Requirement:How does AP's respond to ICMP traffic when CPSEC is enabled?
Solution:
- Ping Request
PC(subnet B) ---ping req---> AP(subnet A) ===>Does not go through Controller
- Ping Reply
AP(subnet A) ---ping reply---> tun0(default route) ---ESP(ipsec)---> Controller ---ping reply---> PC(subnet B)
When we have CPSEC enabled, AP add a default route on themselves (tun 0). This default route points to the IP address of the controller.
Hence, the ping reply goes via the controller. Hence, we should have routing enabled between controller & wired client which is trying to ping CPSEC based AP.
Configuration:We should have routing enabled between controller & wired client which is trying to ping CPSEC based AP.
That will allow wired client present in a different subnet than the AP to receive the ICMP response.
Verification
- Case 1: Routing table for AP without CPSEC:
AP’s Default gateway : 30.1.1.2
Controller’s IP : 10.254.82.2
- Case 2: Routing table for AP with CPSEC:
Ap’s default Gateway: 172.16.0.1
Controller’s IP: 10.254.80.100
We can see an addiitonal entry for tun0 interface for CPSEC enabled AP.
The tun entry is created prior to br0. Hence, AP sends the ICMP response inside IPSEc tunnel created with the controller.