For Layer 2 IPsec VPN tunnels, all management servers (CAPWAP, Syslog, SNMP, NTP,
RADIUS, Active Directory, and LDAP) should be reachable from the VPN client without
tunneling by default. However, you might want to tunnel some or all management
traffic from the VPN client to servers on the main network. Use this task to specify
which type of management traffic you want VPN clients to send through the tunnel and
which to forward locally.
-
For Management Tunnel
Traffic Options:
Note
Set the following options only when the servers are in a different subnet
from that of the tunnel interface. When they are in the same subnet,
tunneling is automatic. In addition, the IP address/host name objects for
the following servers must have IP address definitions as opposed to host
name definitions.
-
Select ExtremeCloud IQ (CAPWAP) to tunnel all
CAPWAP (Control and Provisioning of Wireless Access Points) traffic from
VPN clients to ExtremeCloud IQ, which is a CAPWAP server.
-
Select Syslog to send log entries to a syslog
server through the VPN tunnel.
-
Select SNMP Traps to send all SNMP traps through
the VPN tunnel to an SNMP management system.
-
Select NTP to tunnel all NTP traffic from VPN
clients to an NTP server.
-
Select RADIUS to tunnel all RADIUS traffic from
VPN clients to a RADIUS authentication server.
-
Select Active Directory to tunnel all traffic
from an Extreme Networks RADIUS authentication server to an Active
Directory server.
-
Select LDAP to tunnel all traffic from a RADIUS
authentication server to an LDAP server.
-
Select Enable NAT Traversal to enable VPN traffic to
traverse NAT devices encountered along its data path.
-
For DPD (Dead Peer Detection) Settings:
The DPD and tunnel heartbeat settings control when to fail over from the
primary to the secondary VPN server. The DPD messages verify the presence of an
IKE peer, and AMRP (Advanced Mobility Routing Protocol) tunnel heartbeats verify
communications through the GRE and VPN tunnel. The failure of either mechanism
can trigger a failover.
-
Set the Heartbeat Interval for sending DPD
R-U-There heartbeat messages from the VPN client to the VPN gateway.
-
Set the number of times to retry sending a DPD R-U-There message when
it does not elicit a response.
-
Set the amount of time between retries.
-
For Tunnel Heartbeat Settings:
-
Set the Interval for sending AMRP heartbeats
through the GRE and VPN tunnel from the VPN client to the VPN
server.
-
Set the number of times to Retry sending a
heartbeat if the VPN server fails to respond.
After a heartbeat fails to elicit a response from the VPN server, the
VPN client retries every second.