
How to do IKEv2+Suite-B support for Master-Local/Master Redundancy on controller?

Aruba Employee
Requirement

Configure IKEv2 and Suite B to establish an IPsec tunnel between controllers in the different topologies: master-local, master-master (master redundancy), and cluster root to cluster member.

Topology

Solution:

IKEv2 can use three different kinds of certificates:

Factory certs: certificates present on the controller by default

RSA customer certificates

Suite B crypto using ECDSA customer certificates

The solution below covers both the configuration steps and the verification commands.


Configuration:

When using factory certificates no upload is required; make sure the certificates are present on the controller with show tpm cert-info. When using custom certificates, the server certificate and the trusted (CA) certificate have to be uploaded to the controller through the WebUI.

From WebUI


Master-Local Configuration using Factory certificates

On Local controller

(London) (config) #masterip <master ip> ipsec-factory-cert master-mac-1 <Macaddr of active> master-mac-2 <macaddr of standby>

On Master controller

(USA) (config) #local-factory-cert local-mac <localcontrollermac>

 

Master-Local Configuration using custom certificates

On Local Controller

RSA Certificates

(London) (config) #masterip <masterip> ipsec-custom-cert master-mac-1 <mastercertCN> ca-cert <trusted certname> server-cert <servercertname>

ECDSA Certificates

(London) (config) #masterip <masterip> ipsec-custom-cert master-mac-1 <mastercert CN> ca-cert <trusted certname> server-cert <servercertname> suite-b gcm128/256

On Master Controller

RSA Certificates

(USA) (config) #local-custom-cert local-mac <localcertCN> ca-cert <trustcertname> server-cert <servercertname>

ECDSA Certificates

(USA) (config) #local-custom-cert local-mac <localcertCN> ca-cert <trustcertname> server-cert <servercertname> suite-b gcm128/256

 

Configuration – Master Redundancy Using Factory & Custom Certificates

Factory certificates

(USA) (config-master-redundancy)#peer-ip-address <peerip> ipsec-factory-cert peer-mac <Macaddress of Peer>

Custom RSA certificates

(USA) (config-master-redundancy)#peer-ip-address <peerip> ipsec-custom-cert peer-mac <peercertificateCN> ca-cert <trusted certificate name> server-cert <servercert name>

Custom ECDSA certificates

(USA) (config-master-redundancy)#peer-ip-address <peerip> ipsec-custom-cert peer-mac <peercertificateCN> ca-cert <trusted certificate name> server-cert <servercert name> suite-b gcm128/256

 

Configuration – Cluster Using Factory Certificates

On Cluster Member

(USA) (config) #cluster-root-ip <clusterrootip> ipsec-factory-cert root-mac-1 <macaddress of clusterroot>

On Cluster Root

(USA) (config) #cluster-member-factory-cert member-mac <member mac>

Configuration – Cluster Using Custom Certificates

On Cluster Root

RSA Certificates

(USA) (config) #cluster-member-custom-cert member-mac <membercertificateCN> ca-cert <trustedcertname> server-cert <servercertname>

ECDSA Certificates

(USA) (config) #cluster-member-custom-cert member-mac <membercertificateCN> ca-cert <trustedcertname> server-cert <servercertname> suite-b gcm128

On Cluster Member

RSA Certificates

(USA) (config) #cluster-root-ip <rootip> ipsec-custom-cert root-mac-1 <rootcertCN> ca-cert <trustedcertname> server-cert <servercertname>

ECDSA Certificates

(USA) (config) #cluster-root-ip <rootip> ipsec-custom-cert root-mac-1 <rootcertCN> ca-cert <trustedcertname> server-cert <servercertname> suite-b gcm128/256


Verification

(USA) (config) #show crypto ipsec sa

IPSEC SA Active Session Information
-----------------------------------
Initiator IP     Responder IP     InitiatorID         ResponderID         Flags    Start Time      Inner IP
------------     ------------     -----------         -----------         -----  ---------------   --------
10.4.27.11       10.4.27.10       10.4.27.11/32       10.4.27.10/32       T      Dec  9 01:01:58     -

IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
10.4.27.4        10.4.27.10       1c986200/67a58c00  UT2   Dec  9 02:24:03     -

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 2

 

(USA) (config) #show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
10.4.27.11       10.4.27.10     r-a-p     Dec  9 01:01:58          -
10.4.27.4        10.4.27.10     r-v2-c    Dec  9 02:23:55     -

Flags: i = Initiator; r = Responder
       m = Main Mode; a = Agressive Mode v2 = IKEv2
       p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature
       x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
       3 = 3rd party AP; C = Campus AP; R = RAP
       V = VIA; S = VIA over TCP

Total ISAKMP SAs: 2
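The flag column is what tells you whether a tunnel actually came up as IKEv2 with certificate authentication or fell back to IKEv1 with a pre-shared key. The following script, an added example that is not part of the original article or of ArubaOS, decodes the flags of each ISAKMP SA row using the legend printed above and reports which peers still run a legacy tunnel; the sample output is constructed from the page's own rows.

```python
import re

# Flag legend exactly as printed by "show crypto isakmp sa" on this page.
ISAKMP_FLAGS = {
    "i": "initiator", "r": "responder",
    "m": "main mode", "a": "aggressive mode", "v2": "IKEv2",
    "p": "pre-shared key", "c": "certificate/RSA signature", "e": "ECDSA signature",
    "x": "XAuth", "y": "mode-config", "E": "EAP",
    "3": "3rd party AP", "C": "campus AP", "R": "RAP",
    "V": "VIA", "S": "VIA over TCP",
}

# Constructed sample, copied from the output shown in the Verification section.
SAMPLE = """\
ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP   Flags       Start Time      Private IP
------------     ------------   -----     ---------------   ----------
10.4.27.11       10.4.27.10     r-a-p     Dec  9 01:01:58          -
10.4.27.4        10.4.27.10     r-v2-c    Dec  9 02:23:55     -
"""

# One SA row: initiator IP, responder IP, dash-separated flag string.
ROW = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+([\w-]+)\s+")


def parse_isakmp_sa(text):
    """Return a list of (initiator, responder, [decoded flag names]) per SA row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:          # header, separator and legend lines are skipped
            continue
        flags = [ISAKMP_FLAGS.get(f, f"unknown({f})") for f in m.group(3).split("-")]
        rows.append((m.group(1), m.group(2), flags))
    return rows


def audit(text):
    """Map 'initiator->responder' to 'ok' when the SA is IKEv2 authenticated with an
    RSA or ECDSA certificate, otherwise 'legacy' (IKEv1 and/or pre-shared key)."""
    verdict = {}
    for init, resp, flags in parse_isakmp_sa(text):
        ikev2 = "IKEv2" in flags
        cert = "certificate/RSA signature" in flags or "ECDSA signature" in flags
        verdict[f"{init}->{resp}"] = "ok" if ikev2 and cert else "legacy"
    return verdict


if __name__ == "__main__":
    for peer, state in audit(SAMPLE).items():
        print(f"{peer}: {state}")
```

On the page's output the 10.4.27.4 tunnel is reported as ok (r-v2-c) while the 10.4.27.11 tunnel is flagged legacy (r-a-p: IKEv1 aggressive mode with a pre-shared key), which is exactly the case this configuration is meant to eliminate.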

 

Troubleshooting commands

show crypto ipsec sa

show crypto isakmp sa

show datapath session table

show log security all

Version history: revision 2 of 2, last updated 05-18-2016 01:38 PM