Dell 6.2 Server User Manual


 
272 | Virtual Private Networks | Dell PowerConnect W-Series ArubaOS 6.2 | User Guide
NOTE: A server-derived role, if present, takes precedence over the default user role.
You then specify the default user role and authentication server group in the VPN authentication default profile, as
described in the following sections.
Selecting an IKE protocol
Controllers running ArubaOS version 6.1 and later support both IKEv1 and the newer IKEv2 protocol to establish
IPsec tunnels. IKEv2 is a simpler, faster, and more reliable protocol than IKEv1, though both IKEv1 and IKEv2
support the same Suite-B cryptographic algorithms.
If your IKE policy uses IKEv2, you should be aware of the following caveats when you configure your VPN:
• ArubaOS does not support separate pre-shared keys for both directions of an exchange; the same pre-shared key
must be used by both peers. ArubaOS does not support mixed authentication with both pre-shared keys and
certificates; each authentication exchange requires a single authentication type. (For example, if a client
authenticates with a pre-shared key, the controller must also authenticate with a pre-shared key.)
• ArubaOS does not support IKEv2 mobility (MOBIKE), Authentication Headers (AH) or IP Payload
Compression Protocol (IPComp).
Understanding Suite-B Encryption Licensing
Dell controllers support Suite-B cryptographic algorithms when the Advanced Cryptography (ACR) license is
installed. Table 73 describes the Suite-B algorithms supported by ArubaOS IKE Policies and IPsec tunnels. For
further details on configuring a VPN to use Suite-B algorithms, see "Configuring a VPN for L2TP/IPsec with IKEv2
in the WebUI" on page 279.
Table 73: Suite-B Algorithms Supported by the ACR License

| IKE Policies | Suite-B for IPsec tunnels |
|---|---|
| Hash: SHA-256-128, SHA-384-192 | Encryption: AES-128-GCM, AES-256-GCM |
| Diffie-Hellman (DH) Groups: ECP-256, ECP-384 | Perfect Forward Secrecy (PFS): ECP-256, ECP-384 |
| Pseudo-Random Function (PRF): HMAC_SHA_256, HMAC_SHA_384 | |
| Suite-B certificates: ECDSA-256, ECDSA-384 | |
NOTE: IKE Suite-B AES-128-GCM and AES-256-GCM encryption is supported by the ArubaOS hardware. IKE Suite-B Diffie-Hellman
and Certificate-based signature operations and hash, PFS, and PRF algorithm functions are performed by the ArubaOS software.
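An added example (not from the Dell/ArubaOS guide): a pre-deployment check that applies the IKEv2 caveats above and Table 73 to a planned VPN. The plan schema, field names, and `key_id` labels are hypothetical and are not ArubaOS syntax; the mixed-strength check goes beyond the page and reflects the two Suite B security levels (128-bit and 192-bit).

```python
# Added example; the plan schema is hypothetical, not ArubaOS CLI syntax.
# Algorithm names are copied from Table 73; the number is the Suite B
# security level (128-bit or 192-bit) each algorithm belongs to.
SUITE_B = {
    "hash": {"SHA-256-128": 128, "SHA-384-192": 192},
    "dh_group": {"ECP-256": 128, "ECP-384": 192},
    "prf": {"HMAC_SHA_256": 128, "HMAC_SHA_384": 192},
    "certificate": {"ECDSA-256": 128, "ECDSA-384": 192},
    "esp_encryption": {"AES-128-GCM": 128, "AES-256-GCM": 192},
    "pfs": {"ECP-256": 128, "ECP-384": 192},
}
UNSUPPORTED_WITH_IKEV2 = {"MOBIKE", "AH", "IPComp"}

def audit_vpn_plan(plan):
    """Return findings ("code: message") for a planned VPN; empty list = OK."""
    findings = []
    if plan.get("ike_version") == 2:
        local, peer = plan["local_auth"], plan["peer_auth"]
        if local["type"] != peer["type"]:
            findings.append("mixed-auth: both peers must use one authentication type")
        elif local["type"] == "psk" and local.get("key_id") != peer.get("key_id"):
            findings.append("asymmetric-psk: both directions must use the same key")
        for feature in sorted(UNSUPPORTED_WITH_IKEV2 & set(plan.get("features", []))):
            findings.append(f"unsupported-feature: {feature} is not supported")
    # Collect the security level of every Suite-B algorithm the plan selects.
    tiers = {t[plan[f]] for f, t in SUITE_B.items() if plan.get(f) in t}
    if tiers and not plan.get("acr_license"):
        findings.append("no-acr-license: Suite-B algorithms need the ACR license")
    if len(tiers) > 1:
        findings.append("mixed-strength: plan mixes 128-bit and 192-bit algorithms")
    return findings

# Constructed sample plans (not taken from any real deployment).
PLAN_BAD = {
    "ike_version": 2, "acr_license": False, "features": ["MOBIKE"],
    "local_auth": {"type": "psk", "key_id": "psk-site-a"},
    "peer_auth": {"type": "cert"},
    "dh_group": "ECP-256", "esp_encryption": "AES-256-GCM",
}
PLAN_GOOD = {
    "ike_version": 2, "acr_license": True, "features": [],
    "local_auth": {"type": "cert"}, "peer_auth": {"type": "cert"},
    "hash": "SHA-384-192", "dh_group": "ECP-384", "prf": "HMAC_SHA_384",
    "certificate": "ECDSA-384", "esp_encryption": "AES-256-GCM", "pfs": "ECP-384",
}

if __name__ == "__main__":
    for name, plan in (("bad", PLAN_BAD), ("good", PLAN_GOOD)):
        print(name, audit_vpn_plan(plan))
```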
The following VPN clients support Suite-B algorithms when establishing an L2TP/IPsec VPN.