In general, the Aruba controller with a dynamic IP address must be configured to
be the initiator of IKE Aggressive-mode for Site-Site VPN, while the controller with a static IP address must be
configured as the responder of IKE Aggressive-mode.
When an Aruba 620 with a UML290 modem is configured as the VPN initiator, it cannot initiate IKE sessions from the CELL interface.
The cell interface is a ppp0 interface and is not part of any valid VLAN, and there is no option to map the cell interface in the uplink.
As a workaround, set up the IPSec tunnel with the controller that has the USB modem as the "responder": the "CELL" interface cannot be defined in a crypto-local ipsec-map, which is why that controller was not initiating IKE.
If the cell interface IP address is dynamic, contact the vendor and have a static IP configured. Aruba had already paid a one-time fee for unlimited static IPs for known vendors (Verizon). The vendor needs the SIM card number to set up a static IP.
Developers are already working on an enhancement that allows the cell interface to be configured instead of the VLAN.
(Aruba620) #show uplink
Uplink Manager: Enabled
Uplink Management Table
-----------------------
Id  Uplink Type  Properties      Priorty  State         Status
--  -----------  ----------      -------  -----         ------
1   Wired        vlan 1          200      Initializing  Waiting for link
2   Cellular     Pantech_UML290  100      Connected     * Active *
#show uplink config
Uplink Manager: Enabled
Default Wired Priority: 200
Default Cellular Priority: 255
The first time the 4G modem is plugged in:
(Aruba620) #show ip interface brief
Interface IP Address / IP Netmask Admin Protocol
vlan 402 10.100.249.1 / 255.255.255.0 up up
vlan 1 unassigned / unassigned up down
CELL 10.185.250.238 / 255.255.255.252 up up
loopback unassigned / unassigned up up
mgmt unassigned / unassigned down down
After unplugging, the second time the 4G modem is plugged in:
(Aruba620) #show ip interface brief
Interface IP Address / IP Netmask Admin Protocol
vlan 402 10.100.249.1 / 255.255.255.0 up up
vlan 1 unassigned / unassigned up down
CELL 10.170.113.83 / 255.255.255.248 up up
loopback unassigned / unassigned up up
mgmt unassigned / unassigned down down
show log security 10
Jul 25 15:37:40 <isakmpd 399816> <ERRS> |ike| Vlan 1 is not configured yet
Jul 25 15:37:40 <isakmpd 103061> <ERRS> |ike| vlan 1 is not configured yet
Jul 25 15:38:01 <isakmpd 399816> <ERRS> |ike| Vlan 1 is not configured yet
Jul 25 15:38:01 <isakmpd 103061> <ERRS> |ike| vlan 1 is not configured yet
Jul 25 15:38:22 <isakmpd 399816> <ERRS> |ike| Vlan 1 is not configured yet
Jul 25 15:38:22 <isakmpd 103061> <ERRS> |ike| vlan 1 is not configured yet
Jul 25 15:38:43 <isakmpd 399816> <ERRS> |ike| Vlan 1 is not configured yet
Jul 25 15:38:43 <isakmpd 103061> <ERRS> |ike| vlan 1 is not configured yet
A620 Controller:
============
crypto-local isakmp key "******" address 65.113.226.136 netmask 255.255.255.255
crypto-local isakmp key "******" fqdn command_vehicle
crypto-local isakmp key "******" fqdn any
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10000
set transform-set "default-transform" "default-aes"
!
crypto-local ipsec-map Command_Vehicle_VPN 100
peer-ip 65.113.226.136
local-fqdn arapahoe
vlan 1
src-net 10.100.249.0 255.255.255.0
dst-net 10.100.252.0 255.255.254.0
set transform-set "default-transform"
pre-connect enable
trusted enable
force-natt enable
A650 Controller:
============
crypto-local isakmp key "******" address 10.161.177.153 netmask 255.255.255.255
crypto-local isakmp key "******" address 0.0.0.0 netmask 255.255.255.255
crypto-local isakmp key "******" address 65.102.237.238 netmask 255.255.255.255
crypto-local isakmp key "******" fqdn command_vehicle
crypto-local isakmp key "******" fqdn-any
crypto ipsec transform-set default-boc-bm-transform esp-3des esp-sha-hmac
crypto ipsec transform-set default-rap-transform esp-aes256 esp-sha-hmac
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto dynamic-map default-dynamicmap 10000
set transform-set "default-transform" "default-aes"
!
crypto-local ipsec-map Command_Vehicle_VPN 100
peer-ip 0.0.0.0
peer-fqdn fqdn-id arapahoe
vlan 3
src-net 10.100.252.0 255.255.254.0
dst-net 10.100.249.0 255.255.255.0
set transform-set "default-transform"
pre-connect enable
trusted enable
force-natt enable
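
The mismatch visible in the outputs above (the A620 ipsec-map is bound to vlan 1, while vlan 1 has no IP address and CELL is the active uplink) can be checked offline before deployment. The Python sketch below is an added example, not part of the original article or of any Aruba tool: it parses "show ip interface brief" output and the crypto-local ipsec-map configuration and reports every map bound to a VLAN that has no address or is down. The function names and the abridged sample inputs are constructed for illustration.

```python
import re

# Constructed sample input, abridged from the outputs shown above.
INTERFACES = """\
vlan 402 10.100.249.1 / 255.255.255.0 up up
vlan 1 unassigned / unassigned up down
CELL 10.185.250.238 / 255.255.255.252 up up
"""
CONFIG = """\
crypto-local ipsec-map Command_Vehicle_VPN 100
peer-ip 65.113.226.136
local-fqdn arapahoe
vlan 1
pre-connect enable
"""

def parse_interfaces(text):
    """Map interface name -> (ip or None, protocol state)."""
    table = {}
    row = r"\s*(vlan \d+|\S+)\s+(\S+)\s*/\s*(\S+)\s+(\S+)\s+(\S+)\s*$"
    for line in text.splitlines():
        m = re.match(row, line)
        if m:
            name, ip, _mask, _admin, proto = m.groups()
            table[name.lower()] = (None if ip == "unassigned" else ip, proto)
    return table

def parse_ipsec_maps(text):
    """Map ipsec-map name -> dict holding its 'vlan' and 'peer-ip' settings."""
    maps, current = {}, None
    for line in text.splitlines():
        words = line.split()
        if words[:2] == ["crypto-local", "ipsec-map"] and len(words) >= 3:
            current = maps.setdefault(words[2], {})
        elif current is not None and len(words) == 2 and words[0] in ("vlan", "peer-ip"):
            current[words[0]] = words[1]
        elif words and words[0] == "!":
            current = None  # "!" closes the current configuration block
    return maps

def unusable_maps(config, interfaces):
    """Return [(map, vlan, reason)] for maps whose VLAN cannot source IKE."""
    ifs = parse_interfaces(interfaces)
    findings = []
    for name, settings in parse_ipsec_maps(config).items():
        vlan = "vlan " + settings.get("vlan", "?")
        ip, proto = ifs.get(vlan, (None, "missing"))
        if ip is None or proto != "up":
            reason = "no IP address" if ip is None else "protocol " + proto
            findings.append((name, vlan, reason))
    return findings

if __name__ == "__main__":
    for finding in unusable_maps(CONFIG, INTERFACES):
        print("ipsec-map %s bound to %s: %s" % finding)
```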