Requirement:
The Mobility Controller should be minimum running AOS: 6.4.4.12 or above.
Solution:
Forced tunneling lets you redirect or "force" all Internet-bound traffic back to your on-premises location via a Site-to-Site VPN tunnel for inspection and auditing. This is a critical security requirement for most enterprise IT policies.
Starting from ArubaOS 6.4.4.12, the site-to-site IPsec SA can be switched to forced-tunnel mode, even if the protected network/mask and the peer-IP are the same.
If the Force Tunnel Mode parameter is enabled, an IPsec tunnel is established in forced-tunnel mode instead of transport mode.
Note:
1. Forced-tunnel mode (or transport mode) must be enabled or disabled on both peers; otherwise a tunnel will not be established.
2. By default, the Force Tunnel Mode parameter is disabled.
Configuration:
From the WebUI:
To enable forced-tunnel mode using the WebUI:
1. Navigate to Configuration > Advanced Services > VPN Services > Site-to-Site > IPSec Maps.
2. Click Edit against one of the IPsec maps.
3. Select the Force Tunnel Mode check box.
4. Click Done.
From the CLI:
To enable forced-tunnel mode using the CLI:
(host) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(host) (config) #crypto-local ipsec-map Test-Ipsec-Map 100
(host) (config-ipsec-map) #force-tunnel mode enable
(host) (config-ipsec-map) #write memory
To disable forced-tunnel mode using the CLI:
(host) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(host) (config) #crypto-local ipsec-map Test-Ipsec-Map 100
(host) (config-ipsec-map) #force-tunnel mode disable
(host) (config-ipsec-map) #write memory
Verification:
(Aruba7024) #show running-config | begin Test-Ipsec-Map
Building Configuration...
crypto-local ipsec-map Test-Ipsec-Map 100
set ikev1-policy 0
peer-ip 153.2.3.1
vlan 0
src-net vlan 1
dst-net 0.0.0.0 0.0.0.0
set transform-set "default-transform"
pre-connect disable
factory-cert-auth disable
trusted disable
uplink-failover disable
ip-compression disable
force-natt disable
force-tunnel-mode enable
!
(Aruba7024) #show crypto-local ipsec-map
Crypto Map Template "Test-Ipsec-Map" 100
IKE Version: 1
IKEv1 Policy: All
Security association lifetime seconds : [300 -86400]
Security association lifetime kilobytes: N/A
PFS (Y/N): N
Transform sets={ default-transform }
Peer gateway: 153.2.3.1
Interface: VLAN 0
Source network: vlan 1
Destination network: 0.0.0.0/0.0.0.0
Pre-Connect (Y/N): N
Tunnel Trusted (Y/N): N
Forced NAT-T (Y/N): N
Uplink Failover (Y/N): N
Force-Tunnel-Mode (Y/N): Y
IP Compression (Y/N): N
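Because the note above says the tunnel will not come up unless both peers agree on Force Tunnel Mode, a quick way to audit this is to parse the `crypto-local ipsec-map` blocks from each controller's `show running-config` output and compare them. The script below is an added example, not Aruba's code; the two config excerpts are constructed, the remote peer address 198.51.100.10 is illustrative, and it assumes the map carries the same name on both peers.

```python
import re

# Constructed `show running-config` excerpts for the two peers (not taken from
# a real controller); the remote peer address is illustrative only.
LOCAL_CFG = """\
crypto-local ipsec-map Test-Ipsec-Map 100
 peer-ip 153.2.3.1
 dst-net 0.0.0.0 0.0.0.0
 force-tunnel-mode enable
!
"""
REMOTE_CFG = """\
crypto-local ipsec-map Test-Ipsec-Map 100
 peer-ip 198.51.100.10
 dst-net 0.0.0.0 0.0.0.0
 force-tunnel-mode disable
!
"""

def parse_ipsec_maps(running_config):
    """Return {map_name: {peer-ip, dst-net, force-tunnel-mode}} from config text."""
    maps, current = {}, None
    for raw in running_config.splitlines():
        line = raw.strip()
        m = re.match(r"crypto-local ipsec-map (\S+) \d+$", line)
        if m:  # new map block; Force Tunnel Mode is disabled unless stated
            current = maps.setdefault(m.group(1), {"force-tunnel-mode": False})
        elif current is None:
            continue
        elif line == "!":  # end of the map block
            current = None
        elif line.startswith("peer-ip "):
            current["peer-ip"] = line.split()[1]
        elif line.startswith("dst-net "):
            current["dst-net"] = " ".join(line.split()[1:])
        elif line.startswith("force-tunnel-mode "):
            current["force-tunnel-mode"] = line.split()[1] == "enable"
    return maps

def audit_forced_tunnel(local_cfg, remote_cfg):
    """Flag peer mismatches (tunnel will not establish) and maps forcing all traffic."""
    local, remote = parse_ipsec_maps(local_cfg), parse_ipsec_maps(remote_cfg)
    findings = []
    for name in sorted(set(local) & set(remote)):  # assumes same map name on both peers
        ftm_l, ftm_r = local[name]["force-tunnel-mode"], remote[name]["force-tunnel-mode"]
        if ftm_l != ftm_r:
            findings.append(f"{name}: force-tunnel-mode mismatch (local={ftm_l}, remote={ftm_r})")
        if ftm_l and local[name].get("dst-net") == "0.0.0.0 0.0.0.0":
            findings.append(f"{name}: all Internet-bound traffic is forced to peer {local[name].get('peer-ip')}")
    return findings
```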