ExtremeCloud SD-WAN Configuring the Network Policy 19
•DH Group (PFS only): drop-down list to choose the Diffie-Hellman group: 1 (768-bit), 2
(1024-bit) or 5 (1536-bit), 14, 19, 20, 21, 24 and PFS disabled (PFS ensures that the same key
will not be generated again, so forces a new Diffie-Hellman key exchange. Both sides of
VPN should support PFS in order for PFS to work. Therefore using PFS provides a more
secure VPN connection),
•SA lifetime (seconds) Security Association lifetime (86,400 s that is: 24 hours by default;
mandatory). The authorized range of values is [120 -172800],
•Lifebytes (kbytes) - optional: number of kilobytes sent through the tunnel before it is
renewed; the tunnel is renewed after the SA lifetime period of after the Lifebytes period,
whichever expires first. Valid values are in the range [5120 - 2147483648 kbytes],
•MTU (bytes): maximum number of bytes loaded in the Payload. The default value is 1400.
This value applies to all IPsec tunnels.
4Click Save.
Your new overlay is displayed in the Overlays section of the Policy Configuration
window. Click any overlay to edit its parameters. Use View All if you want to delete
any overlay(s).
Apply the Hub & Spoke Overlay to the Appliances
1From the main menu, select Appliances.
2Select the Spoke appliance and the WAN tab.
3Select the appropriate WAN interface in Router mode and from the Overlay list, select the
Hub & Spoke overlay that will establish the VPN tunnel. Click Done.
4Select the Hub appliance and the WAN tab.
5Select the appropriate WAN interface in Router mode and apply the same Hub & Spoke
overlay as for the Spoke appliance.
6Click Done. The tunnel is created.
Create an External VPN Gateway Overlay
This section describes how to configure an external gateway from a site appliance over
the Internet. The basic procedure for defining an external gateway consists of the
following steps:
•Identifying the external gateway
•Defining the Public IP addresses of both the VPN Gateway and the Branch Office
appliance it is connected to. The IP addresses of the tunnel termination interfaces are
also required.
•Defining how the traffic is routed through the tunnel by using subnet information (static
configuration) or BGP (dynamic configuration).
•Defining the IPSec tunnel parameters.
User Guide 3 Onboarding