Dell 6.2 manual Show crypto-local pki servercert certname subject

5.In the Source Network and Source Subnet Mask fields, enter the IP address and netmask for the source (the local network connected to the controller). (See controller A in Figure 78.)

6.In the Destination Network and Destination Subnet Mask fields, enter the IP address and netmask for the destination (the remote network to which the local network communicates). (See controller B in Figure 78.)

7.If you are using IKEv1 to establish a site-to-site VPN to a statically addressed remote peer, in the Peer Gateway field, enter the IP address of the interface used by remote peer to connect to the L3 network. (See Interface B in Figure 78.) If you are configuring an IPsec map for a dynamically addressed remote peer, you must leave the peer gateway set to its default value of 0.0.0.0.

8.If you are using IKEv2 to establish a site-to-site VPN to a statically addressed remote peer, identify the peer device by entering its certificate subject name in the Peer Certificate Subject Name field.

NOTE: To identify the subject name of a peer certificate, access the command-line interface and issue the command

show crypto-local pki servercert <certname> subject

9.The Security Association Lifetime parameter defines the lifetime of the security association, in seconds. The default value is 7200 seconds. To change this value, uncheck the default checkbox and enter a value from 300 to 86400 seconds.

10.Click the Version drop-down list and select V1 to configure the VPN for IKEv1, or V2 for IKEv2.

11.Select the VLAN that contains the interface of the local controller which connects to the Layer-3 network. (See Interface A in Figure 78.)

This determines the source IP address used to initiate IKE. If you select 0 or None, the default is the VLAN of the controller’s IP address (either the VLAN where the loopback IP is configured or VLAN 1 if no loopback IP is configured).

12.If you enable Perfect Forward Secrecy (PFS) mode, new session keys are not derived from previously used session keys. Therefore, if a key is compromised, that compromised key does not affect any previous session keys. PFS mode is disabled by default. To enable this feature, click the PFS drop-down list and select one of the following Perfect Forward Secrecy modes:

• group1: 768-bit Diffie Hellman prime modulus group.

• group2: 1024-bit Diffie Hellman prime modulus group.

• group19: 256-bit random Diffie Hellman ECP modulus group.

• group20: 384-bit random Diffie Hellman ECP modulus group.

13.Select Pre-Connectto have the VPN connection established even if there is no traffic being sent from the local network. If this is not selected, the VPN connection is only established when traffic is sent from the local network to the remote network.

14.Select Trusted Tunnel if traffic between the networks is trusted. If this is not selected, traffic between the networks is untrusted.

15.Select the Enforce NATT checkbox to always enforce UDP 4500 for IKE and IPSEC. This option is disabled by default.

16.Add one or more transform sets to be used by the IPsec map. Click the Transform Set drop down list, select an existing transform set, then click the arrow button by the drop-down list to add that transform set to the IPsec map.

17.For site-to-site VPNs with dynamically addressed peers, click the Dynamically Addressed Peers checkbox.

a.Select Initiator if the dynamically addressed switch is the initiator of IKE Aggressive-mode for Site-Site VPN, or select Responder if the dynamically addressed switch is the responder for IKE Aggressive-mode.

b.In the FQDN field, enter a fully qualified domain name (FQDN) for the controller. If the controller is defined as a dynamically addressed responder, you can select all peers to make the controller a responder for all VPN