VPN Service Settings

Configure a VPN service configuration object.

About VPN Service Settings

Layer 3 IPsec VPNs tunnel traffic between Extreme Networks routers and one or two VPN gateways. Each router functions as a VPN initiator and does a route lookup to determine whether to send traffic from hosts in its sub-network through an IPsec tunnel to destinations in different subnets on the other side of the Layer 3 VPN gateway, which functions as a VPN terminator. When using a hub-and-spoke design, the destination might lie on the other side of a second tunnel that connects the Layer 3 VPN gateway to another router at a different remote site. ExtremeCloud IQ applies Layer 3 IPsec VPNs to routers and Layer 3 VPN gateways through a network policy that has routing enabled.

Basic VPN Service Settings

You can create a Layer 3 IPsec VPN services profile that makes use of all the default settings, choose the VPN gateway and define its external IP address, and configure the default routing policy and any policy exceptions.

To define a new VPN service, enter the following:

Name: Enter a name for the VPN service.

Description: Enter an optional note about the service for future reference. The description can contain up to 64 characters, including spaces.

Extreme VPN Gateway: Select to use an Extreme Networks device as a VPN gateway.

Number of branches to be created: Enter the number of branch sites from 1 to 1000 that you expect will build tunnels to the VPN gateway. Be sure to include potential future sites to ensure that ExtremeCloud IQ will generate enough server-client credentials for all of them. The maximum number of VPN gateways supported is 20.

Standardized VPN Gateway: Select to use a third-party VPN gateway.

Select Vendor: Select Cisco.

External IP Address: Enter the IP address of the third-party VPN gateway.

Continue with "Advanced Server Options".

Extreme VPN Gateway Settings

(Extreme Networks VPN gateway only): Select Add and choose a VGVA from the VPN Gateway drop-down list. The VGVAs that appear in this list have been added to the VHM as Layer 3 VPN gateways. You can configure a VGVA as a Layer 3 VPN gateway in Manage > Devices > vgva_name > Device Configuration or on Configuration > Devices > VPN Gateways. (For Help, see "Device Settings".)

External IP Address: Enter the IP address that routers (VPN initiators) must use as the termination point of their VPN tunnels. If the VPN gateway is behind a firewall using NAT, enter the public IP address on the firewall that maps incoming IKE and NAT-Traversal traffic to the WAN IP address on the VPN gateway inside the firewall. If the WAN interface has a public IP address and there is no NAT device between it and the public WAN, enter the WAN interface IP address for VPN gateway.

  • If the external IP address is the same as that of its WAN interface, the VPN gateway automatically performs NAT on traffic that it receives through tunnels before routing it to websites on the Internet, translating the source IP address to that of its WAN interface. If the external IP address is different from that of the WAN interface, it does not perform NAT on outbound traffic to websites. When the WAN interface and external IP address are different, there should be another device such as a firewall that will do the address translation before routing the traffic to the Internet.

Priority: Define the VPN gateway as either the Primary or Backup VPN gateway to which routers will build IPsec VPN tunnels.

After you apply a VPN gateway, ExtremeCloud IQ automatically displays its WAN and LAN IP addresses and whether the VPN gateway uses dynamic routing protocols to learn routes from routing peers on its local network.

To add a second VPN gateway, select Add again and repeat the previous step, choosing a different priority from the first gateway.

Continue with "Optional Settings".

Optional Settings

You can modify the settings in the following sections to customize the VPN service configuration.

Extreme IPsec VPN Certificate Authority Settings

(Extreme Networks VPN gateway only): Between IKE Phase 1 and Phase 2, Extreme Networks VPN gateways and routers use Xauth to authenticate each other. The VPN gateway uses PEM-formatted certificates to authenticate to the routers and the routers use a password to authenticate to the gateways.

ExtremeCloud IQ provides a set of default certificates you can use, or you can import others by selecting the Import icon in Configure > Common Objects > Certificate > Certificate Management.

To use the default certificate objects, select the following:

VPN Certificate Authority: Default_CA.pem

VPN Server Certificate: Default-Server_cert.pem

VPN Server Cert Private Key: Default-Server_key.pem

ExtremeCloud IQ distributes the certificates as follows:

VPN Certificate Authority: The CA certificate is loaded on the routers so that they can validate the server certificate that the VPN gateway presents. From the drop-down list, choose the CA certificate used to sign the VPN Server Certificate. The default CA certificate is Default_CA.pem. If you do not have a CA certificate that you want to use, you can import one from your management system. (See the "Certificate Import Options" section below for information.)

VPN Server Certificate: The server certificate is loaded on the VPN gateway, which uses it during IKE phase 1 negotiations to authenticate itself to routers. From the drop-down list, choose a server certificate that was signed by the specified CA certificate. The default VPN server certificate is Default-Server_cert.pem. If you do not have a server certificate that you want to use, you can import one from your management system. See "Certificate Import Options".

VPN Server Cert Private Key: Choose the private key that accompanies the public key in the server certificate. This key is loaded on the VPN gateway. If it is not in the list, import it as you did the server certificate. The default private key is Default-Server_key.pem.

Certificate Import Options

(Extreme Networks VPN gateway only): To use certificates imported in PFX or DER formats, you must first reformat them as PEM files.

To import a PFX-formatted file, which contains a certificate and private key combined, and convert the format from PFX to PEM, do the following:

  1. Navigate to Configure > Common Objects > Certificate > Certificate Management, choose Select, and navigate to and select the .pfx file on your local system.
  2. Select Convert the certificate format from PFX to PEM.
  3. Enter the password that was used to encrypt the PFX file.
  4. Select Save.
  • When you choose the VPN Server Certificate and VPN Server Cert Private Key, make sure that they correspond to each other.

To import a pair of DER-formatted files, one containing a certificate and the other its accompanying private key, and convert their format from DER to PEM, do the following:

  1. Navigate to Configure > Common Objects > Certificate > Certificate Management, choose Select, navigate to and choose the .der file on your local system.
  2. Select Convert the certificate format from DER to PEM.
  3. Select the type of file you are importing; in this case, Certificate.
  4. Select Save.
  5. To import the private key file matching the public key in the certificate you just imported, repeat steps 1 through 3 but select Key for the file type.
  6. When importing a DER-formatted private key, enter the password used to encrypt the file.
  7. Select Save.
  • When you choose the VPN Server Certificate and VPN Server Cert Private Key, make sure that they correspond to each other.

Extreme Server-Client Credentials

(Extreme Networks VPN gateway only): ExtremeCloud IQ populates this table with randomly generated text strings that routers use like passwords to identify themselves to the VPN gateway during the Xauth stage between IKE phase 1 and 2 negotiations.

  • ExtremeCloud IQ generates the Xauth credentials for Layer 3 IPsec VPN tunnels and allocates them to routers when you upload the configuration to them, not before.

Advanced Server Options

You can change the IKE phase 1 and phase 2 options in this section.

IKE Phase 1 Options

Authentication:

Extreme Networks VPN gateway: Set peer authentication to hybrid mode. In hybrid mode, the VPN gateway authenticates itself to the router with an RSA signature and the router authenticates itself to the VPN gateway through Xauth.
or
Third-party VPN gateway: Set the authentication to PSK (pre-shared key).

Password (third-party VPN gateway only): Enter the PSK password for the VPN gateway.

Encryption Algorithm: Set the encryption algorithm as 3DES (Triple DES, Data Encryption Standard), or AES (Advanced Encryption Standard) with a 128-bit key, a 192-bit key, or a 256-bit key. The default is AES-256.

Hash Algorithm: Set the IKE hash algorithm as MD5 (Message Digest 5) or SHA-1 (Secure Hash Algorithm 1). The default is SHA-1.

Diffie-Hellman Group: Set the Diffie-Hellman group for generating a shared key during phase 1 negotiations. You can choose group 1, 2, or 5. The default is Diffie-Hellman group 2.

Lifetime: Set the phase 1 SA (security association) lifetime. Before the SA expires, the authentication and encryption keys automatically refresh with new ones. The default SA expiration lifetime for IKE phase 1 is 86400 seconds (24 hours). You can set it to a different value from 180 seconds (3 minutes) to 10000000 seconds (about 116 days).

IKE ID (third-party VPN gateway only): Enter the IKE Phase 1 ID.

IKE Phase 2 Options

Encryption Algorithm: Set the encryption algorithm as 3DES, or AES with a 128-bit key, a 192-bit key, or a 256-bit key. The default is AES-256.

Hash Algorithm: Set the IKE hash algorithm as MD5 or SHA-1. The default is SHA-1.

Diffie-Hellman Group: Set the Diffie-Hellman group for generating a shared key during phase 2 negotiations. You can choose group 1, 2, or 5. You can also choose not to perform a second Diffie-Hellman key exchange during phase 2 negotiations (that is, no perfect forward secrecy for the phase 2 keys). The default is Diffie-Hellman group 2.

Lifetime: Set the phase 2 SA lifetime. Before the SA expires, the authentication and encryption keys are automatically refreshed with new ones. The default SA expiration lifetime for IKE phase 2 is 3600 seconds (1 hour). You can set it to a different value from 180 seconds (3 minutes) to 10000000 seconds (about 116 days).

Enable peer IKE ID validation (Extreme Networks VPN gateway only): Select to enable routers to validate the IKE ID that the VPN gateway sends them. Then choose the type of IKE ID to use: ASN.1 DN, IP address, FQDN, or User FQDN. When you create a server certificate, you can define one or more of these subject alternative names: IP address, FQDN (fully qualified domain name), user FQDN. You can use any of them as the IKE ID for the VPN gateway. You can also use the ASN.1 DN (Abstract Syntax Notation One Distinguished Name), which is automatically created by concatenating various values in the certificate such as the common name, the organizational units, and the email address.

When you update managed devices with a configuration that includes a VPN service profile that references this server certificate, ExtremeCloud IQ pushes the server certificate and the specified IKE ID type to the VPN gateway. At the same time, ExtremeCloud IQ pushes the CA certificate, IKE ID type, and IKE ID string to the routers so they are ready to authenticate the VPN server certificate and IKE ID during IKE negotiations.

Advanced Client Options

You can make modifications for routers (Layer 3 IPsec VPN clients) in this section.

Client IKE Settings

Enable NAT Traversal: Select to enable VPN traffic to traverse NAT (network address translation) devices encountered along its data path. Clear the check box to disable this ability. NAT traversal is enabled by default.

Extreme DPD (Dead Peer Detection) Settings

(Extreme Networks VPN gateway only): DPD and tunnel heartbeat settings control when to fail over from the primary to the secondary VPN server. DPD messages verify the presence of an IKE peer and AMRP (Advanced Mobility Routing Protocol) tunnel heartbeats verify communications through the VPN tunnel. The failure of either mechanism can trigger a failover.

  • The default DPD failover time is about 16 seconds. The default AMRP heartbeat failover time is about 21 seconds.

Heartbeat Interval: Set the interval for sending DPD R-U-There heartbeat messages from the router to the VPN gateway. By default, a router sends an R-U-There message every 10 seconds as long as it continues receiving replies. If it does not receive a reply, it then sends R-U-There messages at the retry interval (default: 3 seconds). You can change the heartbeat interval from 0 (to disable it) to 65535 seconds (roughly 18 hours).

Number of Retries: Set the number of times to retry sending a DPD R-U-There message when it does not elicit a response. By default, a device tries resending an R-U-There message up to 5 times. You can change this from 1 to 65535 times.

Retry Interval: Set an accelerated interval between DPD R-U-There retry attempts. The router uses this interval after an R-U-There message does not elicit a response from the VPN gateway. By default, a device retries every 3 seconds. You can change the interval from 1 to 60 seconds.

Third-Party VPN Gateway VPN Access List

(Third-party VPN gateway only): Select Add to add or modify a VPN access list. Enter the required source and destination networks in the respective VPN access list text boxes.

When you are finished with changes, select Save.