Aruba Instant & Cloud Wi-Fi

Occasional Contributor I
Posts: 8
Registered: ‎11-24-2014

Controller IAP VPN routing

Hello group,

I'm a bit lost at the moment ;-)

I'm trying to get an IAP105 to connect over the internet in Local mode to an OAW4030 controller via Aruba IPsec VPN (split tunnelling).
I configured the IAP for VPN, the Wi-Fi network and a local DHCP scope, and configured the controller with the IAP user and the whitelist-db rap entry.

The VPN tunnel is *Up* and I can ping from a Wi-Fi connected laptop to the internet; I can also
ping the controller's internal IP address 192.168.13.253/24 over the tunnel.
I can even SSH into the controller's internal IP address; the log shows that I logged in from the SNAT address I got from the controller. The controller's web page also works on that IP address in the browser!

That looks very nice, but I can only reach the controller IP address!

 

If I want to ping another system (192.168.13.2) in the same subnet as the controller IP, the controller will not route the traffic to the subnet. I ran tcpdump on that system, but no ICMP echo packets reach it.

On the "show interface vlan 13" the interface shows "Routing interface is enable, Forwarding mode is enable".

Why is the controller not routing in the 192.168.0.0/16 network?

OAW-IAP105, Version 6.4.3.1
OAW-4030, Version 6.4.3.3

 

With kind regards,

Fred Krom.

 

Occasional Contributor I
Posts: 9
Registered: ‎12-10-2014

Re: Controller IAP VPN routing

Fred,

 

Does the IAP mac address appear on the controller's cli if you issue the show iap table command?

 

Also, is the IAP managed by AirWave or Central? If not, you have to issue the following commands:

 

iap trusted-branch-db allow-all

or

iap trusted-branch-db add mac-address <mac-address>

 

I have recently had a problem similar to yours that was fixed by this method.

 

Let me know if that helps!

 

Ben

Occasional Contributor I
Posts: 8
Registered: ‎11-24-2014

Re: Controller IAP VPN routing


Hi Ben,

 

Thanks for answering!

 

Yes, I played with it for some time and found the command you mention.
The output looks OK to me; I'll add it to this message.

 

The controller is a live production system with some campus APs connected to it; the IAP is a single device and I did the configuration by hand (GUI & CLI) without using AirWave.

 

Because traffic from the Wi-Fi laptop to the controller IP address is possible, I suspect something in the controller routing (datapath). I'm using static routing; OSPF is not used.

 

I will try "iap trusted-branch-db allow-all" this evening to see if that makes a difference.

 

(OAW-4030) #show iap trusted-branch-db

Trusted Branch Validation: Enabled
IAP Trusted Branch Table
------------------------
Branch MAC
----------
24:de:c6:XX:Xf:51

 

(OAW-4030) #show iap table
Trusted Branch Validation: Enabled
IAP Branch Table
----------------
Name VC MAC Address Status Inner IP Assigned Subnet Assigned Vlan
---- -------------- ------ -------- --------------- -------------
AP105 24:de:c6:XX:Xf:51 UP 192.168.224.126

 

(OAW-4030) #ping 192.168.224.126
Press 'q' to abort.
Sending 5, 92-byte ICMP Echos to 192.168.224.126, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 18.493/18.689/18.936 ms
 

Fred

 

MVP
Posts: 1,418
Registered: ‎10-25-2011

Re: Controller IAP VPN routing

Do you have any routing rules created on the IAP to direct 192.168 traffic to corporate?
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Occasional Contributor I
Posts: 8
Registered: ‎11-24-2014

Re: Controller IAP VPN routing


Yes, I created this first:

 

routing-profile
  route 192.168.0.0 255.255.0.0 192.168.13.253

 

and later tested it with:

 

routing-profile
  route 192.168.13.0 255.255.255.0 192.168.13.253

 

Maybe also important:

 

(OAW-4030) #show ip route

Codes: C - connected, O - OSPF, R - RIP, S - static
M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch

Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
Gateway of last resort is 212.203.27.1 to network 0.0.0.0 at cost 20
S* 0.0.0.0/0 [20/0] via 212.203.27.1*
S 10.0.0.0/8 [10/0] via 192.168.13.254*
S 172.16.0.0/12 [10/0] via 192.168.13.254*
S 192.168.0.0/16 [10/0] via 192.168.13.254*
C 192.168.13.0/24 is directly connected, VLAN13
C 10.0.4.0/22 is directly connected, VLAN540
C 192.168.11.0/24 is directly connected, VLAN11
C 192.168.4.0/23 is directly connected, VLAN4
C 192.168.7.0/24 is directly connected, VLAN7
C 212.203.27.0/25 is directly connected, VLAN500
C 192.168.224.126/32 is an ipsec map 89.99.104.xxx-192.168.224.126

 

(OAW-4030) #show interface vlan 13

VLAN13 is up line protocol is up
Hardware is CPU Interface, Interface address is 00:0B:86:xx:x1:A7 (bia 00:0B:86:xx:x1:A7)
Description: 802.1Q VLAN
Internet address is 192.168.13.253 255.255.255.0
IPv6 Router Advertisements are disabled
Routing interface is enable, Forwarding mode is enable
Directed broadcast is disabled, BCMC Optimization disabled ProxyARP disabled Suppress ARP enable
Encapsulation 802, loopback not set
MTU 1500 bytes
Last clearing of "show interface" counters 8 day 15 hr 42 min 27 sec
link status last changed 8 day 15 hr 40 min 32 sec
Proxy Arp is disabled for the Interface

 

Fred

 

MVP
Posts: 1,418
Registered: ‎10-25-2011

Re: Controller IAP VPN routing

Have you tried setting the gateway of the route to the public IP instead of the private one?
Pasquale Monardo | Senior Network Solutions Consultant
ACDX #420 | ACMP
[If you found my post helpful, please give kudos!]
Occasional Contributor I
Posts: 8
Registered: ‎11-24-2014

Re: Controller IAP VPN routing

Hi Pasquale,

That is an interesting suggestion!

I will try it this evening to see if it works.

 

Fred

 

Occasional Contributor I
Posts: 8
Registered: ‎11-24-2014

Re: Controller IAP VPN routing


Hi Pasquale,

 

I changed the routing-profile to:

routing-profile
  route 192.168.13.0 255.255.255.0 212.203.27.xxx
  route 10.0.0.0 255.255.252.0 212.203.27.xxx

 

The effect is the same: still only 192.168.13.253 is reachable (ping, SSH and HTTPS).

 

The DHCP setting used is this one:

ip dhcp VLAN20
  server-type Local
  server-vlan 20
  subnet 192.168.20.0
  subnet-mask 255.255.255.0
  lease-time 2700
  dns-server 208.67.222.222,208.67.220.220

 

Fred

 

-------------------------------------------------------------------------

I collected some command output on the VC and the controller.


OAW-IAP105, Version 6.4.3.1
OAW-4030, Version 6.4.3.3

----------------------------------------------------------------------------------
-- VC:
----------------------------------------------------------------------------------

24:de:c6:xx:xf:51# show ip route
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
212.203.27.xxx 192.168.0.1 255.255.255.255 UGH 0 0 0 br0
192.168.13.253 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.20.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.0.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
0.0.0.0 192.168.0.1 0.0.0.0 UG 0 0 0 br0

 

24:de:c6:xx:xf:51# show ip interface
Interface IP Address / IP Netmask Admin Protocol
br0 192.168.0.2 / 255.255.255.0 up up

 

24:de:c6:xx:xf:51# show datapath acl-rule ict
Datapath SSID: ict ACL Entries
----------------------------------------------------------------
Flags: P - permit, L - log, E - established, M/e - MAC/etype filter
S - SNAT, D - DNAT, R - redirect, r - reverse redirect m - Mirror
I - Invert SA, i - Invert DA, H - high prio, O - set prio, C - Classify Media
A - Disable Scanning, B - black list, T - set TOS, t - time based, o - tunnel only
K - App Throttle, s - Domain SA, d - Domain DA, 4 - IPv4, 6 - IPv6
----------------------------------------------------------------
ACL Name {ict 0} Number {130}
1: any any 17 0-65535 8209-8211 P4
2: 192.168.20.0 255.255.255.0 192.168.13.0 255.255.255.0 any 192.168.224.127 PS4 hits 340
3: 192.168.20.0 255.255.255.0 10.0.0.0 255.255.252.0 any 192.168.224.127 PS4 hits 1
4: 192.168.20.0 255.255.255.0 192.168.20.0 255.255.255.0 any P4 hits 325
5: 192.168.20.0 255.255.255.0 224.0.0.0 224.0.0.0 any P4 hits 460
6: 192.168.20.0 255.255.255.0 any any masterip PS4 hits 3076
7: any any any P4 hits 67
----------------------------------------------------------------
ACL Name {ict 1} Number {131}
1: any any 17 0-65535 8209-8211 P4
2: 192.168.20.0 255.255.255.0 192.168.13.0 255.255.255.0 any 192.168.224.127 PST4
3: 192.168.20.0 255.255.255.0 10.0.0.0 255.255.252.0 any 192.168.224.127 PST4
4: 192.168.20.0 255.255.255.0 192.168.20.0 255.255.255.0 any PT4
5: 192.168.20.0 255.255.255.0 224.0.0.0 224.0.0.0 any PT4
6: 192.168.20.0 255.255.255.0 any any masterip PST4
7: any any any PT4
----------------------------------------------------------------
24:de:c6:xx:xf:51#

 

routing-profile
  route 192.168.13.0 255.255.255.0 212.203.27.xxx
  route 10.0.0.0 255.255.252.0 212.203.27.xxx

 

ip dhcp VLAN20
  server-type Local
  server-vlan 20
  subnet 192.168.20.0
  subnet-mask 255.255.255.0
  lease-time 2700
  dns-server 208.67.222.222,208.67.220.220


----------------------------------------------------------------------------------
-- Controller:
----------------------------------------------------------------------------------

(OAW-4030) #show iap trusted-branch-db

Trusted Branch Validation: Enabled
IAP Trusted Branch Table
------------------------
Branch MAC
----------
24:de:c6:xx:xf:51

 

(OAW-4030) #show whitelist-db rap


AP-entry Details
----------------
Name AP-Group AP-Name Full-Name Authen-Username Revoke-Text AP_Authenticated Description Date-Added Enabled Remote-IP
---- -------- ------- --------- --------------- ----------- ---------------- ----------- ---------- ------- ---------
24:de:c6:xx:xf:51 AP_HOME 24:de:c6:xx:xf:51 Provisioned Thu Oct 22 13:18:57 2015 Yes 0.0.0.0


(OAW-4030) #show iap table

Trusted Branch Validation: Enabled
IAP Branch Table
----------------
Name VC MAC Address Status Inner IP Assigned Subnet Assigned Vlan
---- -------------- ------ -------- --------------- -------------
AP105 24:de:c6:xx:xf:51 UP 192.168.224.127

Total No of UP Branches : 1
Total No of DOWN Branches : 0
Total No of Branches : 1

 

(OAW-4030) #ping 192.168.224.127
Press 'q' to abort.
Sending 5, 92-byte ICMP Echos to 192.168.224.127, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 21.221/34.3046/42.999 ms

 

(OAW-4030) #ping 192.168.13.2
Press 'q' to abort.
Sending 5, 92-byte ICMP Echos to 192.168.13.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 0.147/0.1772/0.276 ms

 

Occasional Contributor I
Posts: 8
Registered: ‎11-24-2014

Re: Controller IAP VPN routing

I found the problem!

 

The internal interface 192.168.13.253 had "Inter-VLAN Routing" enabled, but the external interface did not. I expect the IPsec tunnel terminates on that interface, and that interface would not route the packets out of the device (internally it does route).

 

Fred
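The checks made across this thread (is the VC MAC in the trusted-branch-db and UP in the IAP table; which controller VLAN the IPsec peer is reached through; is inter-VLAN routing enabled on that VLAN) can be scripted against pasted `show` output. The Python below is an added example and is not code from the thread or from Aruba. Its sample outputs are constructed after the formats pasted above, with documentation-range addresses in place of the masked ones; the wording of the disabled state ("Routing interface is disable") is assumed from the enabled form shown in the thread, so the parser only tests whether the word starts with "enable".

```python
"""Offline sanity check for a controller/IAP branch VPN that only reaches the
controller's own address.  Parses pasted ArubaOS 'show' output (added example;
samples below are constructed after the formats in the thread)."""
import ipaddress
import re

MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.I)
ROUTE_RE = re.compile(
    r"^(?P<code>[CSOR])\*?\s+(?P<prefix>\S+)\s+(?:"
    r"\[\S+\]\s+via\s+(?P<via>[\d.]+)"                      # static/default route
    r"|is directly connected,\s+(?P<iface>\S+)"             # connected VLAN
    r"|is an ipsec map\s+(?P<peer>\S+?)-(?P<inner>[\d.]+))"  # branch tunnel
)
ROUTING_RE = re.compile(r"VLAN(\d+) is .*?Routing interface is (\w+)", re.S)

# Constructed samples; 203.0.113.10 stands in for the masked IAP public address.
SHOW_IAP_TRUSTED_BRANCH_DB = "Trusted Branch Validation: Enabled\nBranch MAC\n----------\n24:de:c6:00:0f:51\n"
SHOW_IAP_TABLE = """\
Name VC MAC Address Status Inner IP Assigned Subnet Assigned Vlan
---- -------------- ------ -------- --------------- -------------
AP105 24:de:c6:00:0f:51 UP 192.168.224.127
"""
SHOW_IP_ROUTE = """\
S* 0.0.0.0/0 [20/0] via 212.203.27.1*
S 192.168.0.0/16 [10/0] via 192.168.13.254*
C 192.168.13.0/24 is directly connected, VLAN13
C 212.203.27.0/25 is directly connected, VLAN500
C 192.168.224.127/32 is an ipsec map 203.0.113.10-192.168.224.127
"""
# The 'disable' wording for VLAN500 is an assumption derived from the 'enable' form.
SHOW_INTERFACE_VLAN = [
    "VLAN13 is up line protocol is up\nRouting interface is enable, Forwarding mode is enable\n",
    "VLAN500 is up line protocol is up\nRouting interface is disable, Forwarding mode is enable\n",
]


def trusted_branch_macs(text):
    """MACs from 'show iap trusted-branch-db'; None when validation is not enabled."""
    if "Trusted Branch Validation: Enabled" not in text:
        return None
    return {m.lower() for m in MAC_RE.findall(text)}


def iap_branches(text):
    """'show iap table' rows as {vc_mac: (status, inner_ip)}."""
    rows = {}
    for line in text.splitlines():
        m = MAC_RE.search(line)
        if m:
            f = line.split()
            i = f.index(m.group(1))
            rows[m.group(1).lower()] = (f[i + 1] if len(f) > i + 1 else "?",
                                        f[i + 2] if len(f) > i + 2 else None)
    return rows


def parse_routes(text):
    """'show ip route' lines as dicts with prefix (ip_network), via, iface, peer, inner."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            r = m.groupdict()
            r["prefix"] = ipaddress.ip_network(r["prefix"], strict=False)
            routes.append(r)
    return routes


def egress_interface(ip, routes, hops=0):
    """Longest-prefix match for ip; follow a gateway (at most 2 hops) to its VLAN."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in routes if (r["iface"] or r["via"]) and addr in r["prefix"]]
    if not hits:
        return None
    best = max(hits, key=lambda r: r["prefix"].prefixlen)
    if best["iface"]:
        return best["iface"]
    return egress_interface(best["via"], routes, hops + 1) if hops < 2 else None


def vlan_routing_state(text):
    """(vlan_id, routing_enabled) from one 'show interface vlan N' output."""
    m = ROUTING_RE.search(text)
    return (int(m.group(1)), m.group(2).lower().startswith("enable")) if m else None


def diagnose(trusted_txt, iap_txt, route_txt, vlan_txts):
    """Return a list of findings; an empty list means nothing obviously wrong."""
    findings = []
    trusted = trusted_branch_macs(trusted_txt)
    for mac, (status, _inner) in iap_branches(iap_txt).items():
        if trusted is not None and mac not in trusted:
            findings.append(f"{mac}: not in trusted-branch-db")
        if status != "UP":
            findings.append(f"{mac}: branch status is {status}")
    routes = parse_routes(route_txt)
    routing = dict(filter(None, map(vlan_routing_state, vlan_txts)))
    for r in routes:
        if not r["peer"]:
            continue
        iface = egress_interface(r["peer"], routes) or ""
        vlan = int(iface[4:]) if iface.upper().startswith("VLAN") else None
        if vlan is None:
            findings.append(f"tunnel from {r['peer']}: no VLAN interface reaches the peer")
        elif vlan not in routing:
            findings.append(f"tunnel from {r['peer']} lands on VLAN{vlan}: no interface output to check")
        elif not routing[vlan]:
            findings.append(f"tunnel from {r['peer']} lands on VLAN{vlan}, where routing is disabled: "
                            "branch traffic reaches the controller but nothing behind it")
    return findings


if __name__ == "__main__":
    for finding in diagnose(SHOW_IAP_TRUSTED_BRANCH_DB, SHOW_IAP_TABLE, SHOW_IP_ROUTE, SHOW_INTERFACE_VLAN):
        print(finding)
```

With the constructed samples the only finding is the one this thread ended on: the peer is reached through the default route on VLAN500, and routing is disabled there. Paste your own `show` output into the four inputs to run the same checks; the gateway-following in `egress_interface` is what ties the tunnel's outer address to the VLAN whose routing flag matters, since the ipsec-map route itself names no interface.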

 
