Controller Based WLANs

 View Only
last person joined: one year ago 

APs, Controllers, VIA
Back to Library

How to configure Master-Local using IKEv2 (in built certificates ) for the IPSec 

Jul 04, 2014 05:48 AM

Introduction : Master-Local setup build the IPSec tunnel to exchange the control messages. By default is uses IKEv1 and aggressive mode as the first exchange. However, we can configure the Master-Local to build the IPSec tunnel using IKEv2, for which they use inbuilt certificates.

 

Network Topology :

 

Configuration Steps :

 

Master Controller configuration
=========================

- Define the Local controller MAC address

      (config) #local-factory-cert local-mac <MAC address of the local controller, can be seen under command #show switchinfo )


Local controller Configuration
=======================

- Define the Master controller MAC address

    (config) #masterip 172.16.0.254 ipsec-factory-cert master-mac-1 < MAC address of the Master controller, can be seen under command #show switchinfo )

 

Answer :

 

Master-Local setup build the IPSec tunnel to exchange the control messages. By default is uses IKEv1 and aggressive mode as the first exchange. However, we can configure the Master-Local to build the IPSec tunnel using IKEv2, for which they use inbuilt certificates.Using above configuration we can setup the IPSec tunnel using IKEv2

Verification :

 

We can confirm the IPSec is set using IKEv2 by below commands

Local
=====
(Local) #show roleinfo

switchrole:local
masterip:172.16.0.254
Certificate Type: Factory Certificates
Master MAC: 00:0b:86:6e:a2:34

(Local) #show switches

All Switches
------------
IP Address    Name   Location          Type   Model      Version        Status  Configuration State  Config Sync Time (sec)  Config ID
----------    ----   --------          ----   -----      -------        ------  -------------------  ----------------------  ---------
172.16.0.252  Local  Building1.floor1  local  Aruba3400  6.3.1.3_42233  up      UPDATE SUCCESSFUL    0                       2

(Local) #show crypto ipsec sa


IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
172.16.0.252     172.16.0.254     d5425500/8d768400  UT2   Mar 27 15:03:53     -

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

 
Total IPSEC SAs: 1


Master
======

(Master) #show roleinfo
 
switchrole:master
 
(Master) #show switches
 
All Switches
------------
IP Address    Name      Location          Type    Model      Version        Status  Configuration State  Config Sync Time (sec)  Config ID
----------    ----      --------          ----    -----      -------        ------  -------------------  ----------------------  ---------
172.16.0.254  Master    Building1.floor1  master  Aruba3600  6.3.1.3_42233  up      UPDATE SUCCESSFUL    0                       2
172.16.0.252  Local     Building1.floor1  local   Aruba3400  6.3.1.3_42233  up      UPDATE SUCCESSFUL    8                       2
 
(Master) #show crypto ipsec sa
 
 
IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
172.16.0.252     172.16.0.254     8d768400/d5425500  UT2   Mar 27 10:41:24     -
 
Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2
 

 

Statistics
0 Favorited
1 Views
0 Files
0 Shares
0 Downloads

Related Entries and Links

No Related Resource entered.