ACM VPN Configuration
Rev 3 Nov 17
31
4119855
To provision the tunnel, use the following commands:
set vpn ipsec site-to-site peer any authentication mode x509
set vpn ipsec site-to-site peer any authentication x509 ca MyCA
set vpn ipsec site-to-site peer any authentication x509 host MyHostCert
set vpn ipsec site-to-site peer any authentication id "C=CA, ST=BC, O=InMotion, OU=eng, CN=<your common name>"
set vpn ipsec site-to-site peer any autofirewall yes
set vpn ipsec site-to-site peer any ike-group <groupname>
set vpn ipsec site-to-site peer any local-ip <ACM IP>
set vpn ipsec site-to-site peer any tunnel 1 esp-group <groupname>
set vpn ipsec site-to-site peer any tunnel 1 local subnet <0.0.0.0/0 or enterprise subnet>
set vpn ipsec site-to-site peer any tunnel 1 remote-source-ip <the IP pool>
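A pre-commit check for a filled-in copy of the command block above, added here as an example; it is not part of the ACM documentation and relies only on the `set vpn ipsec site-to-site peer any ...` syntax shown on this page. The sample values (ACM IP 203.0.113.10, client pool 192.0.2.0/24, enterprise subnet 10.10.0.0/16, group names IKE-ACM and ESP-ACM, the CN) are constructed, and the checks it performs (no unfilled `<placeholder>` tokens, every setting from the block present, addresses and traffic selectors that parse, an x509 identity that is a well-formed DN with a CN, plus a note when the local subnet is 0.0.0.0/0) are an assumed lint, not ACM behaviour.

```python
# Pre-commit lint for a filled-in ACM site-to-site VPN command block.
# Constructed example, not part of the ACM documentation: it relies only on the
# 'set vpn ipsec site-to-site peer any ...' syntax shown on the page, and the
# checks are an assumed lint, not ACM behaviour.
import ipaddress
import re
import shlex

PREFIX = "set vpn ipsec site-to-site peer any "
PLACEHOLDER = re.compile(r"<[^<>]*>")
# Settings the page's command block sets, keyed by the path that follows PREFIX.
REQUIRED = ("authentication mode", "ike-group", "local-ip", "tunnel 1 esp-group",
            "tunnel 1 local subnet", "tunnel 1 remote-source-ip")
# Extra settings an x509 peer needs (CA name, host certificate name, identity DN).
X509_REQUIRED = ("authentication x509 ca", "authentication x509 host", "authentication id")

# Constructed sample: the page's commands with sample values (documentation IPs).
SAMPLE_CONFIG = """\
set vpn ipsec site-to-site peer any authentication mode x509
set vpn ipsec site-to-site peer any authentication x509 ca MyCA
set vpn ipsec site-to-site peer any authentication x509 host MyHostCert
set vpn ipsec site-to-site peer any authentication id "C=CA, ST=BC, O=InMotion, OU=eng, CN=acm.example.net"
set vpn ipsec site-to-site peer any autofirewall yes
set vpn ipsec site-to-site peer any ike-group IKE-ACM
set vpn ipsec site-to-site peer any local-ip 203.0.113.10
set vpn ipsec site-to-site peer any tunnel 1 esp-group ESP-ACM
set vpn ipsec site-to-site peer any tunnel 1 local subnet 10.10.0.0/16
set vpn ipsec site-to-site peer any tunnel 1 remote-source-ip 192.0.2.0/24
"""


def parse_config(text):
    """Map each 'set ... peer any <path> <value>' line to {path: value}.
    shlex keeps the quoted identity DN together as one value token."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith(PREFIX):
            continue
        tokens = shlex.split(line[len(PREFIX):])
        if len(tokens) >= 2:  # a path with no value is left out (reported as missing)
            settings[" ".join(tokens[:-1])] = tokens[-1]
    return settings


def parse_dn(dn):
    """Split 'C=CA, ST=BC, CN=host' into an ordered list of (attribute, value) pairs."""
    pairs = []
    for part in dn.split(","):
        attr, sep, value = part.partition("=")
        attr, value = attr.strip(), value.strip()
        if not sep or not attr or not value:
            raise ValueError("malformed DN component: %r" % part.strip())
        pairs.append((attr, value))
    return pairs


def lint_config(text):
    """Return {'errors': [...], 'notes': [...]}; no errors means the block is ready to commit."""
    errors, notes = [], []

    # 1. Every <placeholder> from the template must have been replaced.
    for lineno, line in enumerate(text.splitlines(), 1):
        for hit in PLACEHOLDER.findall(line):
            errors.append("line %d: unfilled placeholder %s" % (lineno, hit))

    cfg = parse_config(text)

    # 2. Every setting the page's block configures must be present.
    missing = [k for k in REQUIRED if k not in cfg]
    if cfg.get("authentication mode") == "x509":
        missing += [k for k in X509_REQUIRED if k not in cfg]
    errors += ["missing setting: " + k for k in missing]

    # 3. The ACM address must parse; both traffic selectors must be proper networks.
    if "local-ip" in cfg:
        try:
            ipaddress.ip_address(cfg["local-ip"])
        except ValueError:
            errors.append("local-ip is not an IP address: " + cfg["local-ip"])
    for key in ("tunnel 1 local subnet", "tunnel 1 remote-source-ip"):
        if key not in cfg:
            continue
        try:
            net = ipaddress.ip_network(cfg[key], strict=True)
        except ValueError:
            errors.append("%s is not a valid network: %s" % (key, cfg[key]))
            continue
        if key == "tunnel 1 local subnet" and net.prefixlen == 0:
            notes.append("local subnet 0.0.0.0/0: all client traffic is sent through "
                         "the tunnel, not only the enterprise subnet")

    # 4. The x509 identity must be a well-formed DN that names a CN.
    if "authentication id" in cfg:
        try:
            dn = parse_dn(cfg["authentication id"])
        except ValueError as exc:
            errors.append("authentication id: %s" % exc)
        else:
            if not any(attr == "CN" for attr, _ in dn):
                errors.append("authentication id has no CN component")

    return {"errors": errors, "notes": notes}


if __name__ == "__main__":
    result = lint_config(SAMPLE_CONFIG)
    for kind in ("errors", "notes"):
        for msg in result[kind]:
            print("%s: %s" % (kind[:-1].upper(), msg))
    print("clean" if not result["errors"] else "fix the errors before committing")
```

Run it against the sample and it reports `clean`; paste the template with a `<groupname>` still in place, or with `local subnet 0.0.0.0/0`, and it reports the unfilled placeholder as an error and the full-tunnel selector as a note, which is the distinction a reviewer wants before the configuration is committed.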
EAP Authentication
Important:
IPSec VPN IKEv2 EAP authentication is supported only for NCP Client for Windows connecting with non-FIPS ACMs. It is NOT supported on AirLink gateways/routers.
If using a non-FIPS ACM, EAP authentication can optionally be used for NCP Client for Windows.
ACM 1.6 and above support using EAP for IKEv2 to authenticate the client to the server with EAP-TLS and EAP-MD5.
• If EAP authentication is selected, then the NCP Client uses a username and password (or a certificate) to authenticate itself to a RADIUS server inside the enterprise network.
• If EAP is not used, then the IKEv2 authentication mode uses a PSK or certificate.
Note: The ACM always authenticates itself to the NCP Client using a pre-shared key or certificate.
The following describes the server-side steps to configure EAP authentication. For client-side configuration, refer to the AirLink Connection Manager Configuration Guide for NCP Client.