For Layer 2 IPsec VPN tunnels, all management servers (CAPWAP, Syslog, SNMP, NTP,
RADIUS, Active Directory, and LDAP) should be reachable from the VPN client without
tunneling by default. However, you might want to tunnel some or all management
traffic from the VPN client to servers on the main network.
- Go to .
- Select an existing VPN service, and then select , or select .
- In the Optional Settings section, expand Advanced Client Options.
- For Management Tunnel Traffic Options:
  Note: Set the following options only when the servers are in a different subnet from that of the tunnel interface. When they are in the same subnet, tunneling is automatic. In addition, the IP address/host name objects for the following servers must have IP address definitions as opposed to host name definitions.
  - Select ExtremeCloud IQ (CAPWAP) to tunnel all CAPWAP (Control and Provisioning of Wireless Access Points) traffic from VPN clients to ExtremeCloud IQ, which is a CAPWAP server.
  - Select Syslog to send log entries to a syslog server through the VPN tunnel.
  - Select SNMP Traps to send all SNMP traps through the VPN tunnel to an SNMP management system.
  - Select NTP to tunnel all NTP traffic from VPN clients to an NTP server.
  - Select RADIUS to tunnel all RADIUS traffic from VPN clients to a RADIUS authentication server.
  - Select Active Directory to tunnel all traffic from an Extreme Networks RADIUS authentication server to an Active Directory server.
  - Select LDAP to tunnel all traffic from a RADIUS authentication server to an LDAP server.
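The note above imposes two conditions on the server objects behind these options: an option is needed only when the server sits outside the tunnel interface subnet, and the object must carry an IP address rather than a host name. The following script is an added example, not ExtremeCloud IQ code or output: it applies both conditions to a constructed list of management server objects and reports which options need selecting and which objects must be redefined first. The tunnel subnet, server names and addresses are constructed sample values.

```python
"""Pre-check for the Management Tunnel Traffic Options note.

Added example, not ExtremeCloud IQ code: it applies the two conditions stated
in the note to a list of management server objects before the options are set.
  hostname  -> object is defined by host name; the note requires an IP address
  automatic -> same subnet as the tunnel interface; tunneled without an option
  tunnel    -> different subnet; the matching option must be selected
"""
import ipaddress

# Constructed sample values (not from the documentation); substitute your own.
TUNNEL_SUBNET = "10.50.0.0/24"
MANAGEMENT_SERVERS = {
    "CAPWAP (ExtremeCloud IQ)": "203.0.113.10",
    "Syslog": "10.50.0.20",
    "SNMP Traps": "10.10.5.5",
    "NTP": "ntp.example.internal",
    "RADIUS": "10.10.5.6",
    "Active Directory": "10.10.5.7",
    "LDAP": "10.10.5.8",
}


def classify_server(definition: str, tunnel_subnet: str) -> str:
    """Classify one server object against the tunnel interface subnet."""
    subnet = ipaddress.ip_network(tunnel_subnet, strict=False)
    try:
        address = ipaddress.ip_address(definition)
    except ValueError:
        # Not a literal IPv4/IPv6 address, so it is a host name definition.
        return "hostname"
    # `in` is False for a mixed IPv4/IPv6 pair, which then also needs the option.
    return "automatic" if address in subnet else "tunnel"


def check_management_servers(servers: dict, tunnel_subnet: str) -> dict:
    """Map every server object name to its classification."""
    return {name: classify_server(defn, tunnel_subnet) for name, defn in servers.items()}


def options_to_select(servers: dict, tunnel_subnet: str) -> list:
    """Options that must be selected because the server is in another subnet."""
    results = check_management_servers(servers, tunnel_subnet)
    return sorted(name for name, result in results.items() if result == "tunnel")


def invalid_definitions(servers: dict, tunnel_subnet: str) -> list:
    """Server objects that must be changed to an IP address definition first."""
    results = check_management_servers(servers, tunnel_subnet)
    return sorted(name for name, result in results.items() if result == "hostname")


if __name__ == "__main__":
    for name, result in check_management_servers(MANAGEMENT_SERVERS, TUNNEL_SUBNET).items():
        print(f"{name:26} {MANAGEMENT_SERVERS[name]:22} -> {result}")
    print("select:", options_to_select(MANAGEMENT_SERVERS, TUNNEL_SUBNET))
    print("fix first:", invalid_definitions(MANAGEMENT_SERVERS, TUNNEL_SUBNET))
```

With the constructed values, Syslog is in the tunnel subnet and needs no option, NTP is a host name definition and must be redefined as an address before its option can work, and the remaining five servers are in other subnets and require their options to be selected.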
- Select Enable NAT Traversal to enable VPN traffic to traverse NAT devices.
- Configure the DPD (Dead Peer Detection) Settings.
  The DPD and tunnel heartbeat settings control when to fail over from the primary to the secondary VPN server. The DPD messages verify the presence of an IKE peer, and AMRP (Advanced Mobility Routing Protocol) tunnel heartbeats verify communications through the GRE and VPN tunnel. The failure of either mechanism can trigger a failover.
  - Set the Heartbeat Interval for sending DPD R-U-There heartbeat messages from the VPN client to the VPN gateway.
  - Set the number of times to retry sending a DPD R-U-There message when it does not elicit a response.
  - Set the amount of time between retries.
- For Tunnel Heartbeat Settings:
  - Set the Interval for sending AMRP heartbeats through the GRE and VPN tunnel from the VPN client to the VPN server.
  - Set the number of times to Retry sending a heartbeat if the VPN server fails to respond.
    After a heartbeat fails to elicit a response from the VPN server, the VPN client retries every second.
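The DPD and tunnel heartbeat settings above are three knobs per mechanism (probe interval, retry count, retry spacing), and the two mechanisms race: whichever declares the peer dead first triggers the failover. The model below is an added example, not ExtremeCloud IQ code, that shows how those knobs combine into a detection time. It treats each mechanism as a probe loop and assumes, as a simplification, that a probe is known to have gone unanswered when the next attempt is due. The settings values and the time at which the peer stops answering are constructed; the documentation gives no defaults, apart from the one-second retry spacing for tunnel heartbeats.

```python
"""Failover timing model for the DPD and tunnel heartbeat settings.

Added example, not ExtremeCloud IQ code. Each mechanism is a probe loop: probes
go out every `interval` seconds while the peer answers; an unanswered probe is
followed by `retries` further attempts spaced `retry_interval` seconds apart,
and the peer is declared dead when the last of those also goes unanswered.
Either mechanism failing triggers failover, so the earlier detection wins.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ProbeSettings:
    interval: float        # seconds between probes while the peer responds
    retries: int           # additional attempts after the first unanswered probe
    retry_interval: float  # seconds between those attempts


def detection_time(settings: ProbeSettings, peer_dead_at: float,
                   horizon: float = 3600.0) -> Optional[float]:
    """Time at which the peer is declared dead, or None if not within `horizon`.

    Simplification (an assumption of this model): the response timeout equals
    the retry interval, so a probe is known to have failed when the next attempt
    is due. A probe sent at time t is answered only if t < peer_dead_at.
    """
    t = 0.0
    unanswered = 0
    while t <= horizon:
        if t < peer_dead_at:
            unanswered = 0          # peer answered: back to the normal interval
            t += settings.interval
            continue
        unanswered += 1             # the first probe and each retry count here
        if unanswered > settings.retries:
            return t                # first probe and all retries went unanswered
        t += settings.retry_interval
    return None


def worst_case_latency(settings: ProbeSettings) -> float:
    """Longest gap between the peer dying and being declared dead.

    Worst case is the peer dying just after answering a probe: a full interval
    passes before the first unanswered probe, then every retry is spent.
    """
    return settings.interval + settings.retries * settings.retry_interval


def first_failover(dpd: ProbeSettings, tunnel_heartbeat: ProbeSettings,
                   peer_dead_at: float) -> Optional[tuple]:
    """Which mechanism detects the dead peer first, and when."""
    candidates = [
        ("dpd", detection_time(dpd, peer_dead_at)),
        ("tunnel_heartbeat", detection_time(tunnel_heartbeat, peer_dead_at)),
    ]
    detected = [(name, t) for name, t in candidates if t is not None]
    if not detected:
        return None
    return min(detected, key=lambda item: item[1])


# Constructed settings for illustration; the documentation gives no defaults.
DPD = ProbeSettings(interval=10.0, retries=3, retry_interval=3.0)
# The page states that the client retries a tunnel heartbeat every second.
TUNNEL_HEARTBEAT = ProbeSettings(interval=5.0, retries=5, retry_interval=1.0)

if __name__ == "__main__":
    died = 25.0   # constructed: the VPN server stops answering at t = 25 s
    print("DPD declares dead at", detection_time(DPD, died))
    print("AMRP heartbeat declares dead at", detection_time(TUNNEL_HEARTBEAT, died))
    print("failover triggered by", first_failover(DPD, TUNNEL_HEARTBEAT, died))
    print("worst-case DPD latency", worst_case_latency(DPD))
```

With these constructed settings the tunnel heartbeat declares the peer dead at 30 s and DPD at 39 s, so the AMRP heartbeat is what triggers the failover; shortening either probe interval or the retry spacing lowers the worst-case latency, at the cost of more probe traffic and a higher chance of failing over on a transient loss.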
- Select SAVE.