You must create a custom VPN Profile element to define the settings for VPN clients.
Note: This configuration scenario does not explain all settings related to authenticating VPN client users.
For more details about the product and how to configure features, click Help or press F1.
Steps
- Select Configuration, then browse to SD-WAN.
- In the element tree, browse to .
- Right-click Suite-B-GCM-128 and select .
  The settings from the default profile are copied into the VPN Profile Properties dialog box that opens.
- In the Name field, enter a unique name.
- On the IKE SA tab, configure the IKE SA settings.
  - In the Version drop-down list, select the IKE version.
    You can select IKEv1, IKEv2, or both. If both versions are selected, IKEv2 is tried first in the negotiations, and IKEv1 is only used if the remote gateway does not support IKEv2.
  - (Only if IKEv1 is selected) Make sure IKEv1 Negotiation Mode is set to Main.
    Using Main mode helps guarantee that the user names and passwords of the VPN client users remain confidential.
- On the IPsec Client tab, configure the VPN client settings.
  - Make sure that the Authentication Method is set to RSA Signatures.
  - Select Allow Hybrid/EAP Authentication.
    Hybrid authentication is used with IKEv1. EAP (Extensible Authentication Protocol) is used with IKEv2.
  - Make sure IPsec Security Association Granularity for Tunnel Mode is set to SA Per Net.
- Click OK.
Next steps
Create a Policy-Based VPN element.