Product and Software: This article applies to all Aruba controllers and ArubaOS 3.x.
The double-encrypt option is applicable for remote access points (RAPs). By default, it is disabled.
1. In disabled mode (the default mode), all non-GRE traffic, that is, PAPI traffic, is encrypted by IPsec by using the encryption method configured for that RAP. All GRE traffic, such as, the user data and bootstrap heartbeat, is not encrypted by IPsec, but is still encapsulated by IPsec.
2. In enabled mode, all traffic is encrypted by IPsec. That means all wireless traffic that has been encrypted using WPA, WPA2, or WEP is encrypted again by IPsec, which is why it is called double encryption. The disadvantage of double encryption is that it drops the maximum throughput to 2 Mb/s only for legacy APs because all the IPsec encryption is done by software, not hardware. So the best scenario to enable double encryption is when SSID of the RAP use null encryption (opensystem) for the wireless traffic.