crypto-local ipsec-map

crypto-local ipsec-map

client-mode [nat|network]

disable

dst-net | any

dst-net-ipv6

enrolled-cert-auth

factory-cert-auth

force-natt {enable|disable}

force-tunnel-mode

ip access-group {ip | session-acl}

ip-compression {enable|disable}

load-balance

local-fqdn

monitor

no ...

peer-cert-dn

peer-fqdn {any-fqdn|peer-fqdn }

peer-ip

peer-ipv6

pre-connect {disable|enable}

set ca-certificate

set ike1-policy <policy-v1-number>

set ikev2-policy

set pfs {group1|group2|group14|group19|group20}

set security-association lifetime kilobytes

set security-association lifetime seconds

set server-certificate

set transform-set [] [] []

src-net vlan | any

src-net-ipv6

trusted {enable|disable}

uplink-failover {enable|disable}

version {v1|v2}

vlan

Description

This command configures IPsec mapping for site-to-site VPNs.

You can use Mobility Conductor instead of VPN concentrators to connect sites at different physical locations.

You can configure separate CA and server certificates for each site-to-site VPN. You can also configure the same CA and server certificates for site-to-site VPN and client VPN. Use the show crypto-local ipsec-map command to display the certificates associated with all configured site-to-site VPN maps; use the tag option to display the certificates associated with a specific site-to-site VPN map.

Mobility Conductor supports site-to-site VPNs between two statically addressed managed devices, or between one statically and one dynamically addressed managed device. By default, site-to-site VPN uses IKE Main mode with pre-shared keys to authenticate the IKE SA. This method uses the IP address of the peer, and therefore will not work for dynamically addressed peers.

To support site-to-site VPN with dynamically addressed devices, you must enable IKE Aggressive mode with authentication based on a pre-shared key. A managed device with a dynamic IP address must be configured as the initiator of IKE Aggressive mode for site-to-site VPN, while the managed device with a static IP address must be configured as the responder of IKE Aggressive mode.

IKEv2 site-to-site VPNs between Mobility Conductor and 7000 Series Mobility Conductor support traffic compression between those devices. When this hardware-based compression feature is enabled, the quality of unencrypted traffic (such as Skype4b or voice traffic) is not compromised by increased latency or decreased throughput.

Parameter

Description

Name of the IPsec map.

Priority of the entry.

Range: 1-9998

client-mode [nat|network]

Enables client mode, where:

nat enables NAT mode with the source and destination networks both set to any.

network enables network mode.

disable

Disables an existing IPsec map. New maps are enabled by default.

dst-net | any

IP address and netmask for the destination network, or any.

dst-net-ipv6

IPv6 address and netmask for the destination network.

enrolled-cert-auth

Enables the enrolled certificate authentication for site-to-site tunnel.

factory-cert-auth

Enables factory certificate authentication for site-to-site VPNs.

Default: Disabled

force-natt

Include this parameter to always enforce UDP 4500 for IKE and IPsec. This option is disabled by default.

Default: Disabled

force-tunnel-mode

Configures the force-tunnel-mode flag.

ip access-group

Configures the IP access group name.

ip

Attaches a route ACL to the IPsec map for a site-to-site VPN.

When you associate a routing ACL with inbound traffic on a Mobility Conductor terminating a site-to-site VPN, that ACL can forward traffic as normal, route traffic to a nexthop router on a nexthop list, or redirect traffic over an L3 GRE tunnel or tunnel group. For more information on creating a routing ACL, see ip access-list route.

session-acl

Configures session ACL on IPsec map.

ip-compression

Enables compression for traffic in an IKEv2 site-to-site tunnel between a master/conductor and a local 7000 Series Mobility Conductor. Compression is disabled by default.

Default: Disabled

ipsec-mtu

Configures the IPsec MTU of the security association (SA).

load-balance

Enables VPN load balancing for any tunnel.

Default: Disabled

local-fqdn

If the managed device has a dynamic IP address, you must specify the FQDN of the managed device to configure it as an initiator of IKE Aggressive mode.

monitor interval

Configures link monitoring, where the IP address argument is the address of the monitor server and interval is an optional monitoring interval in seconds.

no

Negates a configured parameter.

peer-cert-dn

If you are using IKEv2 to establish a site-to-site VPN to a statically addressed remote peer, identify the peer device by entering its certificate subject name in the Peer Certificate Subject Name field.

peer-fqdn

For site-to-site VPNs with dynamically addressed peers, specify an FQDN for the managed device:

  • any-fqdn: Any remote FQDN ID
  • fqdn-id: Unique remote FQDN ID

Default: any-fqdn

peer-ip

If you are using IKEv1 to establish a site-to-site VPN to a statically addressed remote peer, identify the peer device by entering the IP address of the peer gateway.

NOTE: If you are configuring an IPsec map for a static-IP managed device with a dynamically addressed remote peer, you must leave the peer gateway set to its default value of 0.0.0.0.

peer-ipv6

If you are using IKEv1 to establish a site-to-site VPN to a statically addressed remote peer, identify the peer device by entering the IPv6 address of the peer gateway.

NOTE: If you are configuring an IPsec map for a static-IP managed device with a dynamically addressed remote peer, you must leave the peer gateway set to its default value.

pre-connect

Enables or disables pre-connection.

Default: disabled

set ca-certificate

User-defined name of a trusted CA certificate installed on the Mobility Conductor. Use the show crypto-local pki TrustedCA command to display the CA certificates that have been imported into the Mobility Conductor. The CA certificate name must be between 1 and 64 characters in length.

Range: 1-64 characters

set ike1-policy <policy-v1-number>

Select an IKEv1 policy for the ipsec-map. Predefined policies are described in the table below.

set ikev2-policy

Select IKEv2 policy for the ipsec-map. Predefined policies are described in the table below.

set pfs

If you enable Perfect Forward Secrecy (PFS) mode, new session keys are not derived from previously used session keys. Therefore, if a key is compromised, that compromised key will not affect any previous session keys. To enable this feature, specify one of the following Perfect Forward Secrecy modes:

  • group1: 768-bit Diffie-Hellman prime modulus group.
  • group2: 1024-bit Diffie-Hellman prime modulus group.
  • group14: 2048-bit Diffie-Hellman prime modulus group.
  • group19: 256-bit random Diffie-Hellman ECP modulus group. (For IKEv2 only)
  • group20: 384-bit random Diffie-Hellman ECP modulus group. (For IKEv2 only)

Default: disabled

set security-association lifetime kilobytes

Configures the lifetime for the security association (SA) in kilobytes.

Range: 1000-1000000000 kilobytes

set security-association lifetime seconds

Configures the lifetime for the security association (SA) in seconds.

Range: 300-86400 seconds

Default: 7200 seconds

set server-certificate

User-defined name of a server certificate installed for the site-to-site IPsec map. Use the show crypto-local pki ServerCert command to display the server certificates that have been imported into the Mobility Conductor. The server certificate name must be between 1 and 64 characters in length.

Range: 1-64 characters

set transform-set [] [] []

Name of the transform set for this IPsec map. One transform set name is required, but you can specify up to four transform sets. Configure transform sets with the crypto ipsec transform-set command.

Default: transform

src-net | any

IP address and netmask for the source network, or any.

src-net-ipv6

IPv6 address and netmask for the source network.

trusted

Enables a trusted tunnel.

NOTE: The trusted sub-parameter is not supported on the managed device. You must always use the trusted sub-parameter so that the traffic can pass through.

Default: disabled

uplink-failover

Enables or disables uplink failover for site-to-site tunnels.

Default: disabled

version

Select the IKE version for the IPsec map.

  • v1: IKEv1
  • v2: IKEv2

Default: v1

vlan

VLAN ID. Enter 0 for the loopback, and 4095 for cellular.

Range: 1-4094
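The parameter table above gives several ranges and pairing rules that are easy to get wrong when maps are built by hand or templated. The following Python linter is an added example (not ArubaOS code) that parses an ipsec-map stanza in the layout of this page's CLI examples and checks it against the documented rules: priority 1-9998, SA lifetime ranges, certificate name length, at most four transform sets, VLAN 0/1-4094/4095, group19 and group20 only with version v2, peer-ip left at 0.0.0.0 when peer-fqdn is used, and trusted enabled. The function names, the prompt-matching regex and the deliberately broken bad-map sample are assumptions of the example.

```python
import re

# Ranges and pairing rules copied from the parameter table on this page.
# This linter is an added example, not ArubaOS code.
PRIORITY_RANGE = (1, 9998)
SA_SECONDS_RANGE = (300, 86400)
SA_KILOBYTES_RANGE = (1000, 1_000_000_000)
CERT_NAME_RANGE = (1, 64)
VLAN_RANGE = (1, 4094)
SPECIAL_VLANS = {0: "loopback", 4095: "cellular"}
PFS_GROUPS = {"group1", "group2", "group14", "group19", "group20"}
IKEV2_ONLY_PFS = {"group19", "group20"}
MAX_TRANSFORM_SETS = 4

# Header line as in the page's CLI examples, with or without the config prompt.
HEADER_RE = re.compile(
    r"^(?:\(\S+\)\s*(?:\[\S+\]\s*)?\(config\)\s*#\s*)?"
    r"crypto-local ipsec-map\s+(\S+)\s+(\d+)\s*$")


def parse_ipsec_map(text):
    """Parse one ipsec-map stanza (header, one sub-parameter per line, optional '!')
    into a dict, filling in the documented defaults: version v1, trusted disabled."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and ln.strip() != "!"]
    m = HEADER_RE.match(lines[0])
    if not m:
        raise ValueError("expected 'crypto-local ipsec-map <name> <priority>' header")
    cfg = {"name": m.group(1), "priority": int(m.group(2)),
           "version": "v1", "transform_sets": [], "trusted": False}
    for ln in lines[1:]:
        tok = ln.split()
        if tok[:2] == ["set", "security-association"]:   # ... lifetime seconds|kilobytes N
            cfg["lifetime_" + tok[3]] = int(tok[4])
        elif tok[:2] == ["set", "transform-set"]:
            cfg["transform_sets"] = [t.strip('"') for t in tok[2:]]
        elif tok[0] == "set":                              # pfs, ca-certificate, ikev2-policy, ...
            cfg[tok[1]] = " ".join(tok[2:])
        elif tok[0] == "trusted":                          # 'trusted' or 'trusted enable'
            cfg["trusted"] = len(tok) == 1 or tok[1] == "enable"
        else:                                              # peer-ip, peer-fqdn, vlan, src-net, ...
            cfg[tok[0]] = " ".join(tok[1:])
    return cfg


def lint_ipsec_map(text):
    """Return the list of rule violations; an empty list means the stanza passes."""
    cfg = parse_ipsec_map(text)
    out = []
    lo, hi = PRIORITY_RANGE
    if not lo <= cfg["priority"] <= hi:
        out.append(f"priority {cfg['priority']} outside {lo}-{hi}")
    pfs = cfg.get("pfs")
    if pfs is not None and pfs not in PFS_GROUPS:
        out.append(f"unknown PFS group '{pfs}'")
    elif pfs in IKEV2_ONLY_PFS and cfg["version"] != "v2":
        out.append(f"pfs {pfs} is IKEv2-only but the map uses IKE {cfg['version']}")
    for unit, (lo, hi) in (("seconds", SA_SECONDS_RANGE), ("kilobytes", SA_KILOBYTES_RANGE)):
        val = cfg.get("lifetime_" + unit)
        if val is not None and not lo <= val <= hi:
            out.append(f"SA lifetime {val} {unit} outside {lo}-{hi}")
    for cert in ("ca-certificate", "server-certificate"):
        name = cfg.get(cert)
        if name is not None and not CERT_NAME_RANGE[0] <= len(name) <= CERT_NAME_RANGE[1]:
            out.append(f"{cert} name length {len(name)} outside 1-64 characters")
    if len(cfg["transform_sets"]) > MAX_TRANSFORM_SETS:
        out.append(f"{len(cfg['transform_sets'])} transform sets, maximum is {MAX_TRANSFORM_SETS}")
    if "vlan" in cfg:
        vlan = int(cfg["vlan"])
        if vlan not in SPECIAL_VLANS and not VLAN_RANGE[0] <= vlan <= VLAN_RANGE[1]:
            out.append(f"vlan {vlan} outside 1-4094 (0 = loopback, 4095 = cellular)")
    # A dynamically addressed remote peer is identified by FQDN; the page says the
    # peer gateway must then stay at its 0.0.0.0 default.
    if "peer-fqdn" in cfg and cfg.get("peer-ip") not in (None, "0.0.0.0"):
        out.append("peer-fqdn configured but peer-ip is not 0.0.0.0")
    if not cfg["trusted"]:
        out.append("trusted not enabled; the page notes traffic will not pass without it")
    return out


# Constructed samples: GOOD_MAP is the sf-chi-vpn map from this page's examples,
# BAD_MAP deliberately breaks seven documented rules.
GOOD_MAP = """(host) [mynode] (config) #crypto-local ipsec-map sf-chi-vpn 100
 src-net 101.1.1.0 255.255.255.0
 dst-net 100.1.1.0 255.255.255.0
 peer-ip 172.16.0.254
 vlan 1
 trusted
!"""

BAD_MAP = """crypto-local ipsec-map bad-map 0
 src-net 10.1.0.0 255.255.255.0
 dst-net 10.2.0.0 255.255.255.0
 peer-ip 192.0.2.1
 peer-fqdn fqdn-id branch.example.net
 set pfs group20
 set security-association lifetime seconds 60
 set transform-set a b c d e
 vlan 4096
!"""

if __name__ == "__main__":
    for label, stanza in (("sf-chi-vpn", GOOD_MAP), ("bad-map", BAD_MAP)):
        print(label, lint_ipsec_map(stanza) or "OK")
```

The parser keeps unknown sub-parameters as raw strings, so a stanza copied from show running-config output still parses; only the keywords the table constrains are checked. The trusted check is included because the NOTE under trusted says traffic does not pass without it, which in practice is the most common reason a freshly built site-to-site map negotiates but carries nothing.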

Understanding Default IKE policies

ArubaOS includes the following default IKE policies. These policies are predefined and cannot be edited.

Table 1: Default IKE Policy Settings

Policy Name | Policy Number | IKE Version | Encryption Algorithm | Hash Algorithm | Authentication Method | PRF Method | Diffie-Hellman Group
Default protection suite | 10001 | IKEv1 | 3DES-168 | SHA 160 | Pre-Shared Key | N/A | 2 (1024 bit)
Default Remote AP Certificate protection suite | 10002 | IKEv1 | AES-256 | SHA 160 | RSA Signature | N/A | 2 (1024 bit)
Default Remote AP PSK protection suite | 10003 | IKEv1 | AES-256 | SHA 160 | Pre-Shared Key | N/A | 2 (1024 bit)
Default Remote AP IKEv2 RSA protection suite | 10004 | IKEv2 | AES-256 | SHA 160 | RSA Signature | hmac-sha1 | 2 (1024 bit)
Default Cluster PSK protection suite | 10005 | IKEv1 | AES-256 | SHA 160 | Pre-Shared Key | Pre-Shared Key | 2 (1024 bit)
Default IKEv2 RSA protection suite | 10006 | IKEv2 | AES-128 | SHA 96 | RSA Signature | hmac-sha1 | 2 (1024 bit)
Default IKEv2 PSK protection suite | 10007 | IKEv2 | AES-128 | SHA 96 | Pre-Shared Key | hmac-sha1 | 2 (1024 bit)
Default Suite-B 128-bit ECDSA protection suite | 10008 | IKEv2 | AES-128 | SHA 256-128 | ECDSA-256 Signature | hmac-sha2-256 | Random ECP Group (256 bit)
Default Suite-B 256-bit ECDSA protection suite | 10009 | IKEv2 | AES-256 | SHA 384-192 | ECDSA-384 Signature | hmac-sha2-384 | Random ECP Group (384 bit)
Default Suite-B 128-bit IKEv1 ECDSA protection suite | 10010 | IKEv1 | AES-GCM-128 | SHA 256-128 | ECDSA-256 Signature | hmac-sha2-256 | Random ECP Group (256 bit)
Default Suite-B 256-bit IKEv1 ECDSA protection suite | 10011 | IKEv1 | AES-GCM-256 | SHA 256-128 | ECDSA-256 Signature | hmac-sha2-256 | Random ECP Group (256 bit)

When using a default IKE (V1 or V2) policy for an IPsec map, the priority number should be the same as the policy number.
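Picking a default policy number for set ike1-policy or set ikev2-policy involves two checks a practitioner wants automated: that the policy's IKE version matches the map's version setting, and whether the suite rests on algorithms that current guidance treats as legacy. The following Python is an added example (not ArubaOS code) that holds Table 1 as data and answers both questions. The legacy classification (3DES, SHA-1-based hashes, 1024-bit Diffie-Hellman group 2) is the editor's judgement rather than a statement from the page, and the two policy numbers the page prints as 1004 and 1006 are entered as 10004 and 10006 to match the five-digit numbering of the other default policies, which is an assumption.

```python
# Table 1 from this page (default IKE policies), keyed by policy number.
# The audit below is an added example, not ArubaOS code. Policy numbers printed
# as 1004 and 1006 on the page are entered as 10004 and 10006 (an assumption).
FIELDS = ("name", "version", "encryption", "hash", "auth", "prf", "dh_group")
DEFAULT_IKE_POLICIES = {
    10001: ("Default protection suite", "v1", "3DES-168", "SHA 160",
            "Pre-Shared Key", "N/A", "2 (1024 bit)"),
    10002: ("Default Remote AP Certificate protection suite", "v1", "AES-256", "SHA 160",
            "RSA Signature", "N/A", "2 (1024 bit)"),
    10003: ("Default Remote AP PSK protection suite", "v1", "AES-256", "SHA 160",
            "Pre-Shared Key", "N/A", "2 (1024 bit)"),
    10004: ("Default Remote AP IKEv2 RSA protection suite", "v2", "AES-256", "SHA 160",
            "RSA Signature", "hmac-sha1", "2 (1024 bit)"),
    10005: ("Default Cluster PSK protection suite", "v1", "AES-256", "SHA 160",
            "Pre-Shared Key", "Pre-Shared Key", "2 (1024 bit)"),
    10006: ("Default IKEv2 RSA protection suite", "v2", "AES-128", "SHA 96",
            "RSA Signature", "hmac-sha1", "2 (1024 bit)"),
    10007: ("Default IKEv2 PSK protection suite", "v2", "AES-128", "SHA 96",
            "Pre-Shared Key", "hmac-sha1", "2 (1024 bit)"),
    10008: ("Default Suite-B 128-bit ECDSA protection suite", "v2", "AES-128", "SHA 256-128",
            "ECDSA-256 Signature", "hmac-sha2-256", "Random ECP Group (256 bit)"),
    10009: ("Default Suite-B 256-bit ECDSA protection suite", "v2", "AES-256", "SHA 384-192",
            "ECDSA-384 Signature", "hmac-sha2-384", "Random ECP Group (384 bit)"),
    10010: ("Default Suite-B 128-bit IKEv1 ECDSA protection suite", "v1", "AES-GCM-128", "SHA 256-128",
            "ECDSA-256 Signature", "hmac-sha2-256", "Random ECP Group (256 bit)"),
    10011: ("Default Suite-B 256-bit IKEv1 ECDSA protection suite", "v1", "AES-GCM-256", "SHA 256-128",
            "ECDSA-256 Signature", "hmac-sha2-256", "Random ECP Group (256 bit)"),
}

# Editorial classification of legacy algorithms; the page itself makes no such claim.
LEGACY_ENCRYPTION = {"3DES-168"}
SHA1_BASED_HASHES = {"SHA 160", "SHA 96"}      # HMAC-SHA1, full and 96-bit truncated
LEGACY_DH_GROUPS = {"2 (1024 bit)"}


def policy(number):
    """Return one default policy as a dict; KeyError for a number not in the table."""
    return dict(zip(FIELDS, DEFAULT_IKE_POLICIES[number]))


def audit_ike_policy(number, map_version):
    """Findings for using default policy `number` on a map whose version is map_version."""
    if number not in DEFAULT_IKE_POLICIES:
        return [f"policy {number} is not a default IKE policy"]
    p = policy(number)
    out = []
    if p["version"] != map_version:
        out.append(f"policy {number} is IKE{p['version']} but the map is version {map_version}")
    if p["encryption"] in LEGACY_ENCRYPTION:
        out.append(f"encryption {p['encryption']} is a legacy cipher")
    if p["hash"] in SHA1_BASED_HASHES:
        out.append(f"hash {p['hash']} is SHA-1 based")
    if p["dh_group"] in LEGACY_DH_GROUPS:
        out.append(f"Diffie-Hellman group {p['dh_group']} is below current key-size guidance")
    return out


def clean_policies(map_version):
    """Default policy numbers that match map_version and raise no findings."""
    return [n for n in sorted(DEFAULT_IKE_POLICIES) if not audit_ike_policy(n, map_version)]


if __name__ == "__main__":
    for number, version in ((10001, "v1"), (10009, "v2"), (10009, "v1")):
        print(number, version, audit_ike_policy(number, version) or "OK")
    print("clean v1:", clean_policies("v1"), "clean v2:", clean_policies("v2"))
```

Run against the table, only the four Suite-B policies (10008-10011) come back clean, which is why the IPv6 example further down this page pairs version v2 with set ikev2-policy 10009 and set pfs group20.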

Examples

The following commands configure a site-to-site VPN between two managed devices:

(host) [mynode] (config) #crypto-local ipsec-map sf-chi-vpn 100
 src-net 101.1.1.0 255.255.255.0
 dst-net 100.1.1.0 255.255.255.0
 peer-ip 172.16.0.254
 vlan 1
 trusted

(host) [mynode] (config) #crypto-local ipsec-map chi-sf-vpn 100
 src-net 100.1.1.0 255.255.255.0
 dst-net 101.1.1.0 255.255.255.0
 peer-ip 172.16.100.254
 vlan 1
 trusted

For a dynamically addressed managed device that initiates IKE Aggressive mode for site-to-site VPN:

(host) [mynode] (config) #crypto-local ipsec-map
 src-net
 dst-net
 peer-ip
 local-fqdn
 vlan
 pre-connect {enable|disable}
 trusted enable

For the Pre-shared-key:

crypto-local isakmp key address netmask

For a static-IP managed device that responds to IKE Aggressive mode for site-to-site VPN:

(host) [mynode] (config) #crypto-local ipsec-map
 src-net
 dst-net
 peer-ip 0.0.0.0
 peer-fqdn fqdn-id
 vlan
 trusted enable

For the Pre-shared-key:

crypto-local isakmp key fqdn

For a static-IP managed device that responds to IKE Aggressive mode for site-to-site VPN with one PSK for all FQDNs:

(host) [mynode] (config) #crypto-local ipsec-map
 src-net
 peer-ip 0.0.0.0
 peer-fqdn any-fqdn
 vlan
 trusted enable

For the pre-shared key for all FQDNs:

crypto-local isakmp key fqdn-any

The following example shows the use of the extended address-range scope:

(host) [mynode] (config) #crypto-local ipsec-map sparta2vesuvius 100
 version v2
 set ikev2-policy 10009
 peer-ipv6 2004::1
 peer-cert-dn "/C=US/ST=HI/L=Camp Smith/O=PACOM/OU=mil/CN=vesuvius.red1.vpn/emailAddress=admin@pacom.mil"
 vlan 202
 src-net-ipv6 2012:: 64
 dst-net-ipv6 2014:: 64
 set transform-set "default-gcm256"
 set pfs group20
 trusted
 set ca-certificate red.ca
 set server-certificate sparta.red.vpn
!

Related Commands

Command

Description

show crypto-local ipsec-map

Displays current IPsec map configurations for site-to-site VPNs.

crypto-local isakmp disable-ipcomp

Globally disables IP compression on all site-to-site VPNs between Mobility Conductor and managed devices by disabling compression from the master/conductor.

Command History

Release

Modification

ArubaOS8.8.0.0

The session-acl sub-parameter was added to the ip access-group parameter.

ArubaOS8.2.0.0

The following parameters were added:

  • enrolled-cert-auth
  • force-tunnel-mode

The following parameter was updated:

  • ip access-group in

ArubaOS8.1.0.0

The any sub-parameter was added to the dst-net and src-net parameters.

The following parameters were added:

  • client-mode
  • load-balance
  • monitor

ArubaOS8.0.0.0

Command introduced.

Command Information

Platforms

License

Command Mode

All platforms

The group19 and group20 PFS options require the Advanced Cryptography (ACR) license. All other parameters are available in the base operating system.

Config mode on Mobility Conductor.