Dell 6.2 Server User Manual
2. Enable authentication methods for IKEv2 clients:
(host)(config) #crypto isakmp eap-passthrough {eap-mschapv2|eap-peap|eap-tls}
3. Create address pools:
(host)(config) #ip local pool <pool> <start-ipaddr> <end-ipaddr>
4. Configure source NAT:
(host)(config) #ip access-list session srcnat user any any src-nat pool <pool> position 1
5. If you are configuring a VPN to support machine authentication using certificates, define server certificates for
VPN clients using IKEv2.
(host)(config) #crypto-local isakmp server-certificate <cert>
6. Define IKEv2 Policies:
(host)(config) #crypto isakmp policy <priority>
encryption {3des|aes128|aes192|aes256|des}
version v2
authentication {pre-share|rsa-sig|ecdsa-256|ecdsa-384}
group {1|2|19|20}
hash {md5|sha|sha1-96|sha2-256-128|sha2-384-192}
prf {PRF-HMAC-MD5|PRF-HMAC-SHA1|PRF-HMAC-SHA256|PRF-HMAC-SHA384}
lifetime <seconds>
7. Define IPsec tunnel parameters:
(host)(config) #crypto ipsec
mtu <max-mtu>
transform-set <transform-set-name> {esp-3des|esp-aes128|esp-aes128-gcm|esp-aes192|esp-aes256|esp-aes256-gcm|esp-des} {esp-md5-hmac|esp-null-mac|esp-sha-hmac}
Configuring a VPN for Smart Card Clients
This section describes how to configure a remote access VPN on the controller for Microsoft L2TP/IPsec clients
with smart cards. (A smart card contains a digital certificate which allows user-level authentication without the user
entering a username and password.) As described previously in this chapter, L2TP/IPsec requires two levels of
authentication: first, IKE SA (machine) authentication, and then user-level authentication with an IKEv2 or PPP-based
authentication protocol.
Microsoft clients running Windows 7 (or later versions) support both IKEv1 and IKEv2. Microsoft clients using
IKEv2 support machine authentication using RSA certificates (but not ECDSA certificates or pre-shared keys) and
smart card user-level authentication with EAP-TLS over IKEv2.
NOTE: Windows 7 clients without smart cards also support user password authentication using EAP-MSCHAPv2 or PEAP-MSCHAPv2.
Working with Smart Card clients using IKEv2
To configure a VPN for Windows 7 clients using smart cards and IKEv2, follow the procedure described in
"Configuring a VPN for L2TP/IPsec with IKEv2 in the WebUI" on page 279, and ensure that the following settings
are configured:
• L2TP is enabled.
• User Authentication is set to EAP-TLS.
• IKE version is set to V2.
• The IKE policy is configured for ECDSA or RSA certificate authentication.
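The listing below is an added worked example, not taken from the guide, that runs through CLI steps 2 to 7 above with concrete values chosen to satisfy the smart-card checklist in this section (EAP-TLS user authentication, IKE version 2, certificate-based IKE policy). The pool name vpn-smartcard-pool, the address range 10.20.30.10 to 10.20.30.200, the certificate name vpn-server-cert, the policy priority 10 and the transform-set name aes256-sha are assumed values; every keyword comes from the option sets listed in the steps. Lines beginning with "!" are explanatory comments, not commands.

```arubaos
! Added example: IKEv2 remote-access VPN for Windows smart-card clients.
! Names and numbers marked "assumed" are placeholders chosen for this illustration.

! Step 2: smart-card users authenticate with EAP-TLS over IKEv2 (the guide notes that
! EAP-MSCHAPv2 or PEAP-MSCHAPv2 could be enabled instead for password-only clients).
(host)(config) #crypto isakmp eap-passthrough eap-tls

! Step 3: address pool handed to connected clients (assumed name and range).
(host)(config) #ip local pool vpn-smartcard-pool 10.20.30.10 10.20.30.200

! Step 4: source-NAT client traffic leaving the tunnel, drawing from the same pool.
(host)(config) #ip access-list session srcnat user any any src-nat pool vpn-smartcard-pool position 1

! Step 5: server certificate presented to IKEv2 clients. It must be an RSA certificate,
! because the Microsoft IKEv2 client does not accept ECDSA certificates or pre-shared
! keys for machine authentication (vpn-server-cert is an assumed, already-installed cert).
(host)(config) #crypto-local isakmp server-certificate vpn-server-cert

! Step 6: IKEv2 policy (priority 10 assumed). AES-256, SHA-2 and DH group 19 are the
! strongest choices in the listed option sets; des/3des and md5 are listed for legacy
! peers only. The lifetime is given in seconds (8 hours here).
(host)(config) #crypto isakmp policy 10
encryption aes256
version v2
authentication rsa-sig
group 19
hash sha2-256-128
prf PRF-HMAC-SHA256
lifetime 28800

! Step 7: IPsec transform set for the tunnel (name assumed): ESP with AES-256 and
! SHA-1 HMAC integrity, chosen from the listed encryption and authentication keywords.
(host)(config) #crypto ipsec transform-set aes256-sha esp-aes256 esp-sha-hmac
```

If a client fails IKE negotiation with this policy, the first things to compare against the client's proposal are the DH group and the hash; group 2 is the fallback the guide also lists, at the cost of a weaker key exchange. The server certificate named in step 5 must already be installed on the controller and must chain to a CA the smart-card clients trust, otherwise machine authentication fails before EAP-TLS ever starts.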
Dell PowerConnect W-Series ArubaOS 6.2 | User Guide    Virtual Private Networks | 283