Controller Based WLANs

How to configure IPSec connection (Tunnel Mode) by using Preshared Key Authentication between Aruba

Aruba Employee
Requirement:

In this example the RADIUS server has only one NIC and is directly connected to the Aruba controller; in a real deployment there may be routed networks between them. All RADIUS traffic between the Aruba controller and the RADIUS server is encrypted using IPSec tunnel mode.

  • Tunnel mode requires external IP addresses, which are the tunnel endpoints, and internal IP addresses, which are protected by the tunnel. In this example both IP addresses are bound to a single interface on each side.
  • The RADIUS server listens on IP address 1.1.1.1. The Aruba controller uses the internal IP address 2.2.2.1 as the source of all RADIUS traffic.

 

[Radius Server] ============Tunnel============ [Aruba]
ExtIP = 10.4.61.3                              ExtIP = 10.4.61.191
IntIP = 1.1.1.1   (RadIP)                      IntIP = 2.2.2.1   (RadSrcIntIP)



Solution:

In this method the IPSec connection is authenticated with a pre-shared key that is configured on both the Aruba controller and the RADIUS server.

 



Configuration:

 

Configuring the IPSec tunnel on Microsoft Windows Server 2003 (IAS server)

It is assumed that IAS is already installed and configured for user authentication. This document focuses on the IPSec configuration.

Configure the IP addresses on the server in the following sequence: first enter the internal IP address, then the external IP address.

 

Open a Windows command prompt and add a route that directs all RADIUS traffic destined to 2.2.2.1 through the tunnel, using the command “route add 2.2.2.1 mask 255.255.255.255 1.1.1.1”.

Create IPSec Policy
Typically, a Windows Server 2003 gateway is not a member of a domain, so a local IPSec policy is created. If the Windows Server 2003 gateway is a member of a domain that has IPSec policy applied to all members of the domain by default, this prevents the Windows Server 2003 gateway from having a local IPSec policy. In this case, you can create an organizational unit in Active Directory, make the Windows Server 2003 gateway a member of this organizational unit, and assign the IPSec policy to the Group Policy object (GPO) of the organizational unit.  

1.    Click Start, click Run, and then type secpol.msc to start the IP Security Policy Management snap-in.
2.    Right-click IP Security Policies on Local Computer, and then click Create IP Security Policy.
3.    Click Next, and then type a name for your policy (for example, IPSec Tunnel with Aruba Gateway). Click Next.

Note You can also type information in the Description box.
4.    Click to clear the Activate the default response rule check box, and then click Next.
5.    Click Finish (leave the Edit check box selected).
Note The IPSec policy is created with default settings for the IKE main mode. The IPSec tunnel is made up of two rules. Each rule specifies a tunnel endpoint. Because there are two tunnel endpoints, there are two rules. The filters in each rule must represent the source and destination IP addresses in IP packets that are sent to that rule's tunnel endpoint.


Build a Filter List from RadIP to RadSrcIntIP
1.    In the new policy properties, click to clear the Use Add Wizard check box, and then click Add to create a new rule.
2.    Click the IP Filter List tab, and then click Add.
3.    Type an appropriate name for the filter list, click to clear the Use Add Wizard check box, and then click Add.
4.    In the Source address box, click A specific IP Address, and then type the IP Address and Subnet mask for RadIP (1.1.1.1, 255.255.255.255).
5.    In the Destination address box, click A specific IP Address, and then type the IP Address and Subnet mask for RadSrcIntIP (2.2.2.1, 255.255.255.0).
6.    Click to clear the Mirrored check box.
7.    Click the Protocol tab. Make sure that the protocol type is set to Any, because IPSec tunnels do not support protocol-specific or port-specific filters.
8.    If you want to type a description for your filter, click the Description tab. It is generally a good idea to give the filter the same name that you used for the filter list. The filter name appears in the IPSec monitor when the tunnel is active.
9.    Click OK.

 

Build a Filter List from RadSrcIntIP to RadIP
1.    Click the IP Filter List tab, and then click Add.
2.    Type an appropriate name for the filter list, click to clear the Use Add Wizard check box, and then click Add.
3.    In the Source address box, click A specific IP Address, and then type the IP Address and Subnet mask for RadSrcIntIP.
4.    In the Destination address box, click A specific IP Address, and then type the IP Address and Subnet mask for RadIP.
5.    Click to clear the Mirrored check box.
6.    If you want to type a description for your filter, click the Description tab.
7.    Click OK.
 

 

Configure a Rule for a RadIP-to-RadSrcIntIP Tunnel
1.    Click the IP Filter List tab, and then click to select the filter list that you created.
2.    Click the Tunnel Setting tab, click The tunnel endpoint is specified by this IP Address, and then type the Aruba external IP address (the IP address that is assigned to the external port of the controller).
3.    Click the Connection Type tab, and then click All network connections (or click Local area network (LAN)).
4.    Click the Filter Action tab, click to clear the Use Add Wizard check box, and then click Add to create a new filter action because the default actions allow incoming traffic in clear text.
5.    Keep the Negotiate security option enabled, and then click to clear the Accept unsecured communication, but always respond using IPSec check box. You must do this for secure operation.
We did not use PFS in this example.
6.    Click Add, and keep the Integrity and encryption option selected (or you can select the Custom (for expert users) option if you want to define specific algorithms and session key lifetimes). Encapsulating Security Payload (ESP) is one of the two IPSec protocols.
7.    Click OK. Click the General tab, type a name for the new filter action (for example, IPSec tunnel: ESP 3DES/SHA), and then click OK.
8.    Click to select the filter action that you just created. 
9.    Click the Authentication Methods tab, and then configure the authentication method that you want (in this example, the pre-shared key “itsabug”).
10.    Click Close.


Configure a Rule for a RadSrcIntIP-to-RadIP Tunnel
1.    In IPSec policy properties, click Add to create a new rule.
2.    Click the IP Filter List tab, click to select the filter list that you created (from RadSrcIntIP to RadIP).
3.    Click the Tunnel Setting tab, click The tunnel endpoint is specified by this IP Address, and then type WIN2003extIP (where WIN2003extIP is the IP address that is assigned to the external network adapter of the Windows Server 2003 gateway).
4.    Click the Connection Type tab, and then click All network connections (or click Local area network (LAN)).
5.    Click the Filter Action tab, and then click to select the filter action that you created.
6.    Click the Authentication Methods tab, and then configure the same method that you used in the first rule (the same method must be used in both rules): the pre-shared key “itsabug”.
7.    Click OK, make sure both rules that you created are enabled in your policy, and then click OK again.



 

 

PFS is disabled in this example.

 

 

Create a filter action “aruba”. Both filter rules use this filter action.

 

Configuring the IPSec tunnel on the Aruba Controller

 

To configure the Aruba controller, enter the commands in this configuration section. The first part lists the RADIUS-related commands and the second part lists the IPSec-related commands.

 

ip radius source-interface vlan 3
ip radius nas-ip 10.4.61.191
aaa radius-server iasrad host 1.1.1.1 key 692bf7e0f1f1292bd3287d547a6e63a6

crypto-local isakmp key "2670230bddf2674503719ec233eae878" address 10.4.61.3 netmask 255.255.255.255

crypto-local ipsec-map fips 100
  peer-ip 10.4.61.3
  vlan 1
  src-net 2.2.2.1 255.255.255.255
  dst-net 1.1.1.1 255.255.255.255
  set transform-set default-transform
  set security-association lifetime seconds 0
  pre-connect enable
  trusted enable
!

 

Testing tunnel between Aruba and Radius Server

 

Go to the Aruba console or an SSH shell and run “ping 1.1.1.1”, or use the command “aaa test-server iasrad user1 pass1”. This initiates the tunnel.

Then use the command “show crypto-local ipsec-map”:

 

(Aruba) #show crypto-local ipsec-map

Crypto Map Template"fips" 100
         lifetime: [300 - 86400] seconds, no volume limit
         PFS (Y/N): N
         Transform sets={ default-transform }
         Peer gateway: 10.4.61.3
         Interface: VLAN 1
         Source network: 2.2.2.1/255.255.255.255
         Destination network: 1.1.1.1/255.255.255.255
         Pre-Connect (Y/N): Y
         Tunnel Trusted (Y/N): Y
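Both Windows rules must mirror the controller's ipsec-map selectors, each with the far end's external address as its tunnel endpoint. The Python script below is an added example (not part of this article or of any Aruba or Microsoft tool) that parses the show output above and checks the two Windows rules against it, flagging a selector that differs between the ends, such as the 255.255.255.0 mask in step 5 of the first filter list versus the controller's 255.255.255.255 src-net; the function names and the rule representation are my own.

```python
import ipaddress
import re
# Constructed sample: the "show crypto-local ipsec-map" output quoted in this article.
SHOW_OUTPUT = """\
Crypto Map Template"fips" 100
         lifetime: [300 - 86400] seconds, no volume limit
         PFS (Y/N): N
         Transform sets={ default-transform }
         Peer gateway: 10.4.61.3
         Interface: VLAN 1
         Source network: 2.2.2.1/255.255.255.255
         Destination network: 1.1.1.1/255.255.255.255
         Pre-Connect (Y/N): Y
         Tunnel Trusted (Y/N): Y
"""

def parse_ipsec_map(text):
    """Extract peer gateway, traffic selectors and PFS flag from the controller output."""
    def grab(label):  # raises AttributeError if the field is absent from the output
        return re.search(r"^\s*" + re.escape(label) + r":\s*(\S+)", text, re.M).group(1)
    # The controller prints addr/dotted-mask; strict=False tolerates host bits in the address.
    return {"peer": grab("Peer gateway"),
            "src": ipaddress.ip_network(grab("Source network"), strict=False),
            "dst": ipaddress.ip_network(grab("Destination network"), strict=False),
            "pfs": grab("PFS (Y/N)") == "Y"}

def win_rule(src, src_mask, dst, dst_mask, endpoint):
    """One Windows tunnel rule: a non-mirrored filter (src -> dst) plus its tunnel endpoint."""
    return {"src": ipaddress.ip_network(src + "/" + src_mask, strict=False),
            "dst": ipaddress.ip_network(dst + "/" + dst_mask, strict=False),
            "endpoint": endpoint}

def check_policy(aruba, aruba_ext_ip, win_ext_ip, to_aruba, to_radius, win_pfs):
    """Return mismatches between the controller map and the two Windows rules (empty = consistent)."""
    problems = []
    if aruba["peer"] != win_ext_ip:
        problems.append("controller peer-ip is not the Windows external IP")
    # Each Windows rule carries one direction's selectors and the far end as its tunnel endpoint.
    expected = [
        ("RadIP->RadSrcIntIP", to_aruba, (aruba["dst"], aruba["src"]), aruba_ext_ip),
        ("RadSrcIntIP->RadIP", to_radius, (aruba["src"], aruba["dst"]), win_ext_ip),
    ]
    for name, rule, (src, dst), endpoint in expected:
        if (rule["src"], rule["dst"]) != (src, dst):
            problems.append(name + " filter does not match the controller src-net/dst-net")
        if rule["endpoint"] != endpoint:
            problems.append(name + " tunnel endpoint is not the far end's external IP")
    if aruba["pfs"] != win_pfs:
        problems.append("PFS setting differs between the two ends")
    return problems
```

Feed it the values from the Windows rules you created and an empty list means the two ends agree; any string returned names the rule and field to revisit.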

 

 



Verification

 

Here are the commands to verify on the controller.

show datapath session table

show crypto ipsec sa

show crypto isakmp sa

show ip route

show datapath tunnel table

 

Version history
Revision #: 2 of 2
Last update: 03-07-2016 01:30 PM