How to Enable Forced Tunnel Mode for IPsec on Mobility Controller?

Aruba Employee
Requirement:

The Mobility Controller must be running ArubaOS 6.4.4.12 or later.



Solution:

Forced tunneling lets you redirect or "force" all Internet-bound traffic back to your on-premises location via a Site-to-Site VPN tunnel for inspection and auditing. This is a critical security requirement for most enterprise IT policies.

Starting from ArubaOS 6.4.4.12, the site-to-site IPsec SA can be switched to forced-tunnel mode, even if the protected network/mask and the peer-IP are the same.

If the Force Tunnel Mode parameter is enabled, an IPsec tunnel is established in forced-tunnel mode instead of transport mode.

Note:
1. Forced-tunnel mode (or transport mode) must be enabled or disabled on both peers; if the two ends are configured differently, the tunnel will not be established.
2. By default, the Force Tunnel Mode parameter is disabled.



Configuration:

From WebUI:

To enable forced-tunnel mode using the WebUI:

1. Navigate to Configuration > Advanced Services > VPN Services > Site-to-Site > IPSec Maps.
2. Click Edit next to the IPsec map you want to change.
3. Select the Force Tunnel Mode check box.
4. Click Done.

From the CLI:

To enable forced-tunnel mode using the CLI:

(host) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(host) (config) #crypto-local ipsec-map Test-Ipsec-Map 100
(host) (config-ipsec-map) #force-tunnel-mode enable
(host) (config-ipsec-map) #write memory

To disable forced-tunnel mode using the CLI:

(host) #configure terminal
Enter Configuration commands, one per line. End with CNTL/Z
(host) (config) #crypto-local ipsec-map Test-Ipsec-Map 100
(host) (config-ipsec-map) #force-tunnel-mode disable
(host) (config-ipsec-map) #write memory

Verification:

(Aruba7024) #show running-config | begin Test-Ipsec-Map
Building Configuration...
crypto-local ipsec-map Test-Ipsec-Map 100
  set ikev1-policy 0
  peer-ip 153.2.3.1
  vlan 0
  src-net vlan 1
  dst-net 0.0.0.0 0.0.0.0
  set transform-set "default-transform"
  pre-connect disable
  factory-cert-auth disable
  trusted disable
  uplink-failover disable
  ip-compression disable
  force-natt disable
  force-tunnel-mode enable
!
(Aruba7024) #show crypto-local ipsec-map

Crypto Map Template"Test-Ipsec-Map" 100
         IKE Version: 1
         IKEv1 Policy: All
         Security association lifetime seconds : [300 -86400]
         Security association lifetime kilobytes: N/A
         PFS (Y/N): N
         Transform sets={ default-transform }
         Peer gateway: 153.2.3.1
         Interface: VLAN 0
         Source network: vlan 1
         Destination network: 0.0.0.0/0.0.0.0
         Pre-Connect (Y/N): N
         Tunnel Trusted (Y/N): N
         Forced NAT-T (Y/N): N
         Uplink Failover (Y/N): N
         Force-Tunnel-Mode (Y/N): Y
         IP Compression (Y/N): N
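Because the note above says the tunnel only comes up when both peers agree on forced-tunnel mode, it is worth checking the two ends against each other rather than eyeballing the output. The following is an added example, not code from the article or from Aruba: it parses the text of either `show running-config | begin <map>` or `show crypto-local ipsec-map`, extracts the Force-Tunnel-Mode flag, and reports a mismatch between a local and a remote peer. The sample outputs embedded below are constructed for illustration (the map name and 192.0.2.x addresses are placeholders), and an output that does not report the flag at all is treated as an error rather than silently read as enabled or disabled.

```python
"""Check that both ends of an ArubaOS site-to-site IPsec map agree on
force-tunnel-mode, from captured 'show running-config | begin <map>' or
'show crypto-local ipsec-map' output.

Added example, not code from the original article or from Aruba. The sample
outputs are constructed; map names and addresses are placeholders.
"""
import re

# Running-config form: "  force-tunnel-mode enable"
RUNCFG_RE = re.compile(r"^\s*force-tunnel-mode\s+(enable|disable)\s*$", re.M | re.I)
# 'show crypto-local ipsec-map' form: "Force-Tunnel-Mode (Y/N): Y"
SHOWMAP_RE = re.compile(r"^\s*Force-Tunnel-Mode \(Y/N\):\s*([YN])\s*$", re.M | re.I)
# Map header in either format, with or without quotes around the name
MAP_HDR_RE = re.compile(
    r'^\s*(?:crypto-local ipsec-map|Crypto Map Template)\s*"?(\S+?)"?\s+(\d+)\s*$', re.M)

# Constructed sample: local controller, running-config format, mode enabled
LOCAL_RUNCFG = """\
Building Configuration...
crypto-local ipsec-map Test-Ipsec-Map 100
  set ikev1-policy 0
  peer-ip 192.0.2.2
  vlan 0
  src-net vlan 1
  dst-net 0.0.0.0 0.0.0.0
  set transform-set "default-transform"
  force-natt disable
  force-tunnel-mode enable
!
"""

# Constructed sample: remote peer, 'show crypto-local ipsec-map' format,
# mode left at its default (disabled)
REMOTE_SHOWMAP = """\
Crypto Map Template"Test-Ipsec-Map" 100
         IKE Version: 1
         Peer gateway: 192.0.2.1
         Forced NAT-T (Y/N): N
         Force-Tunnel-Mode (Y/N): N
         IP Compression (Y/N): N
"""


def parse_force_tunnel(text):
    """Return (map_name, priority, enabled) from either output format.

    Raises ValueError if the map header or the flag is missing, so an
    unsupported or truncated capture is never mistaken for a definite answer.
    """
    hdr = MAP_HDR_RE.search(text)
    if not hdr:
        raise ValueError("no ipsec-map header found in output")
    name, prio = hdr.group(1), int(hdr.group(2))
    m = RUNCFG_RE.search(text)
    if m:
        return name, prio, m.group(1).lower() == "enable"
    m = SHOWMAP_RE.search(text)
    if m:
        return name, prio, m.group(1).upper() == "Y"
    raise ValueError(f"force-tunnel-mode not reported for map {name}")


def check_peers(local_text, remote_text):
    """Compare the two peers; return a list of findings (empty means consistent)."""
    lname, _, lmode = parse_force_tunnel(local_text)
    rname, _, rmode = parse_force_tunnel(remote_text)
    findings = []
    if lmode != rmode:
        findings.append(
            f"force-tunnel-mode mismatch: {lname}={'enable' if lmode else 'disable'}, "
            f"{rname}={'enable' if rmode else 'disable'}; tunnel will not be established")
    return findings


if __name__ == "__main__":
    for finding in check_peers(LOCAL_RUNCFG, REMOTE_SHOWMAP) or ["peers consistent"]:
        print(finding)
```

In practice you would paste each controller's output into a file and call `check_peers` on the two captures; the running-config format is the more reliable of the two to parse because it is also what gets saved by `write memory`.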
Last update: 04-02-2017 10:16 PM