Aruba Central Online Help

Configuring Site-to-Site VPN

A site-to-site VPN (Virtual Private Network) allows the branch sites to establish secure connections with one another over a public network, for example, the internet. A site-to-site VPN allows users from different locations to access network resources hosted within the corporate network.

Figure 1 illustrates the site-to-site VPN topology in which a tunnel connects Network A to Network B across the internet.

Figure 1  Site-to-Site VPN Configuration Components


As shown in Figure 1, the following parameters must be configured to set up a site-to-site VPN tunnel on Branch Gateway A:

For the site-to-site VPN, you must configure VPN settings on Branch Gateways deployed at both the local and remote sites.

Site-to-site VPNs allow sites in different locations to securely communicate with one another over a layer 3 network such as the internet.

Aruba Gateways support the following IKE (Internet Key Exchange) SA (Security Association) authentication methods for site-to-site VPNs:

Configuring IPsec Map for Site-to-Site VPNs

To configure IPsec map parameters for a site-to-site VPN, complete the following steps:

  1. In the Network Operations app, set the filter to a group that contains at least one Branch Gateway.

    The dashboard context for a group is displayed.

  2. Under Manage, click Devices > Gateways.

    A list of gateways is displayed in the List view.

  3. Click a gateway under Device Name.

    The dashboard context for the gateway device is displayed.

  4. Under Manage, click Device.

    The gateway configuration page is displayed.

  5. If you are in the Basic Mode, click Advanced Mode to access the advanced configuration options.
  6. Click VPN > Site to Site.
  7. In the IPsec Maps section, click + to open the New IPsec Map section.
  8. Configure the required parameters as described in Table 1.
  9. Save the changes.

Table 1: IPsec Map Parameters

Parameter

Description

Name

Enter a name for the VPN connection.

Enabled

Select the check box.

Priority

Enter a priority level for the IPsec map. Negotiation requests for security associations try to match the highest-priority map first. If that map does not match, the negotiation request continues down the list to the next highest-priority map until a match is found.

Source network type

Select one of the following options to identify the source, the local VPN network connected to the Branch Gateway:

  • IP Address—The source is identified by an IP address.
    • Source network—If you selected IP Address, you must enter the IP address of the source network.
    • Source subnet mask—Enter the netmask for the source network.
  • VLAN—The source is identified by a VLAN ID.
    • VLAN—If you selected VLAN as the source network type, you must select the VLAN ID from the drop-down list.
  • Any—The source can be any network.

Destination network type

Select one of the following options to identify the destination, the remote network to which the local network communicates:

  • IP Address—The destination is identified by an IP address.
    • Destination network—If you selected IP Address, you must enter the IP address of the destination network.
    • Destination subnet mask—Enter the netmask for the destination network.
  • Any—The destination can be any network.

IKE version

Select v1 to configure the VPN for IKEv1, or v2 for IKEv2. For more information on configuring an IKE policy, see Configuring IKE Policies.

IKE policy

(Optional) Click the Policies drop-down list and select a predefined or custom IKE policy to apply to the IPsec map.

Transforms

Add one or more transform sets to be used by the IPsec map. Click + and select an existing transform set or create a new one. Then click Apply to add that transform set to the IPsec map.

If you selected Add new transform, enter the following details:

  • Name—Enter a name for the transform.
  • Encryption—Select the encryption algorithm from the drop-down list.
  • Hash—Select the hash algorithm from the drop-down list.

Remote peer addressing

Select one of the following options: 

  • Static—For site-to-site VPNs with peers that have a static IP address.
  • Dynamic—For site-to-site VPNs with dynamically addressed peers.

Peer gateway type

The peer gateway type can be one of the following values:

  • IP address—If you selected this option, specify an IP address in the Peer gateway IPv4 field.
  • FQDN—If you selected this option, specify a value in the Destination gateway FQDN field.

Destination gateway

This field is applicable only if you selected Dynamic in the Remote peer addressing field. Select one of the following options:

  • Initiator—Select this option if the dynamically addressed switch is the initiator of IKE Aggressive mode for site-to-site VPNs.
  • Responder—Select this option if the dynamically addressed switch is the responder for IKE Aggressive mode.

Source FQDN

Enter an FQDN (Fully Qualified Domain Name) for the Branch Gateway if the Branch Gateway is defined as a dynamically addressed responder, then select one of the following options:

  • All Peers—Select this option to make the Branch Gateway a responder for all VPN peers.
  • Per Peer Id—Select this option to make the Branch Gateway a responder for one specific initiator. Specify the FQDN ID of the specific initiator for which the Branch Gateway acts as a responder.

VLAN

Select the VLAN containing the interface of the Branch Gateway that connects to the layer 3 network. This determines the source IP address used to initiate IKE. If you select 0 or None, the default is the VLAN of the Branch Gateway's IP address.

NOTE: This field is not applicable if you have enabled Load balance.

Authentication method

Select one of the following authentication options:

  1. Click Show Advanced Options to view the parameters listed in the following table:

Table 2: IPsec Map Parameters

Parameter

Description

SA lifetime (seconds)

The specified value (in seconds) defines the lifetime of the IPsec security association. The default value is 7200 seconds. The allowed range is 300–86,400 seconds.

SA lifetime (kb)

The specified value (in kilobytes) defines the lifetime of the IPsec security association. The allowed range is 1000–1,000,000,000 kilobytes.

Trusted tunnel

Select the Trusted tunnel check box if the traffic between the networks is trusted. If you do not select this, then the traffic between the networks is untrusted.

Enforce NATT

Select the check box to enforce UDP (User Datagram Protocol) port 4500 for IKE and IPsec. This option is disabled by default.

Pre-connect

Select the Pre-connect check box to establish the VPN connection, even if there is no traffic being sent from the local network. If you do not select this, the VPN connection is established only when traffic is sent from the local network to the remote network.

IP compression

This option appears only if you selected v2 as IKE version. IKEv2 site-to-site VPNs between VPN Concentrators and Branch Gateways support traffic compression between those devices. Set IP compression to Enabled to enable compression for traffic in the site-to-site tunnel.

Enabling this feature reduces the size of data frames transmitted over a site-to-site VPN between 7200 Series or 7000 Series controllers using IKEv2 authentication. IP compression can reduce the time required to transmit the frame across the network. When this hardware-based compression feature is enabled, the quality of unencrypted traffic (such as Lync or Voice traffic) is not compromised by increased latency or decreased throughput. IP compression is disabled by default.

NOTE: This feature is only supported in an IPv4 network using IKEv2. This feature cannot be enabled on a 7205 controller or on a site-to-site VPN that is established using IKEv1.

Factory certificate authentication

Select the check box to enable the Factory certificate authentication.

NOTE: This option is applicable only if you selected v2 as IKE version.

Inbound Route ACL

Select the inbound route ACL (Access Control List) from the drop-down list.

NOTE: This option is applicable only if you selected v2 as IKE version.

PFS

If you enable PFS (Perfect Forward Secrecy) mode, new session keys are not derived from previously used session keys. Therefore, if a key is compromised, that compromised key does not affect any previous session keys. PFS mode is disabled by default. To enable this feature, click the PFS drop-down list and select one of the following PFS modes:

  • group1—768-bit Diffie–Hellman prime modulus group
  • group2—1024-bit Diffie–Hellman prime modulus group
  • group14—2048-bit Diffie–Hellman prime modulus group
  • group19—256-bit random Diffie–Hellman ECP modulus group
  • group20—384-bit random Diffie–Hellman ECP modulus group

Force tunnel mode

Select the check box to enforce tunnel mode. This option is disabled by default.
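The two behaviours Table 1 and Table 2 describe in prose, priority-ordered map matching and the value ranges of the advanced parameters, as an added example that is not Aruba Central code. The IpsecMap class, its field names and the findings text are constructed for illustration; the numeric ranges, the 7200-second default and the PFS group list come from the tables. It assumes that a lower priority number is a higher-priority map, which the page does not state.

```python
"""Priority-ordered IPsec map selection plus checks on the Table 1 and Table 2 values.
Added example, not Aruba Central code; IpsecMap and its field names are constructed.
Assumption: a lower priority number is a higher-priority map (the page does not say)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WEAK_PFS = {"group1", "group2"}  # the 768- and 1024-bit MODP groups in the PFS list

@dataclass
class IpsecMap:
    name: str
    priority: int
    src: str = "any"           # "any", a CIDR, or "vlan:<id>" (Source network type)
    dst: str = "any"           # "any" or a CIDR (Destination network type)
    ike_version: int = 2
    sa_lifetime_s: int = 7200  # page default
    sa_lifetime_kb: int = 0    # 0 = not set
    pfs: str = ""              # "" = PFS disabled, the page default
    enabled: bool = True

def check(m: IpsecMap) -> list:
    """Findings a reviewer would raise before saving the map."""
    f = []
    if not 300 <= m.sa_lifetime_s <= 86_400:
        f.append("SA lifetime (seconds) outside 300-86,400")
    if m.sa_lifetime_kb and not 1000 <= m.sa_lifetime_kb <= 1_000_000_000:
        f.append("SA lifetime (kb) outside 1000-1,000,000,000")
    if m.ike_version == 1:
        f.append("IKEv1: IP compression, factory certificates and route ACL need v2")
    if not m.pfs:
        f.append("PFS disabled: a compromised key exposes other session keys")
    elif m.pfs in WEAK_PFS:
        f.append(f"{m.pfs} is a <=1024-bit MODP group; prefer group14, group19 or group20")
    return f

def _match(selector: str, ip: str, vlan=None) -> bool:
    """One selector from the map: any, a VLAN ID, or an IP network."""
    if selector == "any":
        return True
    if selector.startswith("vlan:"):
        return vlan is not None and int(selector[5:]) == vlan
    return ip_address(ip) in ip_network(selector, strict=False)

def select_map(maps, src_ip, dst_ip, src_vlan=None):
    """Walk enabled maps from highest priority down; the first full match wins."""
    for m in sorted(maps, key=lambda x: x.priority):
        if m.enabled and _match(m.src, src_ip, src_vlan) and _match(m.dst, dst_ip):
            return m
    return None
```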

Enabling Dead Peer Detection

DPD (Dead Peer Detection) is a method used by network devices to detect the availability of peer devices. DPD is enabled by default on the Branch Gateway for site-to-site VPNs. DPD, as described in RFC (Request For Comments) 3706, uses IPsec traffic patterns to minimize the number of IKE messages required to determine the liveliness of an IKE peer.

Configuring Dead Peer Detection Parameters

To enable Dead Peer Detection, complete the following steps:

  1. In the Network Operations app, use the filter to select a group with branch gateways.
  2. Go to Manage > Devices > Gateways and click the configuration icon. The gateway configuration page is displayed.
  3. If you are in the Basic Mode, click Advanced Mode to access the advanced configuration options.
  4. Click VPN > DPD.
  5. Click the DPD toggle switch to enable or disable the feature.
  6. Enter the idle timeout, retry timeout, retry attempts, and Tunnel MTU (Maximum Transmission Unit) in the respective fields.
  7. Save the changes.
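How the idle timeout, retry timeout and retry attempts from step 6 interact in the traffic-based scheme of RFC 3706, as an added example that is not Aruba Central code. The simulate_dpd function, its timeline format and the timings are constructed; it assumes that retry attempts counts the retries after the initial R-U-THERE, and it does not model the Tunnel MTU field.

```python
"""Replay of RFC 3706 dead peer detection against a timeline of inbound IPsec traffic.
Added example, not Aruba Central code; the timeline format and timings are constructed.
Assumption: retry_attempts is the number of retries after the first R-U-THERE."""


def simulate_dpd(inbound, idle_timeout, retry_timeout, retry_attempts,
                 peer_down_at=None, horizon=120):
    """Walk time from 0 to horizon and report when, if ever, the peer is declared dead.

    inbound:       sorted times at which protected traffic arrived from the peer;
                   each arrival proves liveliness and restarts the idle timer,
                   so no IKE message is sent while traffic flows.
    peer_down_at:  time after which the peer stops answering R-U-THERE
                   (None = always answers).
    Returns (dead_at, probes): dead_at is None if the peer was never declared
    dead; probes lists the times an R-U-THERE was sent.
    """
    assert idle_timeout > 0 and retry_timeout > 0, "timers must be positive"
    last_proof, t, i, probes = 0, 0, 0, []
    while t < horizon:
        nxt = inbound[i] if i < len(inbound) else None
        if nxt is not None and nxt <= last_proof + idle_timeout:
            last_proof = t = nxt             # traffic seen: idle timer restarts
            i += 1
            continue
        t = last_proof + idle_timeout        # idle timer expired: probe the peer
        for _ in range(retry_attempts + 1):  # initial R-U-THERE plus retries
            probes.append(t)
            if peer_down_at is None or t < peer_down_at:
                last_proof = t               # R-U-THERE-ACK received
                break
            t += retry_timeout               # no ACK within retry timeout: retry
        else:
            return t, probes                 # every retry unanswered: peer is dead
    return None, probes
```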