
VPN Service


Enable VPN service and add VPN service configuration objects.

Navigation

Navigate using the tab icons. Hover over an icon to see the name of the tab.

Configure > Network Policies > policy_name > Router Settings > VPN Service

About Layer 3 IPsec VPN Service

Layer 3 IPsec VPN tunnels securely send traffic between Extreme Networks routers and one or two Extreme Networks VGVAs (VPN Gateway Virtual Appliances). Each router functions as a VPN initiator and performs a route lookup to determine whether to send traffic from hosts in its subnetwork through an IPsec tunnel to destinations in different subnets on the other side of the gateway, which functions as a VPN terminator. When using a hub-and-spoke design, the destination might lie on the other side of a second tunnel that connects the Layer 3 VPN gateway to another router at a different remote site. ExtremeCloud IQ applies Layer 3 IPsec VPNs to routers and Layer 3 VPN gateways through a network policy that supports routing.

To enable Layer 3 VPN service in a network policy that supports routing:

  1. Toggle Enable VPN Service to ON.
  2. Either select an existing VPN service configuration or select Add to create a new one.
  3. If you select Add, configure the settings in the New VPN Service window as explained in VPN Service Settings and then select Save.
  4. Choose Select and choose your recently added VPN service configuration.

VPN Service is part of a longer configuration workflow that you can see outlined in the section below.

SD-WAN Configuration Workflow

This table lists the configuration steps for SD-WAN with the corresponding Help topics for more information:

| Step | Description | Corresponding Help Topic |
|------|-------------|--------------------------|
| 1 | Add routers and VGVAs (VPN Gateway Virtual Appliances) to the VHM. | |
| 2 | Create a network policy with routing enabled. | Network Policies |
| 3 | Configure device, port, and routing policy settings for the VGVA by navigating to Manage > Devices > vgva_name and editing the Device Configuration, Port Configuration, and Routing Policy sections. | Device Settings; VGVA Port Settings; VGVA Routing and Routing Policy Settings Override |
| 4 | In the network policy, create a device template for the router. | Router Template |
| 5 | Create a VPN service for the network policy. | VPN Service |
| 6 | Configure network allocation with new subnetworks and corresponding VLANs for routers to use at branch sites. | Subnetworks |
| 7 | Use a predefined Layer 7 application set, or create and use a custom application set when configuring SD-WAN routing policy rules. | Application Sets |
| 8 | Enable SD-WAN and configure an SD-WAN route group. This group sets the priority of your WAN links when using a VPN service to connect to a specified VPN gateway, and also allows you to configure aggressive, normal, or moderate responses to operational faults, including jitter, packet loss, and latency. | SD-WAN; SD-WAN Route Group |
| 9 | Create a routing policy that routes traffic from the router subnets through the WAN interface to the public network or through a VPN tunnel to the corporate network or data center based on Layer 7 applications, incoming LAN interfaces, source and destination addresses, and user profiles. | Routing Policy |
| 10 | Put the VGVAs online and upload the configuration from ExtremeCloud IQ to them. | Upload a Configuration |
| 11 | Add the network policy (with routing and SD-WAN enabled) to an auto provisioning profile for the routers so that when they connect to ExtremeCloud IQ, they automatically receive their configuration. Distribute the devices to the branch sites with instructions to put them on the network. After the devices connect to ExtremeCloud IQ and automatically receive their configuration, they will reboot and then reconnect to ExtremeCloud IQ and become operational. | Auto Provisioning Settings |

Copyright © 2020 Extreme Networks. All rights reserved. Published March 2020.