Controller Based WLANs

What is the double-encrypt option on a remote access point?

Posted on 07-03-2014 11:05 AM

Product and Software: This article applies to all Aruba controllers and ArubaOS 3.x.


The double-encrypt option is applicable for remote access points (RAPs). By default, it is disabled.

1. In disabled mode (the default), all non-GRE traffic, that is, PAPI traffic, is encrypted by IPsec using the encryption method configured for that RAP. GRE traffic, such as user data and the bootstrap heartbeat, is not encrypted by IPsec but is still encapsulated by IPsec.

2. In enabled mode, all traffic is encrypted by IPsec. Wireless traffic that has already been encrypted with WPA, WPA2, or WEP is therefore encrypted again by IPsec, which is why it is called double encryption. The disadvantage of double encryption is that it drops the maximum throughput to 2 Mb/s only for legacy APs, because all the IPsec encryption is done in software, not hardware. The best scenario for enabling double encryption is therefore when the SSID of the RAP uses null encryption (opensystem) for the wireless traffic.
