Brocade Mobility RFS Controller System Reference Guide (Supporting software release 5.5.0.0 and later) User Manual

53-1003099-01

Set the following IKEV2 Settings:

DPD KeepAlive

Define the interval (or frequency) for IKE keep alive messages for dead peer detection.
Options include Seconds (10 - 3,600), Minutes (1 - 60) and Hours (1). The default setting is
30 seconds.

DPD Retries

Use the spinner control to define the number of keep alive messages sent to an IPSec VPN
client before the tunnel connection is defined as dead. The available range is from 1 - 100.
The default number of messages is 5.

NAT KeepAlive

Define the interval (or frequency) for NAT keep alive messages for dead peer detection.
Options include Seconds (10 - 3,600), Minutes (1 - 60) and Hours (1). The default setting is
20 seconds.

Cookie Challenge Threshold

Use the spinner control to define the number of half open IKE security associations (SAs)
(from 1 - 100) that, when exceeded, enables the cookie challenge mechanism. This
setting applies exclusively to IKEV2. The default setting is 5.

Crypto NAT Pool

Select the NAT pool used for internal source NAT on IPSec tunnels. NAT is used as an IP
masquerading technique to hide private IP addresses behind a single, public facing, IP
address.

Select OK to save the updates made to the screen. Selecting Reset reverts the screen to its last
saved configuration.

Setting the Profile’s Auto IPSec Tunnel Configuration

Profile Security Configuration

Auto IPSec tunneling provides a secure tunnel between two networked peer controllers or service
platforms and associated Access Points. Administrators can define which packets are sent within
the tunnel, and how they’re protected. When a tunnelled peer sees a sensitive packet, it creates a
secure tunnel and sends the packet through the tunnel to its remote peer destination or associated
Access Point.

Tunnels are sets of security associations (SA) between two peers. SAs define the protocols and
algorithms applied to sensitive packets and specify the keying mechanisms used by tunnelled
peers. SAs are unidirectional and exist in both the inbound and outbound direction. SAs are
established per the rules and conditions of defined security protocols (AH or ESP).

Internet Key Exchange (IKE) protocol is a key management protocol standard used in conjunction
with IPSec. IKE enhances IPSec by providing additional features, flexibility, and configuration
simplicity for the IPSec standard. IKE enables secure communications without time-consuming
manual pre-configuration for auto IPSec tunneling.

To define an Auto IPSec Tunnel configuration that can be applied to a profile:

1. Select the Configuration tab from the Web UI.

2. Select Profiles from the Configuration tab.

3. Select Manage Profiles from the Configuration > Profiles menu.
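The following Python is an added example and not part of the Brocade guide or the product's code: it models the IKEv2 settings table above, enforces the documented ranges, shows how DPD KeepAlive and DPD Retries combine into the worst-case time before a silent peer is declared dead, and shows how the Cookie Challenge Threshold caps half-open IKE SAs. The class names, and the assumptions that one DPD message is sent per interval with no back-off and that a challenged initiator gets no half-open SA allocated, are mine.

```python
from dataclasses import dataclass

# Ranges and defaults as documented in the IKEv2 settings table (constructed lookup, not product code).
INTERVAL_RANGES = {"seconds": (10, 3600), "minutes": (1, 60), "hours": (1, 1)}
TO_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600}


def interval_seconds(value: int, unit: str) -> int:
    """Normalise a keep-alive interval to seconds, rejecting values outside the documented range."""
    lo, hi = INTERVAL_RANGES[unit]
    if not lo <= value <= hi:
        raise ValueError(f"{unit} interval must be {lo}-{hi}, got {value}")
    return value * TO_SECONDS[unit]


@dataclass
class IKEv2Settings:
    """The four numeric IKEv2 settings from the table, with the documented defaults."""
    dpd_keepalive_s: int = 30   # DPD KeepAlive, default 30 seconds
    dpd_retries: int = 5        # DPD Retries, range 1-100, default 5
    nat_keepalive_s: int = 20   # NAT KeepAlive, default 20 seconds
    cookie_threshold: int = 5   # Cookie Challenge Threshold, range 1-100, default 5

    def __post_init__(self) -> None:
        for name in ("dpd_retries", "cookie_threshold"):
            if not 1 <= getattr(self, name) <= 100:
                raise ValueError(f"{name} must be 1-100, got {getattr(self, name)}")

    def dead_peer_timeout_s(self) -> int:
        """Worst-case seconds a silent peer keeps its tunnel before being declared dead.
        Assumption (hypothetical model): one DPD message per interval, no back-off."""
        return self.dpd_keepalive_s * self.dpd_retries


class HalfOpenSATracker:
    """Hypothetical model of how the cookie challenge threshold limits half-open IKEv2 SAs."""
    def __init__(self, threshold: int) -> None:
        self.threshold = threshold
        self.half_open = 0

    def ike_sa_init_received(self) -> bool:
        """Return True when the responder should answer with a stateless cookie challenge
        instead of allocating another half-open SA; False when the SA is created normally."""
        if self.half_open >= self.threshold:
            return True          # threshold would be exceeded: challenge, allocate nothing
        self.half_open += 1
        return False

    def sa_established_or_expired(self) -> None:
        """A half-open SA completed IKE_AUTH or timed out, freeing its slot."""
        self.half_open = max(0, self.half_open - 1)
```

With the defaults, a peer that stops answering is kept for 30 s x 5 = 150 s; shortening either value detects a dead tunnel sooner at the cost of more keep-alive traffic.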