ArubaOS and Controllers

Occasional Contributor II
Posts: 60
Registered: ‎01-19-2011

master local ipsec tunnel

Hi Airheads,

I'm trying to simulate an active-active type of redundancy in my lab. I am having problems configuring the IPsec tunnel for the two controllers. Are there any steps documented for configuring the IPsec tunnel in a master-local relationship? I think I'm doing it wrong.

I have configured the L2TP/IPsec on my master, following the ArubaOS guide, which involves defining address pools, creating IKE shared secrets and IKE policies.

Then on my other controller I changed the role to Local, entered the master IP and the IKE shared secret that I've configured on the master, and then rebooted.

I viewed the logs in my master and this is what I got:

May 12 19:10:03 isakmpd: <103063> |ike| exchange_setup_p1: ID is IPv4
May 12 19:10:03 isakmpd: <103063> |ike| exchange_setup_p1: expected exchange type ID_PROT got AGGRESSIVE
May 12 19:10:03 isakmpd: <103063> |ike| exchange_setup_p1: USING exchange type AGGRESSIVE
May 12 19:10:03 isakmpd: <103060> |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:897 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 172.16.0.254.
May 12 19:10:03 isakmpd: <103060> |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:1041 Ike Phase 1 received SA
May 12 19:10:03 isakmpd: <103060> |ike| ike_phase_1.c:ike_phase_1_recv_ID:2218 received IKE ID Type 11 exchange:172.16.0.254
May 12 19:10:03 isakmpd: <103060> |ike| ike_phase_1.c:ike_phase_1_recv_ID:2233 got IKE KEY-ID, got remote-switch-ip:172.16.0.254-mask:255.255.255.255
May 12 19:10:03 isakmpd: <103060> |ike| ike_phase_1.c:ike_phase_1_recv_ID:2282 Master-Local
May 12 19:10:03 isakmpd: <103017> |ike| Could not validate IKE Phase 1 ID of peer for Master-Local VPN
May 12 19:10:03 isakmpd: <103063> |ike| exchange_run: step 0 done:0 handler failed

I need help from anyone who knows how to configure this. I know I'm doing it wrong but I don't know where to start.

Thank you in advance.


-richard
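As an added example (not part of the original post), a small parser that walks isakmpd log lines like the ones above and flags the Master-Local Phase 1 ID validation failure together with the peer IP that presented the KEY-ID, which is useful when triaging a controller's logs after a local fails to come up. The sample log is constructed from the lines in the post; the message code 103017 is the one shown there.

```python
import re

# Constructed sample: the relevant isakmpd lines from the post above.
SAMPLE_LOG = """\
May 12 19:10:03 isakmpd: <103063> |ike| exchange_setup_p1: expected exchange type ID_PROT got AGGRESSIVE
May 12 19:10:03 isakmpd: <103060> |ike| ike_phase_1.c:ike_phase_1_responder_recv_SA:897 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 172.16.0.254.
May 12 19:10:03 isakmpd: <103060> |ike| ike_phase_1.c:ike_phase_1_recv_ID:2233 got IKE KEY-ID, got remote-switch-ip:172.16.0.254-mask:255.255.255.255
May 12 19:10:03 isakmpd: <103060> |ike| ike_phase_1.c:ike_phase_1_recv_ID:2282 Master-Local
May 12 19:10:03 isakmpd: <103017> |ike| Could not validate IKE Phase 1 ID of peer for Master-Local VPN
May 12 19:10:03 isakmpd: <103063> |ike| exchange_run: step 0 done:0 handler failed
"""

# Timestamp, numeric message code and free-text message of one isakmpd line.
LINE_RE = re.compile(r'^(?P<ts>\w{3} +\d+ [\d:]+) isakmpd: <(?P<code>\d+)> \|ike\| (?P<msg>.*)$')
# The local's IP as carried in the IKE KEY-ID ("remote-switch-ip:<ip>-mask:...").
PEER_RE = re.compile(r'remote-switch-ip:(?P<ip>\d+\.\d+\.\d+\.\d+)')

# Message code of "Could not validate IKE Phase 1 ID of peer", as seen in the post.
ID_VALIDATION_FAILED = '103017'


def parse_line(line):
    """Split one isakmpd line into its fields; None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {'ts': m.group('ts'), 'code': m.group('code'), 'msg': m.group('msg')}


def find_master_local_failures(log_text):
    """Return one event per Master-Local Phase 1 ID validation failure.

    The peer IP is taken from the most recent KEY-ID line before the failure,
    since the failure line itself does not name the peer.
    """
    events = []
    last_peer = None
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        pm = PEER_RE.search(rec['msg'])
        if pm:
            last_peer = pm.group('ip')
        if rec['code'] == ID_VALIDATION_FAILED and 'Master-Local' in rec['msg']:
            events.append({'ts': rec['ts'], 'peer': last_peer, 'reason': rec['msg']})
    return events
```

In the thread's case the event points at the local's configured key not matching what the master holds under Local Controller IPsec keys, so the peer IP is what to check on the master side.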
Guru Elite
Posts: 21,274
Registered: ‎03-29-2007

Re: master local ipsec tunnel

You don't configure a site to site VPN tunnel in a master/local relationship:

On the master side you just configure an entry for the local controller in Configuration > Network > Local Controller IPsec keys. On the local controller you configure it to point to the master in Configuration > Network > Controller > System Settings. Change the controller role to local and put in the master's IP address, along with the IPsec key (do not put in an FQDN). Reboot the local and you should be done. No pools required.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor II
Posts: 60
Registered: ‎01-19-2011

it worked!

Wow, it's that simple? Now it's working. The config on the master has synced to the local, which is what I'm expecting. Now I need to test active-active redundancy. Thank you so much bro.
Guru Elite
Posts: 21,274
Registered: ‎03-29-2007

Re: master local ipsec tunnel

Please take a look at our Validated Reference Design page here: http://www.arubanetworks.com/technology/reference-design-guides/

There is one particular document that will tell you the most about redundancy: Campus Wireless Networks Validated Reference Design.


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 60
Registered: ‎01-19-2011

Re: master local ipsec tunnel

Hi Colin,

Yup, I looked into it and the only way that I can do redundancy according to the customer requirement is through active-active. Do the two controllers have to have the exact same software version? My master (Aruba 651) is running 5.0.3.0 and my local (Aruba 3600) is on 5.0.2.0. I am trying to simulate a failure in one controller but the AP doesn't seem to fail over to the local.

All licenses on both controllers are already the same (PEFNG and AP licenses), and there is no Layer 3 issue, because the AP can ping the local's IP when in AP boot mode.

I don't know what i'm missing here. Please help me.
Guru Elite
Posts: 21,274
Registered: ‎03-29-2007

Re: master local ipsec tunnel

You MUST have both controllers at the same version of code, because access points must either upgrade or downgrade their code to the level of the controller before they can communicate with that controller. You could introduce an upgrade/downgrade loop if they do not match.

If you want to have one controller back up the other, you should create a VRRP between both controllers and have the LMS-IP in the AP system profile of the ap-group point to the VRRP ip address...


Colin Joseph
Aruba Customer Engineering


Occasional Contributor II
Posts: 60
Registered: ‎01-19-2011

Re: master local ipsec tunnel

I'll go with introducing upgrade/downgrade first since this is just a test. But how do I do it?

For the VRRP thing, I think I can't do it because the controllers are separated via Layer 3, and as much as I want them to reside in one place, I can't because my customer wants one controller to reside in a branch office.
Occasional Contributor II
Posts: 60
Registered: ‎01-19-2011

Re: master local ipsec tunnel

Hi Colin,

I managed to make the two controllers' image code match, and the AP has failed over to the local. But it seems that it can only broadcast on one radio, and in the "AP system profile" I can only choose "a" or "g". Is there any workaround for this?

Thank you.
Occasional Contributor II
Posts: 60
Registered: ‎01-19-2011

Re: master local ipsec tunnel

I mean a workaround where it will still be broadcasting 802.11a and 802.11g?
Guru Elite
Posts: 21,274
Registered: ‎03-29-2007

Re: master local ipsec tunnel

What kind of access point is it? If it is an AP93 or AP61, it can only broadcast on a single band at a time.


Colin Joseph
Aruba Customer Engineering
