290 | Virtual Private Networks Dell PowerConnect W-Series ArubaOS 6.2 | User Guide
5. In the Source Network and Source Subnet Mask fields, enter the IP address and netmask for the source (the local network connected to the controller). (See controller A in Figure 78.)
6. In the Destination Network and Destination Subnet Mask fields, enter the IP address and netmask for the destination (the remote network to which the local network communicates). (See controller B in Figure 78.)
7. If you are using IKEv1 to establish a site-to-site VPN to a statically addressed remote peer, in the Peer Gateway field, enter the IP address of the interface used by the remote peer to connect to the L3 network. (See Interface B in Figure 78.) If you are configuring an IPsec map for a dynamically addressed remote peer, you must leave the peer gateway set to its default value of 0.0.0.0.
8. If you are using IKEv2 to establish a site-to-site VPN to a statically addressed remote peer, identify the peer device by entering its certificate subject name in the Peer Certificate Subject Name field.
NOTE: To identify the subject name of a peer certificate, access the command-line interface and issue the command
show crypto-local pki servercert <certname> subject
9. The Security Association Lifetime parameter defines the lifetime of the security association, in seconds. The default value is 7200 seconds. To change this value, uncheck the default checkbox and enter a value from 300 to 86400 seconds.
10. Click the Version drop-down list and select V1 to configure the VPN for IKEv1, or V2 for IKEv2.
11. Select the VLAN that contains the interface of the local controller which connects to the Layer-3 network. (See Interface A in Figure 78.)
This determines the source IP address used to initiate IKE. If you select 0 or None, the default is the VLAN of the controller's IP address (either the VLAN where the loopback IP is configured or VLAN 1 if no loopback IP is configured).
12. If you enable Perfect Forward Secrecy (PFS) mode, new session keys are not derived from previously used session keys. Therefore, if a key is compromised, that compromised key does not affect any previous session keys. PFS mode is disabled by default. To enable this feature, click the PFS drop-down list and select one of the following Perfect Forward Secrecy modes:
• group1: 768-bit Diffie-Hellman prime modulus group.
• group2: 1024-bit Diffie-Hellman prime modulus group.
• group19: 256-bit random Diffie-Hellman ECP modulus group.
• group20: 384-bit random Diffie-Hellman ECP modulus group.
13. Select Pre-Connect to have the VPN connection established even if there is no traffic being sent from the local network. If this is not selected, the VPN connection is only established when traffic is sent from the local network to the remote network.
14. Select Trusted Tunnel if traffic between the networks is trusted. If this is not selected, traffic between the networks is untrusted.
15. Select the Enforce NATT checkbox to always enforce UDP 4500 for IKE and IPsec. This option is disabled by default.
16. Add one or more transform sets to be used by the IPsec map. Click the Transform Set drop-down list, select an existing transform set, then click the arrow button by the drop-down list to add that transform set to the IPsec map.
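The steps above impose several rules that depend on each other (static versus dynamically addressed peer, IKE version versus how the peer is identified, the SA lifetime range, the allowed PFS groups, and at least one transform set). The following Python script is an added example written for this edit, not code from the ArubaOS guide or from Dell/Aruba: it models the WebUI fields of one IPsec map and reports which of those rules a proposed configuration breaks before it is committed. The dataclass and attribute names, the sample networks (RFC 5737 documentation ranges) and the advisory that group1 and group2 are below current strength recommendations are this example's own assumptions and judgement; the numeric limits and group sizes are the ones stated in the procedure.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import List, Optional

# Values taken from the procedure above
SA_LIFETIME_DEFAULT = 7200
SA_LIFETIME_MIN, SA_LIFETIME_MAX = 300, 86400
NATT_UDP_PORT = 4500
DYNAMIC_PEER_GATEWAY = "0.0.0.0"
PFS_GROUPS = {
    "group1": "768-bit Diffie-Hellman prime modulus group",
    "group2": "1024-bit Diffie-Hellman prime modulus group",
    "group19": "256-bit random Diffie-Hellman ECP modulus group",
    "group20": "384-bit random Diffie-Hellman ECP modulus group",
}


@dataclass
class IPsecMap:
    """WebUI fields of one IPsec map (attribute names are this example's own)."""
    name: str
    source_network: str            # Source Network
    source_mask: str               # Source Subnet Mask
    destination_network: str       # Destination Network
    destination_mask: str          # Destination Subnet Mask
    version: str                   # Version drop-down: "V1" or "V2"
    dynamic_peer: bool = False     # remote peer is dynamically addressed
    peer_gateway: str = DYNAMIC_PEER_GATEWAY
    peer_cert_subject: Optional[str] = None  # Peer Certificate Subject Name
    sa_lifetime: int = SA_LIFETIME_DEFAULT   # seconds
    pfs: Optional[str] = None      # PFS group; None means disabled (the default)
    enforce_natt: bool = False
    transform_sets: List[str] = field(default_factory=list)


def _check_network(label: str, addr: str, mask: str, problems: List[str]) -> None:
    # strict=True rejects a network address that still has host bits set
    try:
        IPv4Network(f"{addr}/{mask}", strict=True)
    except ValueError as exc:
        problems.append(f"{label}: {addr}/{mask} is not a valid network and mask ({exc})")


def validate_ipsec_map(m: IPsecMap) -> List[str]:
    """Return every rule from the procedure that the map violates (empty list = consistent)."""
    problems: List[str] = []
    _check_network("source", m.source_network, m.source_mask, problems)
    _check_network("destination", m.destination_network, m.destination_mask, problems)

    if m.version not in ("V1", "V2"):
        problems.append(f"version must be V1 or V2, got {m.version!r}")

    if m.dynamic_peer:
        # Step 7: a dynamically addressed peer keeps the default Peer Gateway
        if m.peer_gateway != DYNAMIC_PEER_GATEWAY:
            problems.append("dynamically addressed peer: Peer Gateway must stay at 0.0.0.0")
    elif m.version == "V1":
        # Step 7: IKEv1 to a static peer is identified by the peer's L3 interface address
        try:
            gw = IPv4Address(m.peer_gateway)
        except ValueError:
            problems.append(f"IKEv1 static peer: Peer Gateway {m.peer_gateway!r} is not an IPv4 address")
        else:
            if gw == IPv4Address(DYNAMIC_PEER_GATEWAY):
                problems.append("IKEv1 static peer: Peer Gateway must be the remote peer's interface address")
    elif m.version == "V2":
        # Step 8: IKEv2 to a static peer is identified by its certificate subject name
        if not m.peer_cert_subject:
            problems.append("IKEv2 static peer: Peer Certificate Subject Name is required")

    # Step 9: lifetime range
    if not SA_LIFETIME_MIN <= m.sa_lifetime <= SA_LIFETIME_MAX:
        problems.append(f"SA lifetime {m.sa_lifetime}s is outside {SA_LIFETIME_MIN}-{SA_LIFETIME_MAX}s")

    # Step 12: only the listed PFS groups exist in the drop-down
    if m.pfs is not None and m.pfs not in PFS_GROUPS:
        problems.append(f"unknown PFS group {m.pfs!r}; choose one of {sorted(PFS_GROUPS)}")

    # Step 16: the map needs at least one transform set
    if not m.transform_sets:
        problems.append("at least one transform set must be added to the map")
    return problems


def advisories(m: IPsecMap) -> List[str]:
    """Non-blocking notes. The weak-group judgement is the editor's, not the guide's."""
    notes: List[str] = []
    if m.pfs is None:
        notes.append("PFS is disabled (the default); new session keys are derived from earlier ones")
    elif m.pfs in ("group1", "group2"):
        notes.append(f"PFS {m.pfs} ({PFS_GROUPS[m.pfs]}) is below current strength recommendations; prefer group19 or group20")
    if not m.enforce_natt:
        notes.append(f"Enforce NATT is off; UDP {NATT_UDP_PORT} is not forced for IKE and IPsec")
    return notes


if __name__ == "__main__":
    # Constructed sample: IKEv1 to a statically addressed peer, documentation address ranges
    sample = IPsecMap("to-site-b", "192.0.2.0", "255.255.255.0", "198.51.100.0", "255.255.255.0",
                      version="V1", peer_gateway="203.0.113.2", pfs="group2",
                      transform_sets=["default-transform"])
    for line in validate_ipsec_map(sample) + advisories(sample):
        print(line)
```

Run it against the map you are about to enter in the WebUI; an empty problem list means the fields agree with steps 5 through 16, and the advisories point at the PFS and NAT-T choices a reviewer would ask about.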
17. For site-to-site VPNs with dynamically addressed peers, click the Dynamically Addressed Peers checkbox.
a. Select Initiator if the dynamically addressed switch is the initiator of IKE Aggressive-mode for Site-Site VPN, or select Responder if the dynamically addressed switch is the responder for IKE Aggressive-mode.
b. In the FQDN field, enter a fully qualified domain name (FQDN) for the controller. If the controller is defined as a dynamically addressed responder, you can select all peers to make the controller a responder for all VPN