Configure Layer 2 VPN Services

Layer 2 IPsec VPN is a logical extension of the Layer 2 broadcast domain across an IPsec VPN tunnel. After configuration, it is available for use in multiple network policies. Use this task to configure a new Layer 2 IPsec VPN service. To configure a Layer 3 IPsec VPN service, see Configure Layer 3 VPN Services.

  1. Select the add icon.
  2. Enter a name for the service.
  3. Enter an optional description.
  4. Select either Single Device VPN Server or Redundant Device VPN Server.
    If you selected Single Device VPN Server, continue with the next step. If you selected Redundant Device VPN Server, proceed to Step 13.
  5. If you selected Single Device VPN Server, select an AP with Layer 2 IPsec VPN services enabled from the drop-down list.
  6. Server Public IP Address is auto-filled based on the selected VPN server settings, but to change it, enter the IP address of the VPN server that VPN clients can reach across the network.
    1. If the VPN server is behind a NAT device, enter the address of the MIP address on the NAT device.
    2. If there is no NAT device in front of the VPN server, enter the server's mgt0 address, which is the same address as that in the next field.
  7. Server MGT0 IP Address is auto-populated and is read-only.
  8. Server MGT0 Default Gateway is auto-populated and is read-only.
  9. Enter the first IP address of a range of addresses that the VPN server assigns to tunnel interfaces on VPN clients during the Xauth phase of tunnel setup.
    Best practice suggests putting this address pool in the same subnet as the VPN server mgt0 interface, and the same subnet as the addresses that the DHCP server assigns to wireless clients through the tunnel. If the tunnel interfaces are in a different subnet, you must define a route the VPN server default gateway router uses to forward traffic destined for the tunnel interface, and traffic destined for the wireless clients to the VPN server mgt0 interface.
  10. Enter the IP address at the end of the range of IP addresses in the address pool.
  11. Enter the netmask that defines the subnet to which the tunnel interfaces belong.
  12. Select the DNS server IP address or host name that VPN clients use to resolve domain names on the VPN server network.
    If you do not see the object you want, select the add icon and add a new one.
  13. If you selected Redundant Device VPN Server in Step 4, enter the following information for Device VPN Server 1 and Device VPN Server 2:
    • Device VPN Server: Select an AP with Layer 2 IPsec VPN services enabled from the drop-down list.
    • Server Public IP Address: Auto-filled from the selected VPN server settings; editable.
    • Server MGT0 IP Address: Auto-filled from the selected VPN server settings; read-only.
    • Server MGT0 Default Gateway: Auto-filled from the selected VPN server settings; read-only.
    • Client Tunnel IP Address Pool Start: Enter the first IP address for the client pool.
    • Client Tunnel IP Address Pool End: Enter the last IP address for the client pool.
    • Client Tunnel IP Address Pool Netmask: Enter the netmask for the client pool of IP addresses.
    Note

    Note

    The VPN client IP address pools for redundant VPN servers can be in the same subnet or different subnets. However, the address pools must not overlap. If there is overlap, VPN clients can receive duplicate IP address assignments.
  14. For Device VPN Client DNS Server, choose the DNS server IP address or host name object that VPN clients use to resolve domain names, or select the add icon to define a new one.
  15. For User Profiles for Traffic Management, select Enabled in the VPN Tunnel Mode column to enable VPN clients to tunnel traffic for specific user profiles.
    ExtremeCloud IQ displays a list of user profiles whose traffic can be forwarded through the Layer 2 IPsec VPN tunnel or forwarded without tunneling.
    1. After enabled, to tunnel all client traffic, select Tunnel All Traffic.
    2. To enable split mode tunneling, select Split Tunnel.
  16. For IPsec VPN Authority Settings, see Configure IPsec VPN Authority Settings.
  17. For Server-Client Credentials, see About Server-Client Credentials.
  18. For Advanced Server Options, see Configure Advanced Server Options.
  19. For Advanced Client Options, see Configure Advanced Client Options.