| Setting | Description |
|---|---|
| Name | Type a name for the service. |
| Description | (Optional) Type a description. Although optional, descriptions can be helpful when you are troubleshooting your network. |
| Device VPN Server and Device VPN Client Settings | |
| Single Device VPN Server | Select Single Device VPN Server if you are not implementing redundant VPN servers. |
| Redundant Device VPN Servers | Select Redundant Device VPN Servers to configure a
redundant VPN server. Configure the settings for Device VPN Server 1 and Device VPN Server 2. |
| Device VPN Server | Select an AP with Layer 2 IPsec VPN services enabled. |
| Server Public IP Address | Auto-populated based on the selected VPN server settings. To change this setting, type the IP address of a VPN server that VPN clients can reach across the network. Note:
If the VPN server is behind a NAT device, enter the address of the MIP address on the NAT device. If there is no NAT device in front of the VPN server, enter the mgt0 IP address of the server. |
| Server MGT0 IP Address | Auto-populated and read-only. |
| Server MGT0 Default Gateway | Auto-populated and read-only. |
| Client Tunnel IP Address Pool Start | Type the first IP address of the range of addresses that the VPN
server assigns to tunnel interfaces on VPN clients during the Xauth
phase of tunnel setup. As a best practice, put this address pool in the same subnet as the VPN server mgt0 interface, and the same subnet as the addresses that the DHCP server assigns to wireless clients through the tunnel. If the tunnel interfaces are in a different subnet, you must define a route the VPN server default gateway router uses to forward traffic destined for the tunnel interface, and traffic destined for the wireless clients to the VPN server mgt0 interface. |
| Client Tunnel IP Address Pool End | Type the IP address at the end of the range of IP addresses in the address pool. |
| Client Tunnel IP Address Pool Netmask | Type the netmask that defines the subnet to which the tunnel interfaces belong. |
| Device VPN Client DNS Server | Select the DNS server IP address or host name object that VPN
clients use to resolve domain names, or select  to define a new one. |
| User Profiles for
Traffic Management ExtremeCloud IQ displays a list of available user profiles, for which traffic can be forwarded through the Layer 2 IPsec VPN tunnel or forwarded without tunneling. |
|
| VPN Tunnel Mode | In the VPN Tunnel Mode column, select Enable to enable VPN clients to tunnel traffic for specific user profiles. |
| Tunnel All Traffic | To tunnel all client traffic, select Tunnel All Traffic. |
| Split Tunnel | To enable split mode tunneling, select Split Tunnel. |