the IPSec Suite B Preset field is set to GCM-128 or GCM-256, this field is not applicable.
    Encryption algorithm – Encryption algorithm used for the IPSec security association (SA).

    If the IPSec Suite B Preset field on the General tab is set to None, and the IPSec Authentication algorithm field is set to SHA1, SHA2-256, SHA2-384, or SHA2-512, you can select AES-CBC-128, AES-CBC-256, AES-GCM-128, AES-GCM-256, NULL, or Auto. The default setting is Auto.

    If the IPSec Suite B Preset field is set to None, and the IPSec Authentication algorithm field is set to AES-GMAC-128 or AES-GMAC-256, this field is automatically set to NULL.
    IPSec anti-replay window – Select a size from the drop-down list, or select Disable to disable the IPSec anti-replay window.

    If a size is selected, each encrypted packet is assigned a unique sequence number, which protects against an attacker replaying duplicated encrypted packets.
    Rekey interval/lifetime – Rekey interval/lifetime of the IPSec security association (SA) in minutes. The default is 360 minutes.
    Perfect forward secrecy group – Diffie-Hellman group used for IPSec security association (SA) negotiation. Based on the setting of the IPSec Suite B Preset field on the General tab, this field is set to the following Diffie-Hellman group:

    For None: 14 (by default)

    For GCM-128 or GMAC-128: 19

    For GCM-256 or GMAC-256: 20

    Add Passthrough Tunnel dialog box

    The Add Passthrough Tunnel dialog box displays a General tab. If you set the Mode field on this tab to IPSec, the IKE and IPSec tabs are also displayed.

    General tab (for passthrough)

    Access the following fields by clicking the General tab on the Add Passthrough Tunnel dialog box.

    Field – Description
    Alias – Alias name of the tunnel.
    Mode – Indicates whether the tunnel protocol is GRE, No Encap, IPSec, or IPSec UDP.

    NOTE: If this field is set to IPSec UDP, it is recommended that you use the AES_256_GCM_16 algorithm, which performs both encryption and authentication.
    IPSec Suite B Preset – This field is available only if the Mode field is set to IPSec. Select an IPSec Suite B preset if required by the security service (GCM-128, GCM-256, GMAC-128, or GMAC-256). The default setting is None.

    If IPSec Suite B Preset is set to None, no preset is selected, but GCM and GMAC algorithms are available to set independently.

    If an IPSec Suite B preset is selected, various settings on the IKE and IPSec tabs are configured automatically based on the selected preset.
    Admin – Indicates whether the tunnel has been set to admin up or down.
    Local IP – IP address of the local endpoint.
    Remote IP – IP address of the remote endpoint.
    NAT – Whether Network Address Translation (NAT) has been applied.
    Peer/Service – Enter the peer or service being used.
    Auto max BW enabled – When enabled, allows the appliances to auto-negotiate the maximum tunnel bandwidth.
    Max BW Kbps – Maximum amount of bandwidth in kilobits per second. This field is not available if the Auto max BW enabled check box is selected.

    IKE Tab (for passthrough)

    Access the following fields by clicking the IKE tab on the Add Passthrough Tunnel dialog box. This tab is displayed only if the Mode field on the General tab is set to IPSec.

    IKE

    Field – Description
    Pre-shared key – Pre-shared key used for IKE authentication.
    Authentication Algorithm – Authentication algorithm used for IKE security association (SA).

    If the IPSec Suite B Preset field on the General tab is set to None, you can select SHA1, SHA2-256, SHA2-384, or SHA2-512. The default setting is SHA1.

    If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate algorithm.

    NOTE: With IKEv2 and the Encryption algorithm field set to auto, AES-GCM will probably be negotiated, which includes encryption and authentication. In this case, this field might show a SHA setting that is not actually used.

    If the Encryption algorithm field is set to AES-GCM-128 or AES-GCM-256, this field is not applicable.
    Encryption Algorithm – Encryption algorithm used for IKE security association (SA).

    If the IPSec Suite B Preset field on the General tab is set to None, and the IKE Version field is set to IKE v1, you can select AES-CBC-128, AES-CBC-256, or auto. The default setting is auto.

    If the IPSec Suite B Preset field is set to None, and the IKE Version field is set to IKE v2, you can select AES-CBC-128, AES-CBC-256, AES-GCM-128, AES-GCM-256, or auto. The default setting is auto.

    If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate algorithm.
    Pseudo Random Function – This field is displayed only if the IKE Encryption Algorithm field is set to AES-GCM-128 or AES-GCM-256.

    For AES-GCM-128, you can select SHA2-256, SHA2-384, or SHA2-512.

    For AES-GCM-256, you can select SHA-384 or SHA-512.
    Diffie-Hellman Group – Diffie-Hellman Group used for IKE security association (SA) negotiation.

    If the IPSec Suite B Preset field on the General tab is set to None, you can select the appropriate group. Available groups are 1, 2, 5, 14 through 21, 26, and 31. For increased security, 14 or higher is recommended.

    If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to the appropriate group.
    Rekey interval/lifetime – Rekey interval/lifetime of IKE security association (SA) in minutes. The default is 360 minutes.
    Dead peer detection – Delay time: The interval (in seconds) to check the lifetime of the IKE peer.

    Retry count: Number of times to retry the connection before determining that the connection is dead. This field is not editable.
    IKE identifier – Identifier of the IKE tunnel. This field is displayed only if the IKE Version field is set to IKE v1. Select the type of identifier from the drop-down list:

    IP ADDRESS – Specify the local public IP address, not the remote endpoint address.

    FQDN – Specify the fully qualified domain name (also known as absolute domain name).

    USER_FQDN – Specify an email address that contains an email domain.
    Local IKE identifier – Specify the local IKE identifier. This field is displayed only if the IKE Version field is set to IKE v2.
    Remote IKE identifier – Specify the remote IKE identifier. This field is displayed only if the IKE Version field is set to IKE v2.
    Phase 1 mode – Exchange mode for the IKE security association (SA) negotiation.

    If the IKE Version field is set to IKE v1, you can select Main or Aggressive.

    If the IKE Version field is set to IKE v2, this field is automatically set to Aggressive.
    IKE version – If the IPSec Suite B Preset field on the General tab is set to None, you can select IKE v1 or IKE v2.

    If the IPSec Suite B Preset field is set to any other setting, this field is automatically set to IKE v2.

    IPSec tab (for passthrough)

    Access the following fields by clicking the IPSec tab on the Add Passthrough Tunnel dialog box. This tab is displayed only if the Mode field on the General tab is set to IPSec.

    IPSec

    Field – Description
    Authentication algorithm – Authentication algorithm used for the IPSec security association (SA).

    If the IPSec Suite B Preset field on the General tab is set to None, you can select SHA1, SHA2-256, SHA2-384, SHA2-512, AES-GMAC-128, or AES-GMAC-256. The default setting is auto.

    If the IPSec Suite B Preset field is set to GMAC-128 or GMAC-256, this field is automatically set to the appropriate algorithm.

    If the IPSec Suite B Preset field is set to GCM-128 or GCM-256, this field is not applicable.
    Encryption algorithm – Encryption algorithm used for the IPSec security association (SA).

    If the IPSec Suite B Preset field on the General tab is set to None, and the IPSec Authentication algorithm field is set to SHA1, SHA2-256, SHA2-384, or SHA2-512, you can select AES-CBC-128, AES-CBC-256, AES-GCM-128, AES-GCM-256, NULL, or Auto. The default setting is Auto.

    If the IPSec Suite B Preset field is set to None, and the IPSec Authentication algorithm field is set to AES-GMAC-128 or AES-GMAC-256, this field is automatically set to NULL.
    IPSec anti-replay window – Select a size from the drop-down list, or select Disable to disable the IPSec anti-replay window.

    If a size is selected, each encrypted packet is assigned a unique sequence number, which protects against an attacker replaying duplicated encrypted packets.
    Rekey interval/lifetime – Rekey interval/lifetime of the IPSec security association (SA) in minutes. The default is 360 minutes.
    Perfect forward secrecy group – Diffie-Hellman group used for IPSec security association (SA) negotiation. Based on the setting of the IPSec Suite B Preset field on the General tab, this field is set to the following Diffie-Hellman group:

    For None: 14 (by default)

    For GCM-128 or GMAC-128: 19

    For GCM-256 or GMAC-256: 20
  4. Click Save.
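The FastFail timing and brownout rules from the FastFail Thresholds table in step 3 above, worked through as an added Python example (not Orchestrator code). The function and class names are assumptions, as is treating a measurement that exceeds any one of the Latency, Loss, or Jitter thresholds as over threshold; the Twait formula, the Base = 200 ms / N = 2 / RTTavg = 50 ms values, the three-in-a-row rule, and the keep-alive rates are from this page.

```python
"""FastFail wait time (Twait = Base + N * RTTavg) and threshold brownout
hysteresis. Added example, not Orchestrator code; names are assumptions."""
from dataclasses import dataclass
from typing import Iterable, List

# Keep-alive behaviour per "Fastfail enabled" setting, from the field description.
FASTFAIL_MODES = {
    "disable":    {"keepalive_per_s": 1,  "failover_s": 30.0},
    "enable":     {"keepalive_per_s": 10, "failover_s": 1.0},  # 10/s once a reply is missed
    "continuous": {"keepalive_per_s": 10, "failover_s": 0.1},
}


def fastfail_wait_ms(base_ms: float, n: float, rtt_avg_ms: float) -> float:
    """Twait: how long after the last received packet a missing reply means brownout.
    Base is the Fastfail wait-time base offset, N the RTT multiplication factor."""
    return base_ms + n * rtt_avg_ms


def silence_is_brownout(silence_ms: float, base_ms: float, n: float,
                        rtt_avg_ms: float) -> bool:
    """True once the remote end has been silent for longer than Twait."""
    return silence_ms > fastfail_wait_ms(base_ms, n, rtt_avg_ms)


@dataclass
class Sample:
    """One per-second measurement of the tunnel."""
    latency_ms: float
    loss_pct: float
    jitter_ms: float


class BrownoutTracker:
    """Three successive samples over threshold enter brownout; three successive
    samples under threshold leave it. Samples are assumed to arrive once per
    second, which is how often the thresholds are checked. Assumption: exceeding
    any one of the three thresholds counts as over threshold."""

    def __init__(self, latency_ms: float, loss_pct: float, jitter_ms: float,
                 streak: int = 3):
        self.thresholds = (latency_ms, loss_pct, jitter_ms)
        self.streak = streak
        self.brownout = False
        self._over = 0      # consecutive samples over threshold
        self._under = 0     # consecutive samples under threshold

    def exceeds(self, s: Sample) -> bool:
        lat, loss, jit = self.thresholds
        return s.latency_ms > lat or s.loss_pct > loss or s.jitter_ms > jit

    def update(self, s: Sample) -> bool:
        """Feed one sample; return the brownout state after it."""
        if self.exceeds(s):
            self._over, self._under = self._over + 1, 0
        else:
            self._under, self._over = self._under + 1, 0
        if not self.brownout and self._over >= self.streak:
            self.brownout = True          # flows fail over within the next 100 ms
        elif self.brownout and self._under >= self.streak:
            self.brownout = False
        return self.brownout


def simulate(tracker: BrownoutTracker, samples: Iterable[Sample]) -> List[bool]:
    """Brownout state after each sample, in order."""
    return [tracker.update(s) for s in samples]


if __name__ == "__main__":
    # The page's worked example: Base = 200 ms, N = 2, RTTavg = 50 ms -> 300 ms.
    print("Twait:", fastfail_wait_ms(200, 2, 50))
    # Constructed sample series: latency spikes over a 150 ms threshold, then recovers.
    series = [Sample(100, 0, 5), Sample(160, 0, 5), Sample(170, 0, 5), Sample(180, 0, 5),
              Sample(100, 0, 5), Sample(100, 0, 5), Sample(100, 0, 5)]
    print(simulate(BrownoutTracker(150, 1, 20), series))
```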

Delete a Tunnel

To delete a tunnel listed in the table on the Underlay or Passthrough subtab of the Tunnels dialog box, click the corresponding delete icon (X) in the last column.



© Copyright 2023 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.
