Why does the WebUI "All Access Points" page show IPSEC as Disabled for a CPSec AP but Enabled for a RAP?

Jul 11, 2014 05:01 PM


In the controller WebUI there is an option to view "All Access Points", and that page contains an IPSEC section (see the screenshot below).

[Screenshot rtaImage.png: the All Access Points page, IPSEC section highlighted with a red box]

As highlighted above with the red box, the IPSEC option shows Enabled for RAPs, but for a Campus AP with CPSec enabled it does not show Enabled.

Question: What do a RAP and an AP with CPSec do differently?
Answer: A RAP secures both the control traffic and the GRE traffic with IPsec, whereas CPSec secures only the control traffic, not the GRE traffic.

Aruba populates the values on this page with an SQL query.
For IPSec, it reads the "strap" value from global_ap_table: if strap is 0 (zero) the page shows Disabled, and if it is 1 it shows Enabled.

Question: What is "global_ap_table"?
Answer: It is the database table that maintains the AP information; its contents are displayed by

#show ap database

Question: What is strap?
Answer: strap is a flag stored in global_ap_table that identifies whether the AP is a RAP (Remote AP) or a CAP (Campus AP).

Question: How is the flag set?
Answer: The flag is set when the AP contacts the controller (i.e. sends a Hello message to the controller's SAPM module). A Remote AP sets it to 1 (flag "R"); for a Campus AP it is always 0, with or without CPSec.

The following controller CLI output shows how, with CPSec enabled, the IPsec tunnel can be verified even though the WebUI shows IPSEC as Disabled for the Campus AP.

(Aruba) #show ap database status up
 
AP Database
-----------
Name     Group    AP Type  IP Address  Status     Flags  Switch IP
----     -----    -------  ----------  ------     -----  ---------
ArubaAP  test123  105      10.10.10.2  Up 12m:7s  2      10.10.10.1
 
Flags: U = Unprovisioned; N = Duplicate name; G = No such group; L = Unlicensed
       I = Inactive; D = Dirty or no config; E = Regulatory Domain Mismatch
       X = Maintenance Mode; P = PPPoE AP; B = Built-in AP
       R = Remote AP; R- = Remote AP requires Auth; C = Cellular RAP;
       c = CERT-based RAP; 1 = 802.1x authenticated AP; 2 = Using IKE version 2
       u = Custom-Cert RAP
       M = Mesh node; Y = Mesh Recovery
 
Total APs:1

 
(Aruba) #show control-plane-security
 
Control Plane Security Profile
------------------------------
Parameter                    Value
---------                    -----
Control Plane Security       Enabled
Auto Cert Provisioning       Enabled
Auto Cert Allow All          Enabled
Auto Cert Allowed Addresses  N/A
 
(Aruba) #show datapath session table 10.10.10.2
 
  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
1.3.5.7         10.10.10.2      17   3555  1144   0/0     0 0   1   1/0         1f   0         0          FY
10.10.10.2      1.3.5.7         17   1144  3555   0/0     0 0   0   1/0         1f   1         60         FC
1.2.3.4         10.10.10.2      17   5353  1144   0/0     0 0   0   1/0         a    0         0          FY
10.10.10.1      10.10.10.2      47   0     0      0/0     0 0   0   1/0         2a2  351       30888      F
10.10.10.2      10.10.10.1      47   0     0      0/0     0 0   0   1/0         2a2  383       33704      FC
10.10.10.1      10.10.10.2      17   4500  4500   0/0     0 0   15  1/0         112  0         0          F
10.10.10.2      10.10.10.1      17   4500  4500   0/0     0 0   0   1/0         112  151       182304     FC
10.10.10.2      1.2.3.4         17   1144  5353   0/0     0 0   0   1/0         a    1         64         FCI
10.10.10.2      10.10.10.1      17   8209  8209   0/0     0 0   0   tunnel 11   9    13        13720      FCI
10.10.10.1      10.10.10.2      17   8222  8211   0/0     0 0   1   local       14   0         0          FCI


(Aruba) #show crypto ipsec sa
 
IPSEC SA (V2) Active Session Information
----------------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
10.10.10.2       10.10.10.1       2ace0000/b2cd6600  UT2   Jul  8 21:28:50   10.10.10.2
 
Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2
 
Total IPSEC SAs: 1
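To make the reasoning above mechanical, here is an added Python example (not from the original post or from Aruba) that parses constructed copies of the three show outputs quoted above. It reproduces the WebUI rule (the IPSEC value follows the RAP flag, i.e. strap) and then looks for the evidence that the CPSec IPsec tunnel really exists: the UDP 4500 (IPsec UDP-encapsulated) sessions in the datapath table and the SA in show crypto ipsec sa, with the GRE session still visible separately because CPSec does not wrap GRE. Parsing the table layout from the dash line under each header is my own assumption about the output format, based only on the lines quoted here.

```python
import re

# Constructed copies of the ArubaOS CLI output quoted above (table portions only;
# the legend lines are omitted).
AP_DATABASE = """\
AP Database
-----------
Name     Group    AP Type  IP Address  Status     Flags  Switch IP
----     -----    -------  ----------  ------     -----  ---------
ArubaAP  test123  105      10.10.10.2  Up 12m:7s  2      10.10.10.1

Total APs:1
"""

DATAPATH_SESSIONS = """\
  Source IP     Destination IP  Prot SPort DPort  Cntr Prio ToS Age Destination TAge Packets   Bytes      Flags
--------------  --------------  ---- ----- -----  ---- ---- --- --- ----------- ---- --------- ---------  -----
1.3.5.7         10.10.10.2      17   3555  1144   0/0     0 0   1   1/0         1f   0         0          FY
10.10.10.1      10.10.10.2      47   0     0      0/0     0 0   0   1/0         2a2  351       30888      F
10.10.10.2      10.10.10.1      47   0     0      0/0     0 0   0   1/0         2a2  383       33704      FC
10.10.10.1      10.10.10.2      17   4500  4500   0/0     0 0   15  1/0         112  0         0          F
10.10.10.2      10.10.10.1      17   4500  4500   0/0     0 0   0   1/0         112  151       182304     FC
10.10.10.2      10.10.10.1      17   8209  8209   0/0     0 0   0   tunnel 11   9    13        13720      FCI
10.10.10.1      10.10.10.2      17   8222  8211   0/0     0 0   1   local       14   0         0          FCI
"""

IPSEC_SAS = """\
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
10.10.10.2       10.10.10.1       2ace0000/b2cd6600  UT2   Jul  8 21:28:50   10.10.10.2

Total IPSEC SAs: 1
"""


def parse_column_table(text):
    """Parse a 'show' table whose columns are defined by a line of two or more
    dash groups under the header. Slicing rows by the dash spans keeps values
    that contain spaces ('Up 12m:7s', 'Jul  8 21:28:50') in a single cell.
    Assumed format, inferred from the quoted output, not a documented grammar."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        spans = [m.start() for m in re.finditer(r"-+", line)]
        if i > 0 and len(spans) >= 2 and set(line.strip()) <= {"-", " "}:
            break
    else:
        return []
    bounds = list(zip(spans, spans[1:] + [None]))
    names = [lines[i - 1][a:b].strip() for a, b in bounds]
    rows = []
    for line in lines[i + 1:]:
        if not line.strip():          # the table ends at the first blank line
            break
        rows.append({n: line[a:b].strip() for n, (a, b) in zip(names, bounds)})
    return rows


def is_rap(ap):
    """The article's 'strap' flag: a Remote AP carries 'R' (or 'R-') in the
    Flags column; a Campus AP never does, with or without CPSec."""
    return "R" in ap["Flags"]


def webui_ipsec_column(ap):
    """What the All Access Points page displays: it mirrors strap only."""
    return "Enabled" if is_rap(ap) else "Disabled"


def parse_datapath_sessions(text):
    """Token-based parse of 'show datapath session table'. Only the first five
    columns and the trailing flags are needed, which sidesteps the multi-word
    Destination values ('tunnel 11', 'local')."""
    sessions = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 6 or not tok[2].isdigit():   # skips header and dash lines
            continue
        sessions.append({"src": tok[0], "dst": tok[1], "proto": int(tok[2]),
                         "sport": int(tok[3]), "dport": int(tok[4]),
                         "flags": tok[-1]})
    return sessions


def assess_ap(ap, sessions, sas):
    """Compare what the WebUI says with what the datapath and SA tables prove
    for one AP (IP Address = the AP, Switch IP = its controller)."""
    pair = {ap["IP Address"], ap["Switch IP"]}
    mine = [s for s in sessions if {s["src"], s["dst"]} == pair]
    ap_sas = [s for s in sas if {s["Initiator IP"], s["Responder IP"]} == pair]
    return {
        "name": ap["Name"],
        "is_rap": is_rap(ap),
        "webui_ipsec": webui_ipsec_column(ap),
        # UDP 4500 sessions carry the IPsec-protected control plane (SA flag U).
        "ipsec_udp4500_session": any(s["proto"] == 17 and 4500 in (s["sport"], s["dport"])
                                     for s in mine),
        # GRE (protocol 47) appears as its own session: CPSec leaves GRE outside IPsec.
        "gre_session_visible": any(s["proto"] == 47 for s in mine),
        "ipsec_sa": bool(ap_sas),
        "ikev2": any("2" in s["Flags"] for s in ap_sas),
        "udp_encap": any("U" in s["Flags"] for s in ap_sas),
    }


if __name__ == "__main__":
    aps = parse_column_table(AP_DATABASE)
    sessions = parse_datapath_sessions(DATAPATH_SESSIONS)
    sas = parse_column_table(IPSEC_SAS)
    for ap in aps:
        for key, value in assess_ap(ap, sessions, sas).items():
            print(f"{key:>22}: {value}")
```

For the Campus AP in the quoted output the result is webui_ipsec = Disabled (no R flag) while ipsec_sa, ipsec_udp4500_session and ikev2 are all true, which is exactly the discrepancy the article explains: the page reports strap, not the state of the tunnel. The "2" in the AP database Flags column and the "2" in the SA flags agree on IKEv2.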
