FQDN based site to site IPSEC tunnels

Aruba Employee
Requirement:

 

  • Prior to 6.4.4.0 code the implementation only support configuration of ip address as remote end point
  • And the implementation mandates use of ip address as src-net.

 

 

 



Solution:

For a scalable solution to deploy Site-to-Site tunnels using branch office following enhancements done moving from 6.4.4.0 versions

  • Flexibility of configuring FQDN as peer-ip
  • Configuring src-net within crypto map as vlan.
  • Support for factory certs for Site-to-Site will allows customer to use TPM certs and reduce complication of certificate configuration process.

 

Note: The same enhancements are available for Site-to-Site configuration on controller and not just limited only to BOC solution.



Configuration:

CLI configurations:

 

(config) #ip domain-name france.inditex.com

Operation may not take effect until a reboot

 

(config) #ip name-server 10.15.92.51

Operation may not take effect until a reboot

 

Note: Reboot the controller in order for the configuration to take effect

 

(config) #crypto-local ipsec-map toc3 100

(config-ipsec-map)#  version v2

(config-ipsec-map)#  set ikev2-policy 10006

(config-ipsec-map)#  peer-ip payment

(config-ipsec-map)#  vlan 1

(config-ipsec-map)#  src-net vlan 100

(config-ipsec-map)#  dst-net 130.0.0.0 255.255.255.0

(config-ipsec-map)#  set transform-set defaul-transform

(config-ipsec-map)#  pre-connect enable

(config-ipsec-map)#  factory-cert-auth

(config-ipsec-map)#  factory-cert-auth enable

(config-ipsec-map)#  trusted enable

(config-ipsec-map)#  uplink-failover disable

(config-ipsec-map)#  ip-compression disable

(config-ipsec-map)#  force-natt disable

 

UI Configuration:

 

 

 

 



Verification

#show crypto isakmp sa

 

ISAKMP SA Active Session Information

------------------------------------

Initiator IP     Responder IP   Flags       Start Time      Private IP

------------     ------------   -----     ---------------   ----------

10.15.33.1       10.15.33.3     i-v2-c    Jul 16 14:30:25     -

 

Flags: i = Initiator; r = Responder

       m = Main Mode; a = Aggressive Mode; v2 = IKEv2

       p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature

       x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled

       3 = 3rd party AP; C = Campus AP; R = RAP;  Ru = Custom Certificate RAP; I = IAP

       V = VIA; S = VIA over TCP

Total ISAKMP SAs: 1

 

#show crypto ipsec sa

 

IPSEC SA (V2) Active Session Information

-----------------------------------

Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP

------------     ------------     ----------------   ----- ---------------   --------

10.15.33.1       10.15.33.3       4b279b00/745c4100  T2    Jul 16 14:26:22     -

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap

       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

 

Total IPSEC SAs: 1

 

 

#show crypto-local ipsec-map | begin toc3

Crypto Map Template"toc3" 100

         IKE Version: 2

         IKEv2 Policy: DEFAULT

         Security association lifetime seconds : [300 -86400]

         Security association lifetime kilobytes: N/A

         PFS (Y/N): N

         Transform sets={ default-transform }

         Peer gateway: payment

         Interface: VLAN 1

         Source network: vlan 100

         Destination network: 130.0.0.0/255.255.255.0

         Pre-Connect (Y/N): Y

         Tunnel Trusted (Y/N): Y

         Forced NAT-T (Y/N): N

         Uplink Failover (Y/N): N

         IP Compression (Y/N): N

         Factory Certificate

 

Version history
Revision #:
2 of 2
Last update:
‎05-30-2016 02:42 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: 
Is this a frequent problem?

Request an official Aruba knowledge base article to be written by our experts.