Controller Based WLANs

 View Only
last person joined: one year ago 

APs, Controllers, VIA
Back to Library

Disable Factory- Default IKE/IPsec Profiles 

Jul 04, 2014 05:13 AM

Introduction :

 

Dynamic maps enable IPsec SA negotiations from dynamically addressed IPsec peers. ArubaOS has a predefined IPsec dynamic maps for IKEv2. But in some rare situation we might need to use our own customized IPsec dynamic maps for IKEv2 according to the company security standards.

If you do not want to use of these predefined maps, you can use the procedures below to to delete a factory-default map,edit an existing map or create your own custom IPsec dynamic map instead.

 

 

Feature Notes :

 

Starting from AOS image 6.4, we have an option to disable or delete the Factory Default IKE/IPsec Profiles

 

 

Configuration Steps :

 

In the WebUI
 
  1. Scroll down to the IPsec Dynamic Map section of the IPSEC tab, then click Edit by a map name to edit an existing map or click Add to create a new map.
  2. In the Name field, enter a name for the dynamic map.
  3. In the Priority field, enter a priority number for the map. Negotiation requests for security associations try to match the highest-priority map first. If that map does not match, the negotiation request continues down the list to the next-highest priority map until a match is made.
  4. Click the Version drop-down list, and select v2 to create a map for remote peers using IKEv2.
  5. (Optional) Configure Perfect Forward Secrecy (PFS) settings for the dynamic peer by assigning a Diffie-Hellman prime modulus group. PFS provides an additional level of security by ensuring that the IPsec SA key was not derived from any other key, and therefore can not be compromised if another key is broken. Click the Set PFS drop-down list and select one of the following groups:

          Group 1: 768-bit Diffie–Hellman prime modulus group.
          Group 2: 1024-bit Diffie–Hellman prime modulus group.
          Group 14: 2048-bit Diffie–Hellman prime modulus group.
          Group 19: 256-bit random Diffie–Hellman ECP modulus group.
          Group 20: 384-bit random Diffie–Hellman ECP modulus group.
     
  6. Select the transform set for the map to define a specific encryption and authentication type used by the dynamic peer. Click the Transform Set drop-down list, and select the transform set for the dynamic peer.
  7. Set the Security Association Lifetime to define the lifetime of the security association for the dynamic peer, in seconds. The default value is 7200 seconds. To change this value, uncheck the default checkbox and enter a value from 300 to 86400 seconds.
  8. Click Done.

 

When you have finished configuring your IPsec VPN settings, click Apply to apply the new settings before navigating to other pages.

Use the following procedures to use the command-line interface to configure a remote access VPN for L2TP IPsec using IKEv2.
 
1. Define the server addresses:
 
(host)(config) #vpdn group l2tp
enable
client configuration {dns|wins} <ipaddr1> [<ipaddr2>]

2. Enable authentication methods for IKEv2 clients:
 
(host)(config) #crypto isakmp eap-passthrough {eap-mschapv2|eap-peap|eap-tls}
 
3. Create address pools:

(host)(config) #ip local pool <pool> <start-ipaddr> <end-ipaddr>
 
4. Configure source NAT:
 
(host)(config) #ip access-list session srcnat user any any src-nat pool <pool> position 1
 
5. If you are configuring a VPN to support machine authentication using certificates, define server certificates for VPN clients using IKEv2:
 
(host)(config) #crypto-local isakmp server-certificate <cert>

6. Define IKEv2 Policies:
 
(host)(config) #crypto isakmp policy <priority>
encryption {3des|aes128|aes192|aes256|des}
version v2
authentication {pre-share|rsa-sig|ecdsa-256ecdsa-384}
group {1|2|19|20}
hash {md5|sha|sha1-96|sha2-256-128|sha2-384-192}
prf PRF-HMAC-MD5|PRF-HMAC-SHA1|PRF-HMAC-SHA256|PRF-HMAC-SHA384
lifetime <seconds>
 
7. Define IPsec Tunnel parameters:
 
(host)(config) #crypto ipsec
mtu <max-mtu>
transform-set <transform-set-name> esp-3des|esp-aes128|esp-aes128-gcm|esp-aes192|esp-aes256
|esp-aes256-gcm|esp-des esp-md5-hmac|esp-null-mac|esp-sha-hmac
 
Troubleshooting#show crypto ipsec transform-set tag <transform-set-name>

Internal Note :
The IKE pre-shared key value must be between 6-64 characters. To configure a pre-shared IKE key that contains nonalphanumeric characters, surround the key with quotation marks.
 
For example: crypto-local isakmp key "key with spaces" fqdn-any.

 

Statistics
0 Favorited
16 Views
0 Files
0 Shares
0 Downloads

Related Entries and Links

No Related Resource entered.