Dell 6.2 Server User Manual
278 | Virtual Private Networks Dell PowerConnect W-Series ArubaOS 6.2 | User Guide
• ECDSA-384 (for clients using certificates)
7. Diffie-Hellman is a key agreement algorithm that allows two parties to agree upon a shared secret, and is used
within IKE to securely establish session keys. To set the Diffie Hellman Group for the ISAKMP policy, click the
Diffie Hellman Group drop-down list and select one of the following groups:
• Group 1: 768-bit Diffie Hellman prime modulus group.
• Group 2: 1024-bit Diffie Hellman prime modulus group.
• Group 19: 256-bit random Diffie Hellman ECP modulus group.
• Group 20: 384-bit random Diffie Hellman ECP modulus group.
8. Set the Security Association Lifetime to define the lifetime of the security association, in seconds. The default
value is 7200 seconds. To change this value, uncheck the default checkbox and enter a value from 300 to 86400
seconds.
9. Click Done to activate the changes and return to the previous window.
Setting the IPsec Dynamic Map
Dynamic maps enable IPsec SA negotiations from dynamically addressed IPsec peers. ArubaOS has a predefined
IPsec dynamic map for IKEv1. If you do not want to use this predefined map, you can use the procedures below to
edit an existing map or create your own custom IPsec dynamic map instead.
1. Scroll down to the IPsec Dynamic Map section of the IPSEC tab, then click Edit by a map name to edit an
existing map or click Add to create a new map.
2. In the Name field, enter a name for the dynamic map.
3. In the Priority field, enter a priority number for the map. Negotiation requests for security associations try to
match the highest-priority map first. If that map does not match, the negotiation request continues down the
list to the next-highest priority map until a match is made.
4. Click the Version drop-down list and select V1 to create an IPsec map for remote peers using IKEv1.
5. (Optional) Configure Perfect Forward Secrecy (PFS) settings for the dynamic peer by assigning a Diffie-Hellman
prime modulus group. PFS provides an additional level of security by ensuring that the IPsec SA key was not
derived from any other key, and therefore cannot be compromised if another key is broken. Click the Set PFS
drop-down list and select one of the following groups:
• Group 1: 768-bit Diffie Hellman prime modulus group.
• Group 2: 1024-bit Diffie Hellman prime modulus group.
• Group 19: 256-bit random Diffie Hellman ECP modulus group.
• Group 20: 384-bit random Diffie Hellman ECP modulus group.
6. Select the transform set for the map to define a specific encryption and authentication type used by the dynamic
peer. Click the Transform Set drop-down list, and select the transform set for the dynamic peer.
NOTE: To view current configuration settings for an IPsec transform-set, access the command-line interface and issue the command
crypto ipsec transform-set tag <transform-set-name>.
7. Set the Security Association Lifetime to define the lifetime of the security association for the dynamic peer, in
seconds. The default value is 7200 seconds. To change this value, uncheck the default checkbox and enter a value
from 300 to 86400 seconds.
8. Click Done to return to the previous window.
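As an added example (not code from the guide or from Dell/Aruba), the following audit checks the dynamic-map settings entered in the steps above before they are applied: the SA lifetime bounds of 300 to 86400 seconds, whether Set PFS was left unset and which group was chosen, a missing transform set, and duplicate priorities. The field names, the sample maps and the judgment that Groups 1 and 2 (768-bit and 1024-bit MODP) are weak are the editor's assumptions, not statements from the guide.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Diffie-Hellman groups offered by the WebUI, as listed in steps 5 and 7 above.
DH_GROUPS = {1: ("MODP", 768), 2: ("MODP", 1024), 19: ("ECP", 256), 20: ("ECP", 384)}
WEAK_DH_GROUPS = {1, 2}  # editor's assessment: 768/1024-bit MODP is below current recommendations
SA_LIFETIME_MIN, SA_LIFETIME_MAX, SA_LIFETIME_DEFAULT = 300, 86400, 7200


@dataclass
class DynamicMap:
    """One IPsec dynamic map as entered in the WebUI (field names assumed)."""
    name: str
    priority: int
    version: str = "V1"
    pfs_group: Optional[int] = None  # None means "Set PFS" was left unset
    transform_set: str = ""
    sa_lifetime: int = SA_LIFETIME_DEFAULT


def audit_dynamic_map(m: DynamicMap) -> List[str]:
    """Return findings for one map; an empty list means it passes every check."""
    findings = []
    if not (SA_LIFETIME_MIN <= m.sa_lifetime <= SA_LIFETIME_MAX):
        findings.append(f"{m.name}: SA lifetime {m.sa_lifetime}s outside "
                        f"{SA_LIFETIME_MIN}-{SA_LIFETIME_MAX}s")
    if m.pfs_group is None:
        findings.append(f"{m.name}: PFS not set; IPsec SA key may be derived from other keying material")
    elif m.pfs_group not in DH_GROUPS:
        findings.append(f"{m.name}: unknown DH group {m.pfs_group}")
    elif m.pfs_group in WEAK_DH_GROUPS:
        kind, bits = DH_GROUPS[m.pfs_group]
        findings.append(f"{m.name}: PFS group {m.pfs_group} ({bits}-bit {kind}) is weak; prefer group 19 or 20")
    if not m.transform_set:
        findings.append(f"{m.name}: no transform set selected")
    return findings


def audit_all(maps: List[DynamicMap]) -> List[str]:
    """Audit every map and flag duplicate priorities, which leave the
    highest-priority-first matching of step 3 without a defined order."""
    findings: List[str] = []
    seen: Dict[int, str] = {}
    for m in maps:
        findings.extend(audit_dynamic_map(m))
        if m.priority in seen:
            findings.append(f"{m.name}: priority {m.priority} duplicates map {seen[m.priority]}")
        seen.setdefault(m.priority, m.name)
    return findings
```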
Finalizing WebUI changes
When you have finished configuring your IPsec VPN settings, click Apply to apply the new settings before
navigating to other pages.