Create a VPN Profile element for configuration 3

You must create a custom VPN Profile element to define the settings for VPN clients.

Note: This basic configuration scenario does not explain all settings related to authenticating VPN client users.

  For more details about the product and how to configure features, click Help or press F1.


  1. Select Configuration, then browse to SD-WAN.
  2. In the element tree, browse to Other Elements > Profiles > VPN Profiles.
    The defined VPN Profiles are displayed.
  3. Right-click VPN-A Suite and select New > Duplicate.
    The settings from the default profile are copied into the VPN Profile Properties dialog box that opens.
  4. In the Name field, enter a unique name.
  5. On the IKE SA tab, configure the IKE SA settings.
    1. In the Version drop-down list, select the IKE version.
      You can select IKEv1, IKEv2, or both. If both versions are selected, IKEv2 is tried first in the negotiations, and IKEv1 is only used if the remote gateway does not support IKEv2.
    2. (Only if IKEv1 is selected) Make sure IKEv1 Negotiation Mode is set to Main.
      Using Main mode helps guarantee that the user names and passwords of the VPN client users remain confidential.
    Note: The restricted (-R) product version has no strong encryption algorithms.
  6. On the IPsec Client tab, configure the VPN client settings.
    1. Make sure that the Authentication Method is set to RSA Signatures.
    2. Select Allow Hybrid/EAP Authentication.
      Hybrid authentication is used with IKEv1. EAP (Extensible Authentication Protocol) is used with IKEv2.
    3. Make sure IPsec Security Association Granularity for Tunnel Mode is set to SA Per Net.
  7. Click OK.