Profile Overrides - VPN

About this task

VPN can be overridden by using either the inbuilt wizards or by manually configuring the required parameters. This section describes how to use the inbuilt wizards to override the VPN parameters. The user interface provides two (2) wizards that provide different levels of configuration.

Procedure

  1. Go to Configuration → Devices → Device Overrides.

    The Device Overrides screen displays. This screen lists devices within the managed network.

  2. Select an access point.

    The selected access point's configuration menu displays.

  3. Expand Profile Overrides → Security and select VPN.

    The selected access point's Security configuration screen displays, with the VPN option selected by default.

    Click to expand in new window
    Profile Overrides - Security - VPN Configuration Screen
    GUID-B3465B81-F820-4A85-95BB-B119A5500A25-low.png
    The following options are available:
    • Quick Setup - Use this wizard to setup basic VPN Tunnel on the device. This wizard is aimed at novice users and enables them to setup a basic VPN with minimum effort. This wizard uses default values for most of the parameters.

      Note

      Note

      This option is selected by default. If you wish to use any of the other options on this screen, select the option and click Start.

    • Step-by-Step wizard - Use this wizard to setup a VPN Tunnel step by step. This wizard is aimed at intermediate users who require the ability to customize some of the parameters.

    • Advanced Configuration - Use this option to configure the VPN parameters manually.

  4. Click Start to launch the Quick Setup wizard.

    The Quick Setup wizard creates a VPN connection with minimum manual configuration. Default values are retained for most of the parameters.

    The quick setup screen displays.

    Click to expand in new window
    VPN Quick Setup Wizard Screen
    GUID-02A031D5-B7A2-4198-AA0B-EBF6A3BF0841-low.png
  5. Provide the following VPN tunnel configurations:

    Tunnel Name

    Provide a name for the tunnel. Tunnel name must be such that it easily identifies the tunnel uniquely.

    Tunnel Type

    Configure the tunnel type as one of the following:
    • Site-to-Site – Select to create a secured connection between two sites.

    • Remote Access – Provides access to a network to remote devices.

    Select Interface

    Configure the interface for creating the tunnel. The following options are available:
    • VLAN – Select to configure tunnel over a Virtual LAN interface. Use the spinner to configure the VLAN number.

    • WWAN – Select to configure tunnel over the WWAN interface.

    • PPPoE – Select to configure tunnel over the PPPoE interface

    Traffic Selector (ACL)

    Configure ACLs that manage the traffic passing through the VPN Tunnel.
    • Source – Provide the source network along with its mask.

    • Destination – Provide the destination network along with its mask.

    Note:

    Click Add Rule to add the rule into the ACL.

    Peer

    Configure the peer for this tunnel. The peer device can be specified either by its hostname or IP address.

    Authentication

    Configure the authentication used to identify peers. The options are:
    • Certificate – Select to apply certificate-base peer authentication.

    • Pre-Shared Key – Select to enforce pre-shared key based peer authentication. If selecting this option, provide the PSK in the associated field.

    Local Identity

    Configure the local identity used with peer configuration for an IKE exchange with the target VPN IPSec peer. Options include:
    • IP Address

    • FQDN

    • Email

    The default setting is IP Address.

    Remote Identity

    Configure the access point remote identifier for an IKE exchange with the target VPN IPSec peer. The options include:
    • IP Address

    • FQDN

    • Email

    The default setting is IP Address.

    IKE Policy

    Configure the IKE policy to use. IKE is used to exchange authentication keys. The options are:
    • All – Select to use any IKE policy.

    • IKE1 – Select to only use IKE 1.

    • IKE2 – Select to only use IKE 2.

    Transform Set

    Configure the transform set used to specify how traffic is protected within the crypto ACL defining the traffic that needs to be protected. Select the appropriate traffic set from the drop-down menu.

  6. Click Save to save the VPN Tunnel configuration.

    To exit without saving, click Cancel.

  7. Select the Step-By-Step Wizard option, and click Start to launch the wizard.

    The Step-By-Step wizard creates a VPN connection with more manual configuration than the Quick Setup Wizard. Use this wizard to manually configure Access Control Lists, IKE Policy, and Transform Sets to customize the VPN Tunnel.

    The Step-by-Step wizard → Basic Configuration (step 1/4) screen displays by default.

    Click to expand in new window
    VPN Basic Configuration Screen Step 1/4
    GUID-C117B26F-648B-4CA2-AE11-BFDD624D5D48-low.png
  8. Provide the following basic configurations:

    Tunnel Name

    Provide a name for the tunnel. Tunnel name must be such that it easily identifies the tunnel uniquely.

    Tunnel Type

    Configure the tunnel type as one of the following:
    • Site-to-Site – Select to create a secured connection between two remote sites.

    • Remote Access – Select to create a tunnel between an user device and a network. In other words, select to provide access to a network to remote devices.

    Interface

    Configure the interface for the tunnel. The options are:
    • VLAN – Select to configure tunnel over a Virtual LAN interface. Use the spinner to configure the VLAN number.

    • WWAN – Select to configure tunnel over the WWAN interface.

    • PPPoE – Select to configure tunnel over the PPPoE interface

    Traffic Selector (ACL)

    This field creates the Access Control List (ACL) that is used to control who uses the network.
    • Source – Provide the source network IP address along with its mask.

    • Destination – Provide the destination network IP address along with its mask.

    Note:

    Click Add Rule to add the rule into the ACL.

  9. Click Next.

    The Step-by-Step Wizard → Remote Configuration Site (step 2/4) screen displays.

    Click to expand in new window
    Remote Configuration Site Step 2/4 Screen
    GUID-1D0EEC49-19E6-409E-B762-D18FEBFB8A16-low.png
  10. Provide the following remote site configuration:

    Peer

    Specify the peer for this device when forming a tunnel. The peer can be identified by it's IP address or hostname.
    • IP Address - Select and specify the peer's IP address in the associated field.

    • Host Name - Select and specify the peer's hostname in the associated field.

    Authentication

    Configure the mode of authentication used by the tunnel peers. The options are:
    • Certificate – Select to apply certificate-base peer authentication.

    • Pre-Shared Key – Select to enforce pre-shared key based peer authentication. If selecting this option, provide the PSK in the associated field.

    Local Identity

    Configure the local identity used with peer configuration for an IKE exchange with the target VPN IPSec peer. Options include:
    • IP Address

    • FQDN

    • Email

    The default setting is IP Address.

    Remote Identity

    Configure the access point remote identifier for an IKE exchange with the target VPN IPSec peer. The options include:
    • IP Address

    • FQDN

    • Email

    The default setting is IP Address.

    IKE Policy

    Configure the IKE policy to use when creating this VPN Tunnel. The following options are available:
    • Use Default – Select this option to use the default IKE profiles. Select one of ike1-default or ike2-default.

    • Create new Policy – Select this option to create a new IKE policy. Select and click Create new Policy button to launch the IKE Policy creation window.

    The default setting is IP Address.
  11. Click the Add Peer button to move the tunnel peer information into the Peer(s) table. This table lists all the peers configured for the VPN Tunnel.
  12. Click Next.

    The Step-by-Step Wizard → IPSec Configuration (step 3/4) screen displays.

    Click to expand in new window
    IPSec Configuration Step 3/4 Screen
    GUID-62D458BF-6E59-43B3-8EE5-2BEB234E0871-low.png
  13. Provide the following configurations:

    Transform Set

    Transform set is a set of configurations exchanged for creating the VPN tunnel and impose a security policy. Use the Transform Set drop-down menu and select one of the following options:
    • default - Select to apply the default, system-provided security policy.

    • Create New Policy - Select to create new security policies. when selected the Encryption, Authentication and Mode fields are enabled.

    • Authentication – The authentication used to identify tunnel peers.

    • Mode – The mode of the tunnel. This is how the tunnel will operate.

    Note:

    Encryption

    Specify the encryption mode used with the tunnel. The options are:
    • esp-null

    • des

    • 3des

    • aes

    • aes-192

    • aes-256

    Authentication

    Specify the authentication mode used to identify tunnel peers. the options are:
    • md5-hmac

    • sha-hmac

    • sha256-hmac

    • aes-xcbc-mac

    This is the method peers authenticate with as the source of the packet to other peers after a VPN Tunnel has been created.

    Mode

    Configure the mode of transport used to transmit packets through the tunnel. The options are:
    • Tunnel – Select this mode when the tunnel is between two routers or servers.

    • Transport – Select this mode when the tunnel is created between a client and a server.

    Security Association

    Configure the lifetime of a SA (security association). Keys and SAs should be periodically renewed to maintain security of the tunnel.
    • Lifetime – Duration in seconds after which the keys should be changed. Set a value in from 500 - 2,147,483,646 seconds. The default value is 3,600 seconds.

    • Data – Select this option to enable data-based IPSec security association. Provide the data threshold for determining the need of Key change. The key is changed after this quantity of data has been encrypted/ decrypted. Set a value from 500 - 2,147,483,646 KBs.

  14. Click Next.

    The Step-by-Step Wizard → Summary (step 4/4) screen displays.

    Click to expand in new window
    Summary Step 4/4 Screen
    GUID-5FE7E694-23C2-41DA-B185-2812E8CFDF9B-low.png
  15. Review the configuration and click Done to create the VPN tunnel.

    Use the Back button to go back to previous screen for making modifications to the configuration. Click Close to close the wizard without creating a VPN Tunnel.

  16. Select the Advanced Configuration option, to configure the VPN parameters manually.

    For detailed information manually configuring the VPN configurations, see Defining Profile VPN Settings.