Configure Advanced Server Options

This task is part of the network policy configuration workflow. Use this task to configure the Advanced Server Options for a VPN service when you configure Router Settings.

  1. Go to Configure > Network Policies.
  2. Select an existing network policy, and then select Edit, or select Add.
  3. After you save the Policy Details, select 5 Branch Routing.
  4. From the Router Settings menu, select VPN Service.
  5. Select an existing Layer 2 IPsec VPN service and then select Edit, or select Add.
  6. In the Optional Settings section, expand Advanced Server Options.
  7. Configure the IKE Phase 1 Options.
    1. Set the Encryption Algorithm as 3DES (Triple DES, Data Encryption Standard), or AES (Advanced Encryption Standard) with a 128-bit key, a 192-bit key, or a 256-bit key.
    2. Set the Hash Algorithm as MD-5 (Message Digest, version 5) or SHA-1 (Secure Hash Algorithm).
    3. Set the Diffie-Hellman Group for generating a shared key during Phase 1 negotiations to 1, 2, or 5.
    4. Set the phase 1 SA (security association) Lifetime.

      Before the SA expires, the authentication and encryption keys are automatically refreshed with new ones. You can set the lifetime to any value from 180 seconds (3 minutes) to 10,000,000 seconds (a very long time).

  8. Configure the IKE Phase 2 Options.

    The options are the same as for Phase 1, except you can choose to not perform a Diffie-Hellman key exchange by selecting No PFS (Perfect Forward Secrecy).

  9. Select Enable peer IKE ID validation to enable VPN clients to validate the IKE ID that the VPN gateway sends them, and choose the type of IKE ID to use.
    When you create a server certificate, you have the option to define one or more of these subject alternative names: IP address, FQDN (fully qualified domain name), or user FQDN. You can use any of them as the IKE ID for the VPN gateway. You can also use the ASN.1 DN (Abstract Syntax Notation One Distinguished Name), which is created automatically by concatenating various values in the certificate, including the common name, the organizational units, and the email address.

    When you update the configured devices with a configuration that includes a VPN services profile that references this server certificate, ExtremeCloud IQ pushes the server certificate and the specified IKE ID type to the VPN gateway. At the same time, ExtremeCloud IQ also pushes the CA certificate, IKE ID type, and IKE ID string to all the VPN clients. In this way, the VPN clients are ready to authenticate the VPN server certificate and its IKE ID when the time comes to do so during IKE negotiations.

  10. Select SAVE, or continue configuring the VPN service.

Next, configure Optional Settings > Advanced Client Options; see Configure Advanced Client Options.
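The following is an added example, not ExtremeCloud IQ code, that lints a Phase 1 and Phase 2 selection made in steps 7 and 8 before you save: it flags the weaker choices the menus offer (3DES, MD-5, DH groups 1 and 2, No PFS) and checks the SA lifetime against the 180 to 10,000,000 second range quoted above. The class and function names, and the classification of which options count as weak, are assumptions of this example rather than anything in the product.

```python
# Added example (not ExtremeCloud IQ code): lint IKE Phase 1/2 choices before saving.
from dataclasses import dataclass
from typing import List, Optional

LIFETIME_MIN = 180          # lower bound quoted in the procedure (seconds)
LIFETIME_MAX = 10_000_000   # upper bound quoted in the procedure (seconds)

# Assumed hardening policy: options the menus offer that are generally considered weak.
WEAK_ENCRYPTION = {"3DES"}
WEAK_HASH = {"MD5"}
WEAK_DH_GROUPS = {1, 2}     # 768-bit and 1024-bit MODP groups


@dataclass
class IkePhase:
    encryption: str           # "3DES", "AES128", "AES192", or "AES256"
    hash_alg: str             # "MD-5" or "SHA-1" (hyphens are ignored)
    dh_group: Optional[int]   # 1, 2, or 5; None means "No PFS" (valid for Phase 2 only)
    lifetime: int             # SA lifetime in seconds


def check_phase(name: str, p: IkePhase, is_phase2: bool = False) -> List[str]:
    """Return the policy findings for one phase; an empty list means it passes."""
    findings = []
    enc = p.encryption.upper().replace("-", "")
    hsh = p.hash_alg.upper().replace("-", "")
    if enc in WEAK_ENCRYPTION:
        findings.append(f"{name}: {p.encryption} is deprecated; prefer AES with a 256-bit key")
    if hsh in WEAK_HASH:
        findings.append(f"{name}: {p.hash_alg} is a broken hash; choose SHA-1 instead")
    if p.dh_group is None:
        if is_phase2:
            findings.append(f"{name}: No PFS; a compromised Phase 1 key exposes Phase 2 keys")
        else:
            findings.append(f"{name}: Phase 1 requires a Diffie-Hellman group")
    elif p.dh_group in WEAK_DH_GROUPS:
        findings.append(f"{name}: DH group {p.dh_group} is weak; prefer group 5")
    if not LIFETIME_MIN <= p.lifetime <= LIFETIME_MAX:
        findings.append(f"{name}: lifetime {p.lifetime}s is outside {LIFETIME_MIN}-{LIFETIME_MAX}s")
    return findings


def check_vpn(phase1: IkePhase, phase2: IkePhase) -> List[str]:
    """Lint both phases of one VPN service; Phase 2 may legitimately select No PFS."""
    return check_phase("Phase 1", phase1) + check_phase("Phase 2", phase2, is_phase2=True)


if __name__ == "__main__":
    # Constructed sample selections: one weak, one hardened.
    weak = IkePhase("3DES", "MD-5", 1, 60)
    hardened = IkePhase("AES256", "SHA-1", 5, 28800)
    for finding in check_vpn(weak, IkePhase("AES128", "SHA-1", None, 3600)):
        print(finding)
    print("hardened:", check_vpn(hardened, hardened) or "ok")
```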