Aruba Instant & Cloud Wi-Fi

Contributor I
Posts: 34
Registered: ‎07-06-2015

IAP VPN to Controller for Airwave

Hi,
I have a new constellation where the IAP needs to connect to the internal Airwave. For the setup I have an IAP on the Internet, a VPN controller and an Airwave server which is reachable behind the VPN controller's inside connection.

If I take a look into the IAP VPN guides or ASE, I only see a VPN for the clients on the IAP cloud, but not one only for the Airwave. Does that mean that "you" always connect Airwave to the Internet and make it reachable directly?

Or does anyone have a config example for my setup?

Thanks in advance

ACMP
Aruba Employee
Posts: 71
Registered: ‎09-10-2015

Re: IAP VPN to Controller for Airwave

There is a new model possible now, where the IAP first builds the tunnel with the controller and then puts in a route for Airwave, so that Airwave is reachable via the tunnel.

I am attaching a sample lab example for your purview.

Contributor I
Posts: 34
Registered: ‎07-06-2015

Re: IAP VPN to Controller for Airwave

Hi,

thanks for the feedback! I will test this and come back here.

Thanks in advance

ACMP
Contributor I
Posts: 34
Registered: ‎07-06-2015

Re: IAP VPN to Controller for Airwave

Hi,

In my setup the AP gets the Airwave server and wants to connect to it:

ac:a3:1e:xx:xx:xx# show log provision

Mon May 9 09:54:34 2016 Airwave In progress Connecting to primary AMP server at 212.xxxxx...
Mon May 9 09:54:44 2016 Airwave Debug Received auth pending status from primary AMP server 212.xxxxx, cmd is 'state-connected'
Mon May 9 09:54:44 2016 Airwave Failed Could not establish TCP connection to AMP server at 212.xxxxx

But the VPN config is empty, even if I set it in the Airwave prov. rule :(

ac:a3:1e:xx:xx:xx# show vpn config

Concentrator
------------
Type Value
---- -----
VPN Primary Server
VPN Backup Server

But ap-debug shows that it was transferred:

X-Type: provision-update^M X-Vpn-Server: 212.xx.xx.xx^M ^M ", AWC response: (null)

Hmm.... Using an IAP-215 in my setup with 4.1.1.4 -> update will follow :)

Thanks for feedback

ACMP
Aruba Employee
Posts: 71
Registered: ‎09-10-2015

Re: IAP VPN to Controller for Airwave

Upgrade to the latest please, 4.2.3.1.

Contributor I
Posts: 34
Registered: ‎07-06-2015

Re: IAP VPN to Controller for Airwave

Done! It works! IAP with Activate to internal Airwave with VPN tunnel. Thanks!!! Nice solution!

What I need to find now is the role in which IAPs belong on the controller. I've created a new role with a new pool for the IAPs. Currently they get the default VPN role and also an IP out of the "default" pool for the tunnel. I need to find the config for that to change the pool.

Thanks!

Edit: found: "default-iap" L3-Auth under VPN Authentication -> setting to my new role. Done!

But my new question: how does the controller authenticate the IAP? Using Aruba cert and MAC? The only security step here is the MAC of the IAP, which is not really "secure". So how can this be pushed a little bit higher?

ACMP
Regular Contributor I
Posts: 162
Registered: ‎04-13-2009

Re: IAP VPN to Controller for Airwave


But my new question: how does the controller authenticate the IAP? Using Aruba cert and MAC? The only security step here is the MAC of the IAP, which is not really "secure". So how can this be pushed a little bit higher?

Hi Dennis,

Aruba uses certificates; each controller or access point has a certificate with a CommonName using the MAC address.

When you authorize a MAC address, you authorize the certificate with this MAC address.

ACMP 6.4 / ACMX #107
Contributor I
Posts: 34
Registered: ‎07-06-2015

Re: IAP VPN to Controller for Airwave

So my installation is partly working.

Currently I get the IAP IP from a VPN pool of the controller. I see that the IP from the pool is changing every few minutes to a newer IP. In the meantime the devices become unreachable in Airwave. If I am on the console and pinging Airwave, the tunnel seems to stay up, so I can have them in Airwave. Maybe there is a mismatch in config or image between IAP and controller. Both are the new: ArubaOS (MODEL: 215), Version 6.4.4.4-4.2.3.1 - controller has 6.4.4.5.

Thanks for suggestions on this

Here are some examples in the ap-debug log:

May 17 12:09:13 awc[3450]: awc_init_connection: 2129: connecting to 212.x.x.x:443
May 17 12:09:23 awc[3450]: tcp_connect: 132: select return: 0
May 17 12:09:23 awc[3450]: tcp_connect: 150: failed to connect, close the fd
May 17 12:10:24 awc[3450]: awc_connect to 212.x.x.x
May 17 12:10:34 awc[3450]: tcp_connect: 132: select return: 0
May 17 12:10:34 awc[3450]: tcp_connect: 150: failed to connect, close the fd
May 17 12:10:34 awc[3450]: awc_connect: 2633: failed to connect to 212.x.x.x Error: Operation now in progress
May 17 12:11:25 awc[3450]: awc_connect to 212.x.x.x
May 17 12:11:35 awc[3450]: tcp_connect: 132: select return: 0
May 17 12:11:35 awc[3450]: tcp_connect: 150: failed to connect, close the fd
May 17 12:11:35 awc[3450]: awc_connect: 2633: failed to connect to 212.x.x.x Error: Operation now in progress

And here is some output of the VPN log:

2016-05-17 12:14:20 cli_rap_reg_request(2921) sending reg-request to 10.x.x.x (internal IP of DMZ Controller: iap/register.....  retry-counter 1, not-trusted: amp-not-login

This happens every 3 seconds, so I think that's why the IAP always gets a new pool IP address.

hmmmm......

ACMP
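The two log excerpts above (the awc connect loop in ap-debug and the repeating cli_rap_reg_request lines in the VPN log) are the kind of thing worth parsing rather than eyeballing when a fleet of tunnelled IAPs starts dropping out of AirWave. The script below is an added example written for this thread; it is not Aruba code and not something the posters ran. It assumes the line shapes shown in the quoted excerpts, assumes the year 2016 for the ap-debug stamps (which carry no year), and uses constructed sample lines in which the reg-request repeats every three seconds, as the poster described. The failure and retry thresholds in diagnose() are my own choice.

```python
import re
from datetime import datetime
from statistics import median

# Constructed sample ap-debug lines, modelled on the excerpt quoted in the thread.
# "212.x.x.x" is the poster's own placeholder, not a real address.
SAMPLE_AP_DEBUG = """\
May 17 12:09:13 awc[3450]: awc_init_connection: 2129: connecting to 212.x.x.x:443
May 17 12:09:23 awc[3450]: tcp_connect: 132: select return: 0
May 17 12:09:23 awc[3450]: tcp_connect: 150: failed to connect, close the fd
May 17 12:10:24 awc[3450]: awc_connect to 212.x.x.x
May 17 12:10:34 awc[3450]: tcp_connect: 132: select return: 0
May 17 12:10:34 awc[3450]: tcp_connect: 150: failed to connect, close the fd
May 17 12:10:34 awc[3450]: awc_connect: 2633: failed to connect to 212.x.x.x Error: Operation now in progress
May 17 12:11:25 awc[3450]: awc_connect to 212.x.x.x
May 17 12:11:35 awc[3450]: tcp_connect: 132: select return: 0
May 17 12:11:35 awc[3450]: tcp_connect: 150: failed to connect, close the fd
May 17 12:11:35 awc[3450]: awc_connect: 2633: failed to connect to 212.x.x.x Error: Operation now in progress
"""

# Constructed VPN-log lines in the cli_rap_reg_request shape quoted in the thread;
# the three-second repeats are an assumption taken from the poster's remark.
SAMPLE_VPN_LOG = """\
2016-05-17 12:14:20 cli_rap_reg_request(2921) sending reg-request to 10.x.x.x (internal IP of DMZ Controller) retry-counter 1, not-trusted: amp-not-login
2016-05-17 12:14:23 cli_rap_reg_request(2921) sending reg-request to 10.x.x.x (internal IP of DMZ Controller) retry-counter 2, not-trusted: amp-not-login
2016-05-17 12:14:26 cli_rap_reg_request(2921) sending reg-request to 10.x.x.x (internal IP of DMZ Controller) retry-counter 3, not-trusted: amp-not-login
"""

# "Mon DD HH:MM:SS awc[pid]: func[: srcline]: message" (assumed shape of the excerpt)
AWC_RE = re.compile(
    r"^(?P<stamp>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) awc\[(?P<pid>\d+)\]: "
    r"(?P<func>\w+)(?:: (?P<srcline>\d+))?:? ?(?P<msg>.*)$"
)
REG_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) cli_rap_reg_request\(\d+\) "
    r"sending reg-request to (?P<peer>\S+).*retry-counter (?P<retry>\d+), "
    r"not-trusted: (?P<reason>\S+)"
)


def parse_awc(line, year=2016):
    """Parse one awc line; ap-debug stamps carry no year, so the caller supplies it."""
    m = AWC_RE.match(line.strip())
    if not m:
        return None
    return {"time": datetime.strptime(f"{m['stamp']} {year}", "%b %d %H:%M:%S %Y"),
            "pid": int(m["pid"]), "func": m["func"],
            "srcline": int(m["srcline"]) if m["srcline"] else None, "msg": m["msg"]}


def summarize_awc(text, year=2016):
    """Group awc lines into connect attempts and report how they ended."""
    attempts, current = [], None
    for raw in text.splitlines():
        rec = parse_awc(raw, year)
        if rec is None:
            continue
        # "connecting to host:443" / "awc_connect to host" opens a new attempt
        if rec["func"] in ("awc_init_connection", "awc_connect") and "failed" not in rec["msg"]:
            current = {"start": rec["time"], "outcome": "pending", "fail_after_s": None}
            attempts.append(current)
        elif rec["func"] == "tcp_connect" and "failed to connect" in rec["msg"] and current:
            current["outcome"] = "failed"
            current["fail_after_s"] = (rec["time"] - current["start"]).total_seconds()
    streak = 0  # consecutive failures at the tail of the log
    for a in attempts:
        streak = streak + 1 if a["outcome"] == "failed" else 0
    return {"attempts": len(attempts),
            "failures": sum(1 for a in attempts if a["outcome"] == "failed"),
            "consecutive_failures": streak,
            "connect_timeouts_s": [a["fail_after_s"] for a in attempts if a["fail_after_s"] is not None]}


def reg_request_cadence(text):
    """How often the IAP re-sends reg-request, and why the controller calls it untrusted."""
    stamps, reasons, max_retry = [], set(), 0
    for raw in text.splitlines():
        m = REG_RE.match(raw.strip())
        if not m:
            continue
        stamps.append(datetime.strptime(m["stamp"], "%Y-%m-%d %H:%M:%S"))
        reasons.add(m["reason"])
        max_retry = max(max_retry, int(m["retry"]))
    gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
    return {"requests": len(stamps), "median_gap_s": median(gaps) if gaps else None,
            "max_retry_counter": max_retry, "reasons": sorted(reasons)}


def diagnose(awc_summary, reg_summary, fail_threshold=3, fast_retry_s=5.0):
    """Turn the two summaries into findings; thresholds are my assumptions."""
    findings = []
    if awc_summary["consecutive_failures"] >= fail_threshold:
        findings.append(f"AMP unreachable over the tunnel: {awc_summary['consecutive_failures']} "
                        f"consecutive TCP connect failures, each given up after "
                        f"~{max(awc_summary['connect_timeouts_s'])} s")
    gap = reg_summary["median_gap_s"]
    if gap is not None and gap <= fast_retry_s and "amp-not-login" in reg_summary["reasons"]:
        findings.append(f"IAP re-sends reg-request every ~{gap:g} s while the controller still "
                        "reports not-trusted: amp-not-login; registration is not reaching a trusted state")
    return findings


if __name__ == "__main__":
    awc, reg = summarize_awc(SAMPLE_AP_DEBUG), reg_request_cadence(SAMPLE_VPN_LOG)
    print(awc, reg, sep="\n")
    for finding in diagnose(awc, reg):
        print("FINDING:", finding)
```

Feed it a real `show log ap-debug` and VPN log capture instead of the constructed samples; the interesting signal is the combination of both findings, which is exactly what the poster saw: the tunnel is up enough to ping, but AMP cannot be reached over it and registration keeps restarting.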
Regular Contributor I
Posts: 162
Registered: ‎04-13-2009

Re: IAP VPN to Controller for Airwave

Have you created a RAP pool on the controller?

ACMP 6.4 / ACMX #107
MVP
Posts: 4,114
Registered: ‎07-20-2011

Re: IAP VPN to Controller for Airwave

Do you have the AMP IAP whitelist enabled in AirWave?

Make sure your IAP pool is a routable network in your infrastructure.

Do you have the MAC address of the IAP in the RAP whitelist?

Can you see the IAP on the controller with "show IAP table"?

Thank you

Victor Fabian
Lead Mobility Engineer @ Integration Partners
AMFX | ACMX | ACDX | ACCX | CWAP | CWDP | CWNA