How to configure site to site VPN for dynamically addressed peers

Posted on 07-18-2014 05:57 AM

Introduction:

When Site to Site VPN is configured between the data center and remote branches, some controllers at the remote sites may not have a static IP address on their uplink, for example when the uplink is a PPPoE link, sits behind a cable modem, or is a 3G/4G link. In that case a static peer IP address cannot be used in the Site to Site VPN configuration, and a dynamic peer address has to be used instead.

 

Feature Notes:

  • IKE Aggressive-Mode with authentication based on Pre-Shared-Key is used for Site to Site VPN with dynamically addressed peers.
  • IKE Main-Mode is used for Site to Site VPN with statically addressed peers.
  • IKE Main-Mode with certificates will NOT be supported for Dynamic IP peers.

Configuration Steps:

Here is a sample configuration on the data center controller and on the remote site controller:

On the data center (Hub) controller:

  1. Responder with a unique map per peer

crypto-local isakmp key "******" fqdn 100
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac

crypto-local ipsec-map dyn-sts 100
  peer-ip 0.0.0.0
  peer-fqdn fqdn-id 100
  vlan 0
  src-net 192.168.199.0 255.255.255.0
  dst-net 192.168.5.0 255.255.255.0
  ! reference the transform set defined above so the tunnel negotiates AES-256
  set transform-set "default-aes"
  pre-connect enable
  trusted enable
  force-natt enable

  2. Responder with one map for all peers

crypto-local isakmp key "******" fqdn-any
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac

crypto-local ipsec-map dyn-sts 100
  peer-ip 0.0.0.0
  peer-fqdn any-fqdn
  vlan 0
  src-net 192.168.199.0 255.255.255.0
  dst-net 192.168.5.0 255.255.255.0
  ! reference the transform set defined above so the tunnel negotiates AES-256
  set transform-set "default-aes"
  pre-connect enable
  trusted enable
  force-natt enable

On the remote site (Spoke) controller:

crypto-local isakmp key "******" address 10.163.188.10 netmask 255.255.255.255
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac

crypto-local ipsec-map dyn-sts 100
  peer-ip 10.163.188.10
  local-fqdn 100
  vlan 0
  src-net 192.168.5.0 255.255.255.0
  dst-net 192.168.199.0 255.255.255.0
  ! same transform set as the hub, defined above
  set transform-set "default-aes"
  pre-connect enable
  trusted enable
  force-natt enable
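As an added check that is not part of the original article, the Python script below parses a hub snippet and a spoke snippet in the format shown above and reports where they fail to mirror each other: src-net/dst-net not swapped, the fqdn id on the hub not matching local-fqdn on the spoke, and a transform set that a map references but the snippet never defines. The embedded sample strings are the article's hub variant 1 and spoke configuration, reduced to the lines the check needs and referencing the default-aes transform set the snippets define.

```python
def parse_ipsec_config(text):
    """Return isakmp key identities, transform-set definitions and ipsec-map attributes."""
    cfg, cur = {"keys": [], "transforms": {}, "maps": {}}, None
    for words in filter(None, (line.split() for line in text.splitlines())):
        if words[:3] == ["crypto-local", "isakmp", "key"]:    # identity follows the PSK
            cfg["keys"].append(" ".join(words[4:]))
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            cfg["transforms"][words[3]] = words[4:]
        elif words[:2] == ["crypto-local", "ipsec-map"]:
            cur = cfg["maps"].setdefault(words[2], {})
        elif cur is not None:                                  # indented attribute of a map
            if words[0] == "set":                              # 'set transform-set "name"'
                words = words[1:]
            cur[words[0]] = " ".join(words[1:]).strip('"')
    return cfg

def check_hub_spoke(hub_text, spoke_text, map_name="dyn-sts"):
    """List every way the hub map and the spoke map fail to mirror each other."""
    hub, spoke = parse_ipsec_config(hub_text), parse_ipsec_config(spoke_text)
    h, s = hub["maps"].get(map_name, {}), spoke["maps"].get(map_name, {})
    problems = [f"{side}: transform-set {m.get('transform-set')!r} is not defined here"
                for side, cfg, m in (("hub", hub, h), ("spoke", spoke, s))
                if m.get("transform-set") not in cfg["transforms"]]  # would use a built-in set
    for a, b in (("src-net", "dst-net"), ("dst-net", "src-net")):  # nets must be swapped
        if h.get(a) != s.get(b):
            problems.append(f"hub {a} {h.get(a)!r} != spoke {b} {s.get(b)!r}")
    peer_id = h.get("peer-fqdn", "").split()          # ['fqdn-id', '100'] or ['any-fqdn']
    if peer_id[:1] == ["fqdn-id"] and peer_id[1:] != [s.get("local-fqdn")]:
        problems.append(f"hub peer-fqdn {peer_id} does not match spoke local-fqdn {s.get('local-fqdn')!r}")
    return problems

# constructed sample input: the article's hub variant 1 and spoke, key still redacted
HUB = """\
crypto-local isakmp key "******" fqdn 100
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto-local ipsec-map dyn-sts 100
  peer-ip 0.0.0.0
  peer-fqdn fqdn-id 100
  src-net 192.168.199.0 255.255.255.0
  dst-net 192.168.5.0 255.255.255.0
  set transform-set "default-aes"
"""
SPOKE = """\
crypto-local isakmp key "******" address 10.163.188.10 netmask 255.255.255.255
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto-local ipsec-map dyn-sts 100
  peer-ip 10.163.188.10
  local-fqdn 100
  src-net 192.168.5.0 255.255.255.0
  dst-net 192.168.199.0 255.255.255.0
  set transform-set "default-aes"
"""
```

Running `check_hub_spoke(HUB, SPOKE)` on the matching pair returns an empty list; running it against a spoke whose map references an undefined transform set or a different local-fqdn returns one message per mismatch.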
