Manage Network Interface Profiles

A network interface profile represents the tunnel through which network traffic from the configured SSIDs can be routed to a remote endpoint. The remote endpoint then reroutes this traffic to its respective path or destination. A network interface profile is used to configure Ethernet over GRE (EoGRE) and EoGRE over IPSec settings.

EoGRE

Generic Routing Encapsulation (GRE) is a tunneling protocol that can encapsulate a variety of network layer protocols inside virtual point-to-point links over an IP network. EoGRE provides the ability to set up one or more tunnels from the AP to an aggregating device. Traffic from one or multiple SSIDs can be channeled through these tunnels.

Diagram of an EoGRE tunnel

For detailed information on how to set up a GRE tunnel in Wi-Fi Cloud, see Configure an EoGRE tunnel from a WatchGuard Wi-Fi Cloud AP to a GRE endpoint.

EoGRE over IPSec

You can also use IPSec with EoGRE to add encryption for the encapsulated data and provide a secure and flexible VPN solution. IPsec adds an extra layer of security to the GRE packets to protect a client's sensitive information against eavesdropping or modification. EoGRE over IPSec is supported in either Tunnel or Transport mode. Security for the GRE packets is established in these phases:

  • Phase I: This phase describes different security mechanisms used to authenticate and validate the keys shared between the endpoints.
  • Phase II: This phase describes different methods to encrypt the payload of the packet, to provide a high level of privacy, confidentiality and security from spoofing or any possible threat of tampering.

For detailed information on how to set up EoGRE over IPSec, see Configure EoGRE over IPSec in Wi-Fi Cloud.

When you configure network interface profiles, you can specify a primary endpoint and a secondary endpoint. The wireless traffic is bridged to the secondary endpoint if the primary endpoint fails. The secondary endpoint is optional and is functional only if you enable a secondary endpoint and configure the host name and local endpoint VLAN for the secondary endpoint.

The secondary endpoint checks for the availability of the primary endpoint and transfers control to the primary endpoint when it is up and running.

A network interface profile must be attached to an SSID profile when you enable remote bridging on the SSID profile.

Add Network Interface Profile

To add a network interface profile:

  1. Select Configuration > Device Configuration > Network Interfaces.
  2. Click Add Network Interface Profile.
  3. Define the values for the network interface profile fields.

Field

Description

Profile Name

Name of the network interface profile. The maximum length is 260 bytes.

Tunnel Type

Select Tunnel Type as Ethernet over GRE or EoGRE over IPSec.

Primary Endpoint Parameters

Remote Endpoint (IP Address /Hostname)

The IP address of the primary remote server or endpoint. Keep this text box clear if you want to use the NTP server IP address (from DHCP option 42) as the remote endpoint.

Local Endpoint VLAN

The VLAN ID through which the AP will form a tunnel to the remote endpoint. The value must be between 0 and 4094. The Remote Endpoint must be reachable through this VLAN.

Secondary Endpoint Related Parameters

Enable Secondary Endpoint

The secondary endpoint is the remote endpoint to which wireless traffic is diverted if the primary endpoint goes down. Select this check box if you want to enable a secondary endpoint.

Remote Endpoint (IP Address)

The IP address of the secondary remote server or endpoint. Keep this text box clear if you want to use the NTP server IP address (from DHCP option 42) as the remote endpoint.

Local Endpoint VLAN

The secondary VLAN ID through which the wireless network traffic is to be routed. The value must be between 0 and 4094. The Remote Endpoint must be reachable through this VLAN.

Network Probe Interval

The interval, in seconds, after which the AP checks connectivity with the remote endpoint by sending a ping request packet. The value must be between 10 and 3600. The interval must be a multiple of 10.

Network Ping Retry Count

Count of ping request packets that the AP sends to the remote endpoint. The default value is 3.

Network Ping Timeout

Time, in seconds, that the AP waits for a ping reply. The default value is 60 seconds.

Prefer Primary Tunnel over Secondary Tunnel

Select the check box if you want the AP to check for the availability of the primary tunnel. If the check box is not selected and the primary tunnel is down, the AP continues to operate on the secondary tunnel.

EoGRE settings

GRE Primary Key

Key in the primary endpoint GRE header. If configured, the key must be the same at both ends of the tunnel. It is not mandatory to configure a key for the GRE tunnel.

GRE Secondary Key

Key in the secondary endpoint GRE header. If configured, the key must be the same at both ends of the tunnel. It is not mandatory to configure a key for the GRE tunnel.

EoGRE over IPSec settings

Remote Endpoint (IP Address)

Type the IP address of the remote endpoint.

Mode

The available modes are:

  • Tunnel Mode: Encrypts the entire IP header of the original packet. IPSec wraps the EoGRE packet, encrypts it, adds a new set of IP headers (ESP header) and sends it across the VPN tunnel.
  • Transport Mode (default): In Transport mode, only the payload and the Encapsulating Security Payload (ESP) trailer are encrypted. The IP header of the original packet is not encrypted.

Enable virtual IP address support

If enabled in Tunnel Mode, the system assigns a virtual IP address to the AP to create a tunnel.

Phase 1 parameter

IKE Settings

  • Lifetime/IKE keep alive: Internet Key Exchange (IKE) keep alive is the time (in hours) for which the generated keys remain active. After the specified time, new keys are generated and shared between the endpoints.
  • Aggressive Negotiation Mode: Enables a quick negotiation of IKE keys between the endpoints. If enabled, only three packets are exchanged to set up a security association. If disabled (normal mode), six packets are exchanged before a tunnel is created. This mode is available only if IKE version 1 is selected.

IKE Versions

IKE (Internet Key Exchange) version 1 or version 2 (default).

AP Authentication Method

A list of methods used to authenticate an AP. The available options are:

  • PSK: A pre-shared key (PSK) is a single secret key shared among the endpoints.
  • XAUTH: Extended Authentication (XAUTH) validates endpoints using user credentials (username and password).
  • EAP: Extensible Authentication Protocol is a protocol where an authentication server (RADIUS) is used to verify the identity of the APs.

Identifier

Type a unique name to identify an AP endpoint. If blank, the local VLAN endpoint IP address is used as the identifier.

PSK key input

Type a pre-shared key. Available only if PSK is selected.
Username

Name of the user. This option is not available if PSK is selected.

Password

Type a password. This option is not available if PSK is selected.

EAP method

Methods used to authenticate an AP. The available options are:

  • MD5 (eap-md5)
  • PEAP (eap-peap)
  • MSCHAPv2

This option is available only if EAP is selected.

AAA Identity

AAA (authentication, authorization and accounting) controls access to APs, enforces policies, and accounts for device usage for effective network security. Type the identity of the RADIUS server. This option is available only if EAP is selected.
Remote Authentication Method

A list of methods used to authenticate an endpoint. The available options are:

  • PSK
  • Public Key Authentication

Identifier

Type a unique name to identify a remote endpoint.
PSK key input

Type a pre-shared key. This option is not available if IKE Version 1 is selected with PSK as the AP Authentication Method.

Public Key Authentication

Select this option to exchange a public key between endpoints to authenticate each endpoint's identity. The public keys are exchanged in messages that contain a digital certificate. Click Set certificate to apply a digital signature on the generated keys.

Phase 1 Combination of Cipher

Cipher Algorithm

Specify the algorithm to use to encrypt the data packets traversing through the VPN tunnel. These algorithms are supported:

  • aes
  • aes (gcm128) (Valid for IKE version 2 only)

Cipher Length

Type the length of the key in bits. Longer keys provide greater security.

Hash Algorithm

Specify the algorithm to use to authenticate the message sent through the VPN tunnel. These algorithms are supported:

  • sha 1
  • sha2_256
  • sha2_384
  • sha2_512
  • aesxcbc (IKEv2 only)

DH Group

Select the Diffie-Hellman group algorithm from the available options.

Phase II parameter

Payload Encryption

Life time/Phase two keep alive

IKE keep alive is the time (in hours) for which the generated keys remain active. After this time period, new keys are generated and shared between the endpoints.

Phase 1 Combination of Cipher

ESP

ESP (Encapsulating Security Payload) encrypts the entire packet and provides the ability to authenticate senders and keep data private.

AH

AH (Authentication Header) provides message authentication only. AH lets the receiver verify that the message is intact and unaltered, but it does not encrypt the message on its own. Packets are authenticated using a checksum created with a hash-based message authentication code (HMAC) and a key.
Cipher Algorithm

Specify the algorithm used to encrypt the data packets traversing through the VPN tunnel. These algorithms are supported:

  • aes
  • aes(gcm128) (Valid for IKE version 2 only)
Cipher Length

Type the length of the key in bits. Longer keys provide greater security.

Hash Algorithm

Specify the algorithm to use to authenticate the message sent through the VPN tunnel. These algorithms are supported:

  • sha 1
  • sha2_256
  • sha2_384
  • sha2_512
  • aesxcbc (IKEv2 only)

DH Group

Select the Diffie-Hellman group algorithm from the available options.

  4. Click Save.
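As an added example that is not WatchGuard documentation or product code, the checker below encodes the field constraints stated in the table above (name length, VLAN range, probe interval, the secondary-endpoint requirement and the IKE-version restrictions on aggressive mode, aes (gcm128) and aesxcbc) so a profile can be reviewed before you click Save; the Profile field names are assumptions, not the Wi-Fi Cloud API.

```python
# Added example, not WatchGuard Wi-Fi Cloud code: field names are assumed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class Profile:
    name: str
    tunnel_type: str                 # "Ethernet over GRE" or "EoGRE over IPSec"
    primary_vlan: int                # local endpoint VLAN for the primary tunnel
    secondary_enabled: bool = False
    secondary_endpoint: str = ""     # host name of the secondary endpoint
    secondary_vlan: Optional[int] = None
    probe_interval: int = 10         # seconds between connectivity probes
    ike_version: int = 2
    aggressive_mode: bool = False
    cipher: str = "aes"              # "aes" or "aes (gcm128)"
    hash_alg: str = "sha2_256"
    ap_auth: str = "PSK"             # "PSK", "XAUTH" or "EAP"
    psk: str = ""
    mode: str = "Transport"          # "Tunnel" or "Transport"
    virtual_ip: bool = False

def validate(p: Profile) -> list:
    """Return the constraint violations; an empty list means the profile is consistent."""
    errs = []
    if not p.name or len(p.name.encode("utf-8")) > 260:
        errs.append("profile name must be 1..260 bytes")
    if p.tunnel_type not in ("Ethernet over GRE", "EoGRE over IPSec"):
        errs.append("unknown tunnel type")
    if not 0 <= p.primary_vlan <= 4094:
        errs.append("primary local endpoint VLAN must be 0..4094")
    if p.secondary_enabled:
        if not p.secondary_endpoint or p.secondary_vlan is None:
            errs.append("secondary endpoint needs a host name and a local endpoint VLAN")
        elif not 0 <= p.secondary_vlan <= 4094:
            errs.append("secondary local endpoint VLAN must be 0..4094")
    if not (10 <= p.probe_interval <= 3600 and p.probe_interval % 10 == 0):
        errs.append("network probe interval must be 10..3600 and a multiple of 10")
    if p.tunnel_type == "EoGRE over IPSec":
        if p.aggressive_mode and p.ike_version != 1:
            errs.append("aggressive negotiation mode is available with IKE version 1 only")
        if p.cipher == "aes (gcm128)" and p.ike_version != 2:
            errs.append("aes (gcm128) is valid for IKE version 2 only")
        if p.hash_alg == "aesxcbc" and p.ike_version != 2:
            errs.append("aesxcbc is valid for IKE version 2 only")
        if p.ap_auth == "PSK" and not p.psk:
            errs.append("PSK authentication requires a pre-shared key")
        if p.virtual_ip and p.mode != "Tunnel":
            errs.append("virtual IP address support applies to Tunnel mode only")
    return errs
```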

Change Location for Network Interface Profile

To move the network interface profile to another location:

  1. Select Configuration > Device Configuration > Network Interfaces.
  2. Select the location where the network interface profile has been defined.
  3. Select the check box for the network interface that you want to move to another location.
  4. Click the Change location icon.
  5. Select the new location and click OK.

Print Network Interface Profile

To print the network interface profile list for a location:

  1. Select Configuration > Device Configuration > Network Interfaces.
  2. Select the location for which you want to print the network interface profiles list.
  3. Select the columns that you want in the printed list.
  4. Click the Print icon.
    The print preview of the network interface profiles list appears.
  5. Click Print.

Search Network Interface Profiles

You can filter the network interface profiles list based on the profile name or tunnel type.

To filter a network interfaces profiles list:

  1. Select Configuration > Device Configuration > Network Interfaces.
  2. Type the search filter in the Quick Search box.
    You may enter the profile name or the tunnel type to filter the network interface profile data.
  3. Press the Enter key.
    The network interface profiles matching the search filter criteria are displayed in the list.

To select the columns to be made visible on the Network Interfaces page:

  1. Select Configuration > Device Configuration > Network Interfaces.
  2. Click a column heading.
  3. Click the down arrow.
  4. Select the Columns option from the menu that appears.
  5. Select the check boxes for the individual columns that are to be made visible on the Network Interfaces page.

Delete Network Interface Profile

To delete a network interface profile:

  1. Select Configuration > Device Configuration > Network Interfaces.
  2. Select the location where you want to delete the network interface profile.
  3. Select one or more network interface profiles to delete and click the Delete icon in the toolbar.
  4. Click Yes.
