ArubaOS and Controllers

obi
Contributor II
Posts: 45
Registered: ‎08-28-2008

Creating site-to-site IPSec tunnel from OS5 controller to another vendor firewall?

Hi

Is it possible to configure a site-to-site VPN tunnel from an Aruba controller to another vendor's firewall? So that Aruba would route "interesting" traffic from a certain subnet to another subnet through the tunnel. What I've been trying to do is make a VPN tunnel from a 3200 Controller with 5.0.10 firmware to a Watchguard x750e. I get through phase 1, but phase 2 fails with the following error from the firewall:

2010-06-24 13:14:40 iked Peer x.x.x.x phase 2 negotiation failed because there is no matching IPSec proposal

Aruba's user interface isn't so clear about VPN configuration. Where do I do phase 2 configuration in the Aruba UI?
Guru Elite
Posts: 20,573
Registered: ‎03-29-2007

Phase 2

Phase 2 of the conversation is Encryption Algorithm (DES or 3DES) and the Hash algorithm (SHA or MD5). In the Aruba Site to Site VPN configuration, there is an option for a "Transform Set", which is the Encryption/Hash combination you want to use. If you pick the "Default Transform" set, the Encryption is set to 3DES and SHA. I don't know how you set this up on the Watchguard Side, but make sure those two parameters appear in the site to site VPN configuration on your Watchguard box, as well. In the site to site VPN configuration on Aruba, there is also a peer IP address, and that should be the external IP address of the Watchguard device.

Matching all those parameters should get you past Phase 2 of the conversation.

Any type of VPN is not simple, and site to site VPNs between different manufacturers are even more complicated. Vendors routinely call the same things by different names, but the key is to have your parameters matched on both sides. Due to this complexity, you may want to contact Watchguard to ensure that side of the site to site VPN agrees with the Aruba side.


Colin Joseph
Aruba Customer Engineering


obi
Contributor II
Posts: 45
Registered: ‎08-28-2008

Re: Creating site-to-site IPSec tunnel from OS5 controller to another vendor firewall?

double
obi
Contributor II
Posts: 45
Registered: ‎08-28-2008

Re: Creating site-to-site IPSec tunnel from OS5 controller to another vendor firewall?

Ah, I had different encryption settings. Aruba had AES-128 and WG AES-256. Now the tunnel is up and running and I get traffic going through.

In my experience standard IPSec is pretty easy even between different vendors as long as you run decent hardware. Most of the problems I've had are because of crappy hardware that does something other than it should.

And thanks for the help, being able to connect VPN to firewalls gives me interesting options to use Aruba in different installations.
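
Added example, not part of the thread and not Aruba or WatchGuard code: a simplified model of phase 2 transform matching that shows why the AES-128 versus AES-256 difference reported above produces "no matching IPSec proposal", and how to pinpoint the differing field. The `Transform` fields, the function names and the SHA1 value are assumptions made for illustration; real negotiation also covers parameters such as lifetimes and traffic selectors.

```python
from typing import List, NamedTuple, Optional, Tuple

class Transform(NamedTuple):
    encryption: str  # cipher name, e.g. "AES" or "3DES"
    key_bits: int    # key length; 0 where the cipher has a fixed key length
    integrity: str   # hash/integrity algorithm, e.g. "SHA1" or "MD5"

def select_proposal(offered: List[Transform],
                    accepted: List[Transform]) -> Optional[Transform]:
    """Return the first offered transform the peer also accepts, else None.

    None corresponds to the peer logging "no matching IPSec proposal".
    Every field must match exactly, key length included.
    """
    for t in offered:
        if t in accepted:
            return t
    return None

def explain_mismatch(offered: List[Transform],
                     accepted: List[Transform]) -> List[Tuple[Transform, List[str]]]:
    """For each offered transform, list the fields that differ from the closest accepted one."""
    report = []
    for o in offered:
        if not accepted:
            report.append((o, ["peer accepts no transforms"]))
            continue
        # Closest = accepted transform with the fewest differing fields.
        closest = min(accepted, key=lambda a: sum(x != y for x, y in zip(o, a)))
        diffs = [f"{field}: offered {ov}, peer expects {av}"
                 for field, ov, av in zip(Transform._fields, o, closest) if ov != av]
        report.append((o, diffs))
    return report

# Constructed sample values based on the thread: Aruba side AES-128, WatchGuard
# side AES-256. The SHA1 integrity algorithm is an assumption for illustration.
ARUBA_OFFER = [Transform("AES", 128, "SHA1")]
WG_ACCEPT = [Transform("AES", 256, "SHA1")]
# One way to align the two sides; the thread does not say which side was changed.
ALIGNED_ACCEPT = [Transform("AES", 128, "SHA1")]

if __name__ == "__main__":
    print(select_proposal(ARUBA_OFFER, WG_ACCEPT))
    for transform, diffs in explain_mismatch(ARUBA_OFFER, WG_ACCEPT):
        print(transform, diffs)
    print(select_proposal(ARUBA_OFFER, ALIGNED_ACCEPT))
```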