IAP VPN setup
How to configure a basic IAP VPN head-end controller
Head-end controller configuration
----------------------------------------------
In the IAP VPN deployment model, the Aruba controller is only the VPN termination point; it is not used to provision the IAP.
The WLAN profile configuration is done on the IAP virtual controller (VC) itself.
Only two steps are required to provision the VPN controller:
1. Add the VC's MAC address to the whitelist on the controller with the following command. The ap-group is not significant for an IAP and can be left as 'default':
(TME-RAPNG) #local-userdb-ap add mac-address d8:c7:c8:c4:43:19 ap-group default
To check if the IAP virtual controller is in the whitelist, execute the following CLI command on the controller:
(TME-RAPNG) # show local-userdb-ap
AP-entry Details
Name AP-Group AP-Name Full-Name Authen-Username Revoke-Text AP_Authenticated Description Date-Added Enabled Remote-IP
-------- ------- --------- --------------- ----------- ---------------- ----------- ---------- ------- ---------
d8:c7:c8:c4:43:19 default d8:c7:c8:c4:43:19 shashiIAP Provisioned Mon Apr 30 05:24:11 2012 Yes 0.0.0.0
AP Entries: 1
2. Create an IAP VC (RAP) VPN tunnel pool and role.
Note that this can also be the default-vpn-role, unless you want to define the controller as a RADIUS proxy:
ip access-list session IAProle
  any any any permit
user-role IAProle
  access-list session IAProle
ip local pool IAPpool 172.16.10.10 172.16.10.20
aaa authentication vpn default-iap
  default-role IAProle
Simulate the corporate network behind the controller
To simulate the internal corporate network, I have created VLAN 246, which exists only on my controller (the VPN terminator). A client at the branch can reach it only when the VPN tunnel from the IAP to the controller is up.
On the controller:
interface vlan 246
  ip address 10.169.246.1 255.255.255.0
  operstate up
Check that the IAP authenticates to the controller:
Apr 30 08:21:13 isakmpd[1586]: <103063> <DBUG> |ike| 10.68.9.58:4500-> validate_issuer: trying certs:3 CA cert-chain Aruba-Factory-CA blob:0x101d0ec4 blob-len:1009
Apr 30 08:21:13 isakmpd[1586]: <103076> <INFO> |ike| IKEv2 IPSEC Tunnel created for peer 10.68.9.58:4500
Apr 30 08:21:13 isakmpd[1586]: <103077> <INFO> |ike| IKEv2 IKE_SA succeeded for peer 10.68.9.58:4500
Apr 30 08:21:13 isakmpd[1586]: <103078> <INFO> |ike| IKEv2 CHILD_SA successful for peer 10.68.9.58:4500
Apr 30 08:21:13 isakmpd[1586]: <103082> <INFO> |ike| IKEv2 Client-Authentication succeeded for 172.16.10.14 (External 10.68.9.58) for IAProle
Apr 30 08:21:13 l2tp[1630]: <199800> <DBUG> |l2tp| shared_cli.c, shared_cli_get_addr:1279: Caller:ike Allocated IP address 172.16.10.14 pool:IAPpool
Apr 30 08:21:13 localdb[1598]: <133004> <INFO> |localdb| Received Authentication Request for User d8:c7:c8:c4:43:19
Apr 30 08:21:13 localdb[1598]: <133005> <INFO> |localdb| User d8:c7:c8:c4:43:19 Successfully Authenticated
Check if the IAP is in the whitelist and that the tunnel is up:
(TME-RAPNG) #show iap table
Branch Key Index Status Inner IP MAC Address
----- ------ -------- -----------
e243e802019c4937fe582bc8fe74da9c22f157ef4d15612989 0 UP 172.16.10.13 d8:c7:c8:c4:43:19
Check that the IKE and IPsec tunnel are up on the controller:
(TME-RAPNG) #show crypto isakmp sa
ISAKMP SA Active Session Information
Initiator IP Responder IP Flags Start Time Private IP
------------ ----- --------------- ----------
10.68.9.58 10.169.240.10 r-v2-c-I Apr 30 06:02:55 172.16.10.13
Flags: i = Initiator; r = Responder
m = Main Mode; a = Agressive Mode v2 = IKEv2
p = Pre-shared key; c = Certificate/RSA Signature; e = ECDSA Signature
x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
3 = 3rd party AP; C = Campus AP; R = RAP; I = IAP
V = VIA; S = VIA over TCP
Total ISAKMP SAs: 1
(TME-RAPNG) #show crypto ipsec sa
IPSEC SA (V2) Active Session Information
Initiator IP Responder IP SPI(IN/OUT) Flags Start Time Inner IP
------------ ---------------- ----- --------------- --------
10.68.9.58 10.169.240.10 68731f00/83d5af00 UT2 Apr 30 06:02:56 172.16.10.13
Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2
Total IPSEC SAs: 1
(TME-RAPNG) #
To check the tunnel stats for encrypted and decrypted traffic:
(TME-RAPNG) #show datapath tunnel
Datapath Tunnel Table Statistics
Current Entries 11 Pending Deletes 0 High Water Mark 11 Maximum Entries 16383 Total Entries 20 Allocation Failures 0 Max link length 1
Datapath Tunnel Table Entries
Flags: E - Ether encap, I - Wi-Fi encap, R - Wired tunnel, F - IP fragment OK
W - WEP, K - TKIP, A - AESCCM, G - AESGCM, M - no mcast src filtering
S - Single encrypt, U - Untagged, X - Tunneled node, 1(cert-id) - 802.1X Term-PEAP
2(cert-id) - 802.1X Term-TLS, T - Trusted, L - No looping, d - Drop Bcast/Mcast,
D - Decrypt tunnel, a - Reduce ARP packets in the air, e - EAPOL only
C - Prohibit new calls, P - Permanent, m - Convert multicast
n - Don't convert IPv6 Mcast RA to Ucast, s - Split tunnel
# Source Destination Prt Type MTU VLAN Acls BSSID Decaps Encaps Heartbeats Cpu QSz Flags
--- -------------- -------------- --- ---- ---- ---- -------------- ----------------- ---------- ---------- ---------- --- --- -----
12 10.169.240.10 172.16.10.13 47 1 1100 0 0 0 1 00:00:00:00:00:00 0 0 0 12 0 TEFPR
9 SPI68731F00 in 10.169.240.10 50 IPSE 1500 0 routeDest 0000 491 0
10 SPI83D5AF00out 10.68.9.58 50 IPSE 1500 0 routeDest 0000 0 948
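The whitelist, 'show iap table' and 'show crypto ipsec sa' checks above can be run as one script. The following Python is an added example, not part of the original page or of ArubaOS: it parses the row formats shown above (sample rows are copied from this page and embedded as constructed input) and reports, for each whitelisted VC MAC, whether its tunnel is UP and backed by an IKEv2, tunnel-mode IPsec SA, covering the failure cases too (VC missing from the table, status not UP, no SA for the inner IP, wrong SA flags).

```python
import re

# Constructed samples, copied from the controller output shown earlier on this page.
LOCAL_USERDB_AP = "d8:c7:c8:c4:43:19 default d8:c7:c8:c4:43:19 shashiIAP Provisioned Mon Apr 30 05:24:11 2012 Yes 0.0.0.0\n"
IAP_TABLE = ("Branch Key Index Status Inner IP MAC Address\n"
             "e243e802019c4937fe582bc8fe74da9c22f157ef4d15612989 0 UP 172.16.10.13 d8:c7:c8:c4:43:19\n")
IPSEC_SA = "10.68.9.58 10.169.240.10 68731f00/83d5af00 UT2 Apr 30 06:02:56 172.16.10.13\n"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})\s", re.I)
# 'show iap table' row: <branch key> <index> <status> <inner ip> <mac>
IAP_ROW_RE = re.compile(rf"^\S+\s+\d+\s+(\S+)\s+({IPV4})\s+([0-9a-f:]{{17}})$", re.I)
# 'show crypto ipsec sa' row: <initiator> <responder> <spi in/out> <flags> <start time> <inner ip>
SA_ROW_RE = re.compile(rf"^({IPV4})\s+({IPV4})\s+[0-9a-f]+/[0-9a-f]+\s+(\S+)\s+.*\s({IPV4})$", re.I)

def whitelisted_macs(local_userdb_ap):
    """MACs from 'show local-userdb-ap' (first column of each AP entry row)."""
    return {m.group(1).lower() for line in local_userdb_ap.splitlines()
            if (m := MAC_RE.match(line.strip()))}

def iap_tunnels(iap_table):
    """mac -> (status, inner ip) from 'show iap table'."""
    rows = (IAP_ROW_RE.match(line.strip()) for line in iap_table.splitlines())
    return {m.group(3).lower(): (m.group(1), m.group(2)) for m in rows if m}

def ipsec_inner_ips(ipsec_sa):
    """inner ip -> flags from 'show crypto ipsec sa'."""
    rows = (SA_ROW_RE.match(line.strip()) for line in ipsec_sa.splitlines())
    return {m.group(4): m.group(3) for m in rows if m}

def check_iap_vpn(local_userdb_ap, iap_table, ipsec_sa):
    """For each whitelisted VC: tunnel UP and backed by an IKEv2 ('2'), tunnel-mode ('T') IPsec SA?"""
    tunnels, sas, report = iap_tunnels(iap_table), ipsec_inner_ips(ipsec_sa), {}
    for mac in sorted(whitelisted_macs(local_userdb_ap)):
        if mac not in tunnels:
            report[mac] = (False, "whitelisted but absent from 'show iap table'")
            continue
        status, inner_ip = tunnels[mac]
        if status != "UP":
            report[mac] = (False, f"'show iap table' status is {status}")
        elif inner_ip not in sas:
            report[mac] = (False, f"no IPsec SA with inner IP {inner_ip}")
        elif not {"T", "2"} <= set(sas[inner_ip]):
            report[mac] = (False, f"IPsec SA flags {sas[inner_ip]} are not IKEv2 tunnel mode")
        else:
            report[mac] = (True, f"tunnel UP, inner IP {inner_ip}, SA flags {sas[inner_ip]}")
    return report
if __name__ == "__main__":
    for mac, (ok, why) in check_iap_vpn(LOCAL_USERDB_AP, IAP_TABLE, IPSEC_SA).items():
        print("OK  " if ok else "FAIL", mac, why)
```

Feed it the full output of the three show commands (pasted or collected over SSH) and any VC that is whitelisted but not actually terminating an IKEv2 tunnel stands out immediately.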