How to set up a site-to-site VPN using a 4G uplink

Jul 10, 2014 05:48 PM

Question: How to set up a site-to-site VPN using a 4G uplink
Environment: A650 ==> Firewall ==> A620 (4G uplink, dynamic IP)

 

In general, the Aruba controller with a dynamic IP address must be configured as the initiator of IKE Aggressive-mode for site-to-site VPN, while the controller with a static IP address must be configured as the responder of IKE Aggressive-mode.

When the Aruba 620 with a UML290 modem was configured as the VPN initiator, it could not initiate IKE sessions from the CELL interface.
The cell interface is a ppp0 interface; it is not part of any valid VLAN, and there is no option to map the cell interface as an uplink.

As a workaround, we can set up the IPsec tunnel with the controller "with USB modem" as the "responder". The "CELL" interface cannot be defined in the crypto-local ipsec-map, which is why the controller was not initiating IKE.

If the cell interface IP address is dynamic, we can contact the vendor and get a static IP configured. Aruba had already paid a one-time fee for unlimited static IPs for known vendors (Verizon). We need to provide them with a SIM card number to set up a static IP.
Developers are already working on an enhancement that allows the cell interface to be configured instead of the VLAN.
 
(Aruba620) #show uplink 
 
Uplink Manager: Enabled
 
Uplink Management Table
-----------------------
Id  Uplink Type  Properties      Priorty  State         Status
--  -----------  ----------      -------  -----         ------
1   Wired        vlan 1          200      Initializing  Waiting for link
2   Cellular     Pantech_UML290  100      Connected     * Active *
 
#show uplink config  
 
Uplink Manager: Enabled
 
Default Wired Priority:  200
Default Cellular Priority: 255
 
The first time the 4G modem is plugged in:
 
(Aruba620) #show ip interface brief
 
Interface IP Address / IP Netmask Admin Protocol
vlan 402 10.100.249.1 / 255.255.255.0 up up 
vlan 1 unassigned / unassigned up down
CELL 10.185.250.238 / 255.255.255.252 up up 
loopback unassigned / unassigned up up 
mgmt unassigned / unassigned down down
 
After unplugging, the second time the 4G modem is plugged in:

(Aruba620) #show ip interface brief
 
Interface IP Address / IP Netmask Admin Protocol
vlan 402 10.100.249.1 / 255.255.255.0 up up 
vlan 1 unassigned / unassigned up down
CELL 10.170.113.83 / 255.255.255.248 up up 
loopback unassigned / unassigned up up 
mgmt unassigned / unassigned down down
 
 
show log security 10
 
Jul 25 15:37:40 <isakmpd 399816>  <ERRS> |ike|  Vlan 1 is not configured yet 
Jul 25 15:37:40 <isakmpd 103061>  <ERRS> |ike|   vlan 1 is not configured yet 
Jul 25 15:38:01 <isakmpd 399816>  <ERRS> |ike|  Vlan 1 is not configured yet 
Jul 25 15:38:01 <isakmpd 103061>  <ERRS> |ike|   vlan 1 is not configured yet 
Jul 25 15:38:22 <isakmpd 399816>  <ERRS> |ike|  Vlan 1 is not configured yet 
Jul 25 15:38:22 <isakmpd 103061>  <ERRS> |ike|   vlan 1 is not configured yet 
Jul 25 15:38:43 <isakmpd 399816>  <ERRS> |ike|  Vlan 1 is not configured yet 
Jul 25 15:38:43 <isakmpd 103061>  <ERRS> |ike|   vlan 1 is not configured yet
 
A620 Controller:
============
 
crypto-local isakmp key "******" address 65.113.226.136 netmask 255.255.255.255
crypto-local isakmp key "******" fqdn command_vehicle
crypto-local isakmp key "******" fqdn any
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10000
  set transform-set "default-transform" "default-aes" 
!
 
crypto-local ipsec-map Command_Vehicle_VPN 100
  peer-ip 65.113.226.136
  local-fqdn arapahoe
  vlan 1
  src-net 10.100.249.0 255.255.255.0
  dst-net 10.100.252.0 255.255.254.0
  set transform-set "default-transform" 
  pre-connect enable
  trusted enable
  force-natt enable
 
A650 Controller:
============
 
crypto-local isakmp key "******" address 10.161.177.153 netmask 255.255.255.255
crypto-local isakmp key "******" address 0.0.0.0 netmask 255.255.255.255
crypto-local isakmp key "******" address 65.102.237.238 netmask 255.255.255.255
crypto-local isakmp key "******" fqdn command_vehicle
crypto-local isakmp key "******" fqdn-any
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10000
  set transform-set "default-transform" "default-aes" 
!
 
crypto-local ipsec-map Command_Vehicle_VPN 100
  peer-ip 0.0.0.0
  peer-fqdn fqdn-id arapahoe
  vlan 3
  src-net 10.100.252.0 255.255.254.0
  dst-net 10.100.249.0 255.255.255.0
  set transform-set "default-transform" 
  pre-connect enable
  trusted enable
  force-natt enable
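
The mismatch described above can be checked mechanically. The following is an added example, not part of the original article or any Aruba tooling: it cross-references the `show uplink` table, the ipsec-map's `vlan` binding and the isakmpd errors. The sample input is constructed by trimming the outputs shown on this page, and the function names and the assumed column layout are illustrative.

```python
import re

# Constructed sample input, trimmed from the outputs shown on this page.
SHOW_UPLINK = """\
1   Wired        vlan 1          200      Initializing  Waiting for link
2   Cellular     Pantech_UML290  100      Connected     * Active *
"""
IPSEC_MAP = """\
crypto-local ipsec-map Command_Vehicle_VPN 100
  peer-ip 65.113.226.136
  vlan 1
  pre-connect enable
"""
SECURITY_LOG = """\
Jul 25 15:37:40 <isakmpd 399816>  <ERRS> |ike|  Vlan 1 is not configured yet
Jul 25 15:37:40 <isakmpd 103061>  <ERRS> |ike|   vlan 1 is not configured yet
"""

def parse_uplinks(text):
    """Rows of the `show uplink` table as dicts (assumes the 6-column layout above)."""
    rows = []
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) == 6 and cols[0].isdigit():
            rows.append({"type": cols[1], "prop": cols[2], "status": cols[5]})
    return rows

def parse_maps(text):
    """{map name: VLAN the map is bound to} for each crypto-local ipsec-map."""
    maps, name = {}, None
    for line in text.splitlines():
        if m := re.match(r"crypto-local ipsec-map (\S+) \d+", line):
            name = m.group(1)
        elif name and (m := re.match(r"\s+vlan (\d+)\s*$", line)):
            maps[name] = int(m.group(1))
    return maps

def diagnose(uplink_text, map_text, log_text):
    """Maps bound to a VLAN that is not the active uplink, plus matching IKE errors."""
    active = next((u for u in parse_uplinks(uplink_text) if "Active" in u["status"]), None)
    findings = []
    for name, vlan in parse_maps(map_text).items():
        if active and active["prop"] == f"vlan {vlan}":
            continue  # map is bound to the uplink that is actually up
        errs = len(re.findall(rf"\|ike\|\s+vlan {vlan} is not configured yet", log_text, re.I))
        findings.append((name, vlan, active["type"] if active else None, errs))
    return findings

if __name__ == "__main__":
    print(diagnose(SHOW_UPLINK, IPSEC_MAP, SECURITY_LOG))
```

Each finding is a tuple of map name, bound VLAN, type of the uplink that is actually active, and the number of matching IKE errors in the log.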
