Example VPN configuration 3: create a VPN Profile element

You must create a custom VPN Profile element to define the settings for VPN clients.

Note: This configuration scenario does not explain all settings related to authenticating VPN client users.

  For more details about the product and how to configure features, click Help or press F1.

Steps

  1. Select Configuration, then browse to SD-WAN.
  2. In the element tree, browse to Other Elements > Profiles > VPN Profiles.
  3. Right-click Suite-B-GCM-128 and select New > Duplicate.
    The settings from the default profile are copied into the VPN Profile Properties dialog box that opens.
  4. In the Name field, enter a unique name.
  5. On the IKE SA tab, configure the IKE SA settings.
    1. In the Version drop-down list, select the IKE version.
      You can select IKEv1, IKEv2, or both. If both versions are selected, IKEv2 is tried first in the negotiations, and IKEv1 is used only if the remote gateway does not support IKEv2.
    2. (Only if IKEv1 is selected) Make sure IKEv1 Negotiation Mode is set to Main.
      Using Main mode helps ensure that the user names and passwords of the VPN client users remain confidential.
  6. On the IPsec Client tab, configure the VPN client settings.
    1. Make sure that the Authentication Method is set to RSA Signatures.
    2. Select Allow Hybrid/EAP Authentication.
      Hybrid authentication is used with IKEv1. EAP (Extensible Authentication Protocol) is used with IKEv2.
    3. Make sure IPsec Security Association Granularity for Tunnel Mode is set to SA Per Net.
  7. Click OK.

Next steps

Create a Policy-Based VPN element.