PPTP connections use Microsoft Point-to-Point Encryption (MPPE), which uses the Rivest-Shamir-Adleman (RSA) RC-4 encryption algorithm. The server certificate must be imported into the controller, as described in

You can assign one or more trusted CA certificates to VPN clients. To use this option, you must have created a NAT pool by navigating to the

For XAuth clients, the Phase 1 IKE exchange can be either Main Mode or Aggressive Mode.

Configuration rules include:
A RAP-psk and RAP-cert can only terminate on the same controller if the RAP VPN profile’s AAA server uses Local-db.
If a RAP-psk is using an external AAA server, then the RAP-cert cannot be terminated on the same controller.
Clients can use any type of AAA server irrespective of RAP/CAP authentication configuration server.

Computer-level authentication with a preshared key to create the IPsec security associations (SAs) to protect the L2TP-encapsulated data.
User-level authentication through a PPP-based authentication protocol using passwords, SecureID, digital certificates, or smart cards after successful creation of the SAs.

Use the following procedures to use the WebUI to configure a remote access VPN for L2TP IPsec.

Use dedicated form factors with added wired ports – or any Aruba AP. Complete your IAP-VPN, Aruba VIA and RAP deployments with an Aruba gateway or controller set up as a VPN concentrator (VPNC).

Make sure that the group name matches the group name configured in the VPN client software. You can specify a single server certificate for VPN clients. In case the Aruba dialer is used, these configurations need to be made on the dialer prior to downloading the dialer onto the local client. Make sure that this key matches the key on the client. The IKE policy selections, along with the preshared key, need to be reflected in the VPN client configuration.

Renewable 2x up to 90 days. Strengthen your contingency and business continuity plans with this limited-time Remote Access Point (RAP) license offer.


Here, the VPN tunnels from the Instant APs terminate on the Aruba Mobility Controller. The client is authenticated with the internal database on the controller.

On the controller, you need to configure the following:
Entries for Cisco VPN XAuth clients in the controller’s internal database. For each client, you need to create an entry in the internal database with the entire Principal name (SubjectAltname in X.509 certificates) or Common Name as it appears on the certificate.
VPN authentication default profile which defines the internal authentication server group and the default role assigned to authenticated clients.
Disable XAuth to disable prompting for the username and password (user credentials are extracted from the smart card).
Server certificate to authenticate the controller to clients. You must install server and CA certificates in the controller, as described in
IKE policy for RSA (certificate-based) authentication of the SA.

The following procedure describes the steps to configure VPN for Cisco Smart Card Clients via the WebUI:

Next, configure client entries in the internal database:

The following procedure describes the steps to configure VPN for Cisco Smart Card Clients via the CLI:

Enter the following command in enable mode to configure client entries in the internal database:

local-userdb add username password

This section describes how to configure a remote access VPN on the controller for Cisco VPN XAuth clients using passwords. The trusted CA certificate must be imported into the controller, as described in

You can configure a global IKE key or configure an IKE key for each subnet.

ppp authentication {cache-securid|chap|eap|mschap|mschapv2|pap}

This section describes how to configure a remote access VPN on the controller for Microsoft L2TP/IPsec clients with smart cards. Aruba controllers can use IKEv1 or IKEv2 to establish a site-to-site VPN between another Aruba controller or between that controller and third-party remote client devices.
(A smart card contains a digital certificate which allows user-level authentication without the user entering a username and password.) In case the Aruba dialer is used, these configurations need to be made on the dialer prior to downloading the dialer onto the local client.

Use the following procedures to use the command-line interface to configure a remote access VPN for L2TP IPsec.

And take advantage of unified policy enforcement and role-based access control.

strongSwan® 4.3 devices can use IKEv2 to support authentication using RSA or ECDSA certificates, Suite-B …

As described previously in this section, L2TP/IPsec requires two levels of authentication: first, IKE SA authentication, and then user-level authentication with the PAP authentication protocol. IKE SA is authenticated with a preshared key, which you must configure as an IKE shared secret on the controller.

You can configure the controller for the following types of VPNs:
Remote access VPNs allow hosts (for example, telecommuters or traveling employees) to connect to private networks (for example, a corporate network) over the Internet.

All traffic for the other network is sent and received through a VPN gateway which encapsulates and encrypts the traffic.

Before enabling VPN authentication, you must configure the following:
The default user role for authenticated VPN clients.

PPTP connections require user-level authentication through a PPP-based authentication protocol (MSCHAPv2 is the currently supported method).

An Aruba controller supports the following IKE SA authentication methods for site-to-site VPNs:
Preshared key: the same IKE shared secret must be configured on both the local and remote sites.
Certificate-based authentication is only supported for site-to-site VPN between two controllers with static IP addresses.

ArubaOS supports site-to-site VPNs with two statically addressed controllers, or with one static and one dynamically addressed controller.