Layer 2 IPsec VPN is a logical extension of the Layer 2 broadcast domain across an
IPsec VPN tunnel. After configuration, it is available for use in multiple network
policies. Use this task to configure a new Layer 2 IPsec VPN service. To configure a
Layer 3 IPsec VPN service, see Configure Layer 3 VPN Services.
-
Select the add icon.
-
Enter a name for the service.
-
Enter an optional description.
-
Select either Single Device VPN Server or
Redundant Device VPN Server.
If you selected Single Device VPN
Server, continue with the next step. If you selected Redundant Device VPN
Server, proceed to Step 13.
-
If you selected Single Device VPN
Server, select an AP with Layer 2 IPsec VPN services enabled
from the drop-down list.
-
Server Public IP
Address is auto-filled based on the selected VPN server
settings, but to change it, enter the IP address of the VPN server that VPN
clients can reach across the network.
-
If the VPN server is behind a NAT device, enter the address of the MIP
address on the NAT device.
-
If there is no NAT device in front of the VPN server, enter the
server's mgt0 address, which is the same address as that in the next
field.
-
Server MGT0 IP Address is auto-populated and is
read-only.
-
Server MGT0 Default Gateway is auto-populated and is
read-only.
-
Enter the first IP address of a range of addresses that the VPN server assigns
to tunnel interfaces on VPN clients during the Xauth phase of tunnel
setup.
Best practice suggests putting this address pool in the same subnet as the VPN
server mgt0 interface, and the same subnet as the addresses that the DHCP server
assigns to wireless clients through the tunnel. If the tunnel interfaces are in
a different subnet, you must define a route the VPN server default gateway
router uses to forward traffic destined for the tunnel interface, and traffic
destined for the wireless clients to the VPN server mgt0 interface.
-
Enter the IP address at the end of the range of IP addresses in the address
pool.
-
Enter the netmask that defines the subnet to which the tunnel interfaces
belong.
-
Select the DNS server IP address or host name that VPN clients use to resolve
domain names on the VPN server network.
If you do not see the object you want, select the add icon and add a new
one.
-
If you selected Redundant Device VPN Server in Step 4,
enter the following information for Device VPN Server 1
and Device VPN Server 2:
- Device VPN Server: Select an AP with Layer 2
IPsec VPN services enabled from the drop-down list.
- Server Public IP Address: Auto-filled from the
selected VPN server settings; editable.
- Server MGT0 IP Address: Auto-filled from the
selected VPN server settings; read-only.
- Server MGT0 Default Gateway: Auto-filled from the
selected VPN server settings; read-only.
- Client Tunnel IP Address Pool Start: Enter the
first IP address for the client pool.
- Client Tunnel IP Address Pool End: Enter the last
IP address for the client pool.
- Client Tunnel IP Address Pool Netmask: Enter the
netmask for the client pool of IP addresses.
Note
The VPN client IP address pools for redundant VPN servers can be in the
same subnet or different subnets. However, the address pools must not
overlap. If there is overlap, VPN clients can receive duplicate IP address
assignments.
-
For Device VPN Client DNS
Server, choose the DNS server IP address or host name object
that VPN clients use to resolve domain names, or select the add icon to define a
new one.
-
For User Profiles for Traffic Management, select
Enabled in the VPN Tunnel Mode column to enable VPN
clients to tunnel traffic for specific user profiles.
ExtremeCloud IQ displays a list of user profiles whose traffic can be
forwarded through the Layer 2 IPsec VPN tunnel or forwarded without tunneling.
-
After enabled, to tunnel all client traffic, select Tunnel
All Traffic.
-
To enable split mode tunneling, select Split
Tunnel.
-
For IPsec VPN Authority Settings, see Configure IPsec VPN Authority Settings.
-
For Server-Client Credentials, see About Server-Client Credentials.
-
For Advanced Server Options, see Configure Advanced Server Options.
-
For Advanced Client Options, see Configure Advanced Client Options.