FQDN-based site-to-site IPsec tunnels
Requirement:

The customer needs a scalable way to deploy site-to-site tunnels with the Branch Office Controller (BOC) solution. Earlier code only supported an IP address as the remote endpoint (peer-ip) and required an IP address as the src-net, so every branch needed its own crypto map.


Solution:

Starting from ArubaOS 6.4.4.0, an FQDN can be configured as the peer-ip. The same FQDN can then be configured across all branches, and each branch resolves it locally, possibly to a different IP address, according to that branch's DNS settings.

The src-net in the crypto map can be configured as a VLAN. In the BOC solution, IP addresses are carved out of a pool when the branch first talks to the master, so the addresses are not known beforehand.

With src-net set to a VLAN, the configuration pushed to the branch uses the IP range carved out for that VLAN on that branch during IKE negotiation. One source-network configuration can therefore be pushed to every branch, and each branch negotiates a different source network based on the IP pool carved out for that VLAN on that branch.

Support for factory certificates on site-to-site tunnels lets the customer authenticate with TPM certificates and removes most of the certificate configuration work.
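The following added example (not ArubaOS code) models why one ipsec-map can serve every branch: each branch resolves the peer FQDN through its own name-server and presents the subnet the master carved out for the VLAN. The DNS tables, the pool and the carving rule (one /24 per branch, in registration order) are constructed assumptions; the article does not describe how ArubaOS actually allocates the pool.

```python
"""Per-branch view of a shared ipsec-map with 'peer-ip <fqdn>' and
'src-net vlan 100'.  Added example; DNS data and the carving rule are
constructed assumptions, not ArubaOS internals."""
import ipaddress

PEER_FQDN = "payment"                                # peer-ip from the sample map
DST_NET = ipaddress.ip_network("130.0.0.0/24")       # dst-net from the sample map

# Constructed: pool the master carves VLAN 100 out of, one /24 per branch.
VLAN100_POOL = ipaddress.ip_network("10.100.0.0/16")

# Constructed: what each branch's local 'ip name-server' returns for 'payment'.
LOCAL_DNS = {
    "branch-a": {"payment": "10.15.33.3"},
    "branch-b": {"payment": "10.15.44.3"},
    "branch-c": {},                                  # record missing on purpose
}


def carve_vlan_subnet(pool, branch_index, prefixlen=24):
    """Master-side carve-out (assumed rule): the branch_index-th /prefixlen of pool."""
    subnets = list(pool.subnets(new_prefix=prefixlen))
    if branch_index >= len(subnets):
        raise ValueError("VLAN pool exhausted")
    return subnets[branch_index]


def resolve_peer(branch, fqdn):
    """Resolve fqdn with the branch's local DNS table; None if there is no record."""
    addr = LOCAL_DNS.get(branch, {}).get(fqdn)
    return ipaddress.ip_address(addr) if addr else None


def negotiated_selectors(branch, branch_index):
    """Return (peer_ip, src_net, dst_net) the branch would use in IKEv2, or None
    when the FQDN does not resolve locally (the tunnel cannot be initiated)."""
    peer = resolve_peer(branch, PEER_FQDN)
    if peer is None:
        return None
    return peer, carve_vlan_subnet(VLAN100_POOL, branch_index), DST_NET


def plan_all(branches):
    """Same crypto-map text, different negotiated values per branch."""
    return {b: negotiated_selectors(b, i) for i, b in enumerate(branches)}


if __name__ == "__main__":
    for branch, sel in plan_all(list(LOCAL_DNS)).items():
        print(branch, sel if sel else "peer FQDN unresolved; tunnel will not come up")
```

The branch with no DNS record is the case to watch in practice: a branch whose local name-server cannot resolve the peer FQDN never starts IKE, so checking name resolution on the branch is the first troubleshooting step for this design.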
Configuration:

Config CLI:

ip domain-name france.inditex.com
ip name-server 10.15.92.51
crypto-local ipsec-map toc3 100
  version v2
  set ikev2-policy 10006
  peer-ip payment
  vlan 1
  src-net vlan 100
  dst-net 130.0.0.0 255.255.255.0
  set transform-set "default-transform"
  pre-connect enable
  factory-cert-auth enable
  trusted enable
  uplink-failover disable
  ip-compression disable
  force-natt disable
!

UI:
Verification

(C1) #show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
10.15.33.1       10.15.33.3     i-v2-c    Jul 16 14:30:25     -

Flags: i = Initiator; r = Responder
       m = Main Mode; a = Agressive Mode; v2 = IKEv2
       p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
       x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
       3 = 3rd party AP; C = Campus AP; R = RAP;  Ru = Custom Certificate RAP; I = IAP
       V = VIA; S = VIA over TCP

Total ISAKMP SAs: 1

(C1) #show crypto ipsec sa

IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
10.15.33.1       10.15.33.3       4b279b00/745c4100  T2    Jul 16 14:26:22     -

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 1

(C1) #show crypto-local ipsec-map | begin toc3
Crypto Map Template"toc3" 100
         IKE Version: 2
         IKEv2 Policy: DEFAULT
         Security association lifetime seconds : [300 -86400]
         Security association lifetime kilobytes: N/A
         PFS (Y/N): N
         Transform sets={ default-transform }
         Peer gateway: payment
         Interface: VLAN 1
         Source network: vlan 100
         Destination network: 130.0.0.0/255.255.255.0
         Pre-Connect (Y/N): Y
         Tunnel Trusted (Y/N): Y
         Forced NAT-T (Y/N): N
         Uplink Failover (Y/N): N
         IP Compression (Y/N): N
         Factory Certificate
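When this check has to be repeated across many branches, the two show commands above are easier to read by script. The following added example (not ArubaOS code) parses the table rows and verifies that the SA to a given peer has the properties the sample ipsec-map asks for: IKEv2 ('v2' / '2' flags), certificate-based authentication ('c' or 'e', which is what factory-cert-auth produces) and tunnel mode ('T'). The sample text is the output shown in this article; the flag meanings are taken from the legend printed under each table.

```python
"""Parse 'show crypto isakmp sa' / 'show crypto ipsec sa' and check the
site-to-site SA.  Added example; samples are the article's own output."""
import re

IPV4 = r"\d+\.\d+\.\d+\.\d+"
STAMP = r"\w{3} +\d+ \d\d:\d\d:\d\d"          # e.g. 'Jul 16 14:30:25'
ISAKMP_ROW = re.compile(
    rf"^(?P<init>{IPV4})\s+(?P<resp>{IPV4})\s+(?P<flags>\S+)\s+"
    rf"(?P<start>{STAMP})\s+(?P<extra>\S+)\s*$")
IPSEC_ROW = re.compile(
    rf"^(?P<init>{IPV4})\s+(?P<resp>{IPV4})\s+"
    rf"(?P<spi_in>[0-9a-fA-F]+)/(?P<spi_out>[0-9a-fA-F]+)\s+(?P<flags>\S+)\s+"
    rf"(?P<start>{STAMP})\s+(?P<extra>\S+)\s*$")
TOTAL = re.compile(r"^Total (?:ISAKMP|IPSEC) SAs:\s*(\d+)")

SAMPLE_ISAKMP = """\
ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
10.15.33.1       10.15.33.3     i-v2-c    Jul 16 14:30:25     -

Flags: i = Initiator; r = Responder
       m = Main Mode; a = Agressive Mode; v2 = IKEv2
       p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature

Total ISAKMP SAs: 1
"""

SAMPLE_IPSEC = """\
IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
10.15.33.1       10.15.33.3       4b279b00/745c4100  T2    Jul 16 14:26:22     -

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 1
"""


def parse_sa_table(text, row_re):
    """Return (rows, total): rows as dicts of the row_re groups, total from the
    'Total ... SAs' line (None if that line is absent)."""
    rows, total = [], None
    for line in text.splitlines():
        m = row_re.match(line)
        if m:
            rows.append(m.groupdict())
            continue
        t = TOTAL.match(line)
        if t:
            total = int(t.group(1))
    return rows, total


def check_site_to_site(isakmp_text, ipsec_text, peer_ip):
    """Return a list of problems; empty means the SA pair with peer_ip is
    IKEv2, certificate-authenticated and in tunnel mode."""
    problems = []
    ike_rows, ike_total = parse_sa_table(isakmp_text, ISAKMP_ROW)
    esp_rows, esp_total = parse_sa_table(ipsec_text, IPSEC_ROW)
    if ike_total is not None and ike_total != len(ike_rows):
        problems.append(f"ISAKMP table has {len(ike_rows)} rows but reports {ike_total}")
    if esp_total is not None and esp_total != len(esp_rows):
        problems.append(f"IPsec table has {len(esp_rows)} rows but reports {esp_total}")
    ike = [r for r in ike_rows if peer_ip in (r["init"], r["resp"])]
    esp = [r for r in esp_rows if peer_ip in (r["init"], r["resp"])]
    if not ike:
        problems.append(f"no ISAKMP SA with {peer_ip}")
    if not esp:
        problems.append(f"no IPsec SA with {peer_ip}")
    for r in ike:
        flags = set(r["flags"].split("-"))          # 'i-v2-c' -> {'i', 'v2', 'c'}
        if "v2" not in flags:
            problems.append("IKE SA is not IKEv2 although the map says 'version v2'")
        if not flags & {"c", "e"}:                   # factory (TPM) certs: RSA or ECDSA
            problems.append("IKE SA is not certificate-authenticated")
    for r in esp:
        flags = set(r["flags"])                      # 'T2' -> {'T', '2'}
        if "T" not in flags:
            problems.append("IPsec SA is not in tunnel mode")
        if "2" not in flags:
            problems.append("IPsec SA was not negotiated by IKEv2")
    return problems


if __name__ == "__main__":
    print(check_site_to_site(SAMPLE_ISAKMP, SAMPLE_IPSEC, "10.15.33.3") or "tunnel OK")
```

The flag check is the part worth keeping: a tunnel that comes up with 'p' instead of 'c' or 'e' in the ISAKMP flags is authenticating with a pre-shared key, which means factory-cert-auth did not take effect on that branch even though the SA is active.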

Version History
Revision #: 2 of 2
Last update: 03-07-2016 02:33 PM