How to configure basic IAP VPN Controller Configuration

Aruba Employee

IAP VPN set up.

 

How to configure basic IAP VPN Controller Configuration

 

 

Head-end controller configuration

 

----------------------------------------------

 

 

 

In the IAP VPN deployment model, the Aruba controller is the VPN termination point and will not be used to provision the IAP.

 

The configuration for WLAN profiles happens on the IAP VC itself.

 

 

 

There are just two steps that are required to provision the VPN controller:
 

 

1. Add VC’s MAC address to the whitelist on the controller using the following command. The ap-group is not important and can be 'default'

 

 

 

(TME-RAPNG) #local-userdb-ap add mac-address d8:c7:c8:c4:43:19 ap-group default

 

To check if the IAP virtual controller is in the whitelist, execute the following CLI command on the controller:
 

 

(TME-RAPNG) # show local-userdb-ap

 

AP-entry Details

 

Name AP-Group AP-Name Full-Name Authen-Username Revoke-Text AP_Authenticated Description Date-Added Enabled Remote-IP

 

-------- ------- --------- --------------- ----------- ---------------- ----------- ---------- ------- ---------

 

d8:c7:c8:c4:43:19 default d8:c7:c8:c4:43:19 shashiIAP Provisioned Mon Apr 30 05:24:11 2012 Yes 0.0.0.0

 

AP Entries: 1

 

 

 

2. Create a IAP VC (RAP) VPN tunnel pool

 

Note that this can be default-vpn-role as well unless you want to define the controller as a RADIUS proxy

 

ip access-list session IAProle

 

any any any  permit

 

 

 

user-role IAProle

 

access-list session IAProle

 

 

 

ip local pool IAPpool 172.16.10.10 172.16.10.20

 

 

 

aaa authentication vpn default-iap

 

 default-role IAProle

 

 

 

Simultate the corporate network behind the controller

 

To simulate the internal corporate network, I have created VLAN 246 that only exists on my controller (VPN terminator). It can only be reached from the client at the branch if the VPN tunnel from the IAP to the controller is up.
 

 

On the controller: 

 

interface vlan 246

 

       ip address 10.169.246.1 255.255.255.0

 

       operstate up

 

 

 

Check that the IAP authenticates to the controller:

 

Apr 30 08:21:13  isakmpd[1586]: <103063> <DBUG> |ike|  10.68.9.58:4500-> validate_issuer: trying certs:3 CA cert-chain Aruba-Factory-CA blob:0x101d0ec4 blob-len:1009

 

Apr 30 08:21:13  isakmpd[1586]: <103076> <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer 10.68.9.58:4500

 

Apr 30 08:21:13  isakmpd[1586]: <103077> <INFO> |ike|  IKEv2 IKE_SA succeeded for peer 10.68.9.58:4500

 

Apr 30 08:21:13  isakmpd[1586]: <103078> <INFO> |ike|  IKEv2 CHILD_SA successful for peer 10.68.9.58:4500

 

Apr 30 08:21:13  isakmpd[1586]: <103082> <INFO> |ike|  IKEv2 Client-Authentication succeeded for 172.16.10.14 (External 10.68.9.58) for IAProle

 

Apr 30 08:21:13  l2tp[1630]: <199800> <DBUG> |l2tp|  shared_cli.c, shared_cli_get_addr:1279:  Caller:ike Allocated IP address 172.16.10.14 pool:IAPpool

 

Apr 30 08:21:13  localdb[1598]: <133004> <INFO> |localdb|  Received Authentication Request for User d8:c7:c8:c4:43:19

 

Apr 30 08:21:13  localdb[1598]: <133005> <INFO> |localdb|  User d8:c7:c8:c4:43:19  Successfully Authenticated

 

 

 

Check if the IAP is in the whitelist and that the tunnel is up:

 

 

 

(TME-RAPNG) #show iap table

 

Branch Key Index Status Inner IP MAC Address

 

----- ------ -------- -----------

 

e243e802019c4937fe582bc8fe74da9c22f157ef4d15612989 0 UP 172.16.10.13 d8:c7:c8:c4:43:19

 

Check that the IKE and IPsec tunnel are up on the controller: 

 

(TME-RAPNG) #show crypto isakmp sa

 

ISAKMP SA Active Session Information

 

Initiator IP Responder IP Flags Start Time Private IP

 

------------ ----- --------------- ----------

 

10.68.9.58 10.169.240.10 r-v2-c-I Apr 30 06:02:55 172.16.10.13

 

Flags: i = Initiator; r = Responder

 

      m = Main Mode; a = Agressive Mode v2 = IKEv2

 

      p = Pre-shared key; c = Certificate/RSA Signature; e =  ECDSA Signature

 

      x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled

 

      3 = 3rd party AP; C = Campus AP; R = RAP; I = IAP

 

      V = VIA; S = VIA over TCP

 

 

 

Total ISAKMP SAs: 1

 

 

 

(TME-RAPNG) #show crypto ipsec sa

 

 

 

IPSEC SA (V2) Active Session Information

 

 

 

Initiator IP Responder IP SPI(IN/OUT) Flags Start Time Inner IP

 

------------ ---------------- ----- --------------- --------

 

 

 

10.68.9.58 10.169.240.10 68731f00/83d5af00 UT2 Apr 30 06:02:56 172.16.10.13

 

 

 

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap

 

 

 

      L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

 

 

 

Total IPSEC SAs: 1

 

 

 

(TME-RAPNG) #

 

 

 

To check the tunnel stats for encrypted and decrypted traffic: 

 

(TME-RAPNG) #show datapath tunnel

 

Datapath Tunnel Table Statistics

 

Current Entries 11 Pending Deletes 0 High Water Mark 11 Maximum Entries 16383 Total Entries 20 Allocation Failures 0 Max link length 1

 

Datapath Tunnel Table Entries

 

 

 

Flags: E - Ether encap, I - Wi-Fi encap, R - Wired tunnel, F - IP fragment OK

 

 

 

      W - WEP,  K - TKIP,  A - AESCCM,  G - AESGCM,  M - no mcast src filtering

 

      S - Single encrypt,  U - Untagged,  X - Tunneled node,  1(cert-id) - 802.1X Term-PEAP

 

      2(cert-id) - 802.1X Term-TLS,  T - Trusted,  L - No looping, d - Drop Bcast/Mcast,

 

      D - Decrypt tunnel,  a - Reduce ARP packets in the air, e - EAPOL only

 

      C - Prohibit new calls, P - Permanent, m - Convert multicast

 

      n - Don't convert IPv6 Mcast RA to Ucast, s - Split tunnel

 

 

 

#       Source       Destination    Prt  Type  MTU   VLAN       Acls           BSSID          Decaps     Encaps   Heartbeats Cpu QSz Flags

 

--- -------------- -------------- --- ---- ---- ---- -------------- ----------------- ---------- ---------- ---------- --- --- -----

 

 12 10.169.240.10 172.16.10.13 47 1 1100 0 0 0 1 00:00:00:00:00:00 0 0 0 12 0 TEFPR 9 SPI68731F00 in 10.169.240.10 50 IPSE 1500 0 routeDest 0000 491 0 10 SPI83D5AF00out 10.68.9.58 50 IPSE 1500 0 routeDest 0000 0 948

 



 

Version history
Revision #:
1 of 1
Last update:
‎06-26-2014 04:25 PM
Updated by:
 
Labels (1)
Contributors
Search Airheads
cancel
Showing results for 
Search instead for 
Did you mean: