RAP initial setup questions

All,

I'm working on configuring my first RAP-2 on a 5.0.3.0 install. I have opened UDP port 4500 on our firewall.

I'm receiving the following error:

RC_ERROR_IKEP2_PKT1

I'm trying to set up the RAP in a branch office scenario based on the 5.0 user guide, but I'm sure I'm missing something. My ideal setup would be to extend the same SSIDs that are on our campus to off-campus locations.

I've added the following to the configuration:

ap system-profile "Master-RAP-System-Profile"
   lms-ip ***.***.191.253
   bkup-lms-ip ***.***.191.253
   native-vlan-id 342
   rap-local-network-access

ap-group "Mobile-RAP-AP-Group"
   virtual-ap "Master-VAP"
   dot11a-radio-profile "Radio-802.11a"
   dot11g-radio-profile "Radio-802.11g"
   ap-system-profile "Master-RAP-System-Profile"

wlan virtual-ap "Master-VAP"
   aaa-profile "Portal-AAA"
   ssid-profile "Testing" (existing, works on campus)
   vlan 342
   forward-mode bridge
   rap-operation persistent
   broadcast-filter all
   broadcast-filter arp

I added a username, rap-role, and placed that username in the RAP whitelist with the RAP-2 MAC address.

I enabled L2TP with PAP.

I added an ip pool in the same range as the VLAN for the Virtual AP, in this case 342.

I applied the following policy to the rap-role:

ip access-list session rap_policy
   any any svc-papi permit
   any any svc-l2tp permit
   any any svc-gre permit
   any any svc-esp permit
   any any svc-tftp permit
   any any svc-ftp permit

Any help to get this started would definitely be appreciated.

Thanks!

-Mike
Guru Elite

Re: RAP initial setup questions

That message means that the first IKE packet is not reaching the controller. It is normally a routing/firewall issue between the RAP and the controller.

You can leave the LMS-IP and backup LMS-IP blank in a single-controller deployment.

I hope that the SSID profile connected to "testing" is not a Captive Portal SSID, because that is not supported with Virtual AP type "Bridge".

Last, but not least, you do not have to set up a RAP policy or a RAP role.

Your only problem seems to be lack of connectivity to the controller. Are you using a firewall to do a 1:1 static NAT or does the controller have a physical public leg on the internet?


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Re: RAP initial setup questions

Hi Colin,

Yep, the controller has a public IP address. We've also opened UDP port 4500 (NAT-T) for the device. Does it also need to have ISAKMP opened on the firewall?

That's a good catch. Actually that SSID is a captive portal. I'll try switching it to our 802.1X SSID to see if that makes a difference.

You stated that a username is not required. Basically, the only thing that you'll need to do is whitelist the MAC address of the RAP and you should be good to go?

Thanks for your help!

-Mike

Re: RAP initial setup questions

Just as a test, please open up Ping and see if the controller responds to a ping from the outside. If it does not, you have a firewall/routing configuration issue outside of the controller.

Yes, you only need to whitelist the MAC address and create a VPN pool for the incoming RAPs if you are using a RAP2 or a RAP5.


Colin Joseph
Aruba Customer Engineering


Re: RAP initial setup questions

Hi Colin,

I did as you suggested and allowed full outside connectivity to the server. I then ran an nmap scan on the device and it came back with a full TCP / UDP list of ports. I then placed the device back in a firewall rule set and ran the following command:

nmap -sU -p 4500 -v -PN

The results showed the following ports were available:

4500/udp open|filtered nat-t-ike

Is there something I should verify to make sure that VPN / IPSec transport is functioning on the controller?

As always, thanks for your continued help!

-Mike

Re: RAP initial setup questions

Yes,

Initiate the RAP connection and while you are doing that do a "show datapath session table | include 4500" and see if you see the external NAT-T session initiated:

(3600.arubanetworks.com) #show datapath session table | include 4500
10.69.69.16 98.219.86.231 17 4500 10000 0/0 0 0 0 1/3 8b F
10.69.69.16 98.193.77.91 17 4500 4214 0/0 0 0 2 1/3 1f FY
71.233.172.135 10.69.69.16 17 4500 4500 0/0 0 0 0 1/3 8143 FC
66.30.170.140 10.69.69.16 17 4500 4500 0/0 0 0 0 1/3 8a FC
75.94.247.108 10.69.69.16 17 40030 4500 0/0 0 0 0 1/3 8c FC
10.69.69.16 69.242.121.253 17 4500 10000 0/0 0 0 0 1/3 89 F
24.15.147.102 10.69.69.16 17 4500 4500 0/0 0 0 0 1/3 8c FC
116.49.134.17 10.69.69.16 17 24069 4500 0/0 0 0 0 1/3 8c FC
70.123.143.29 10.69.69.16 17 1026 4500 0/0 0 0 0 1/3 8c FC


Colin Joseph
Aruba Customer Engineering


Re: RAP initial setup questions

Colin,

Yep, I see the off site connection (I added the asterisks):

24.125.**.63 ***.***.191.253 17 4500 4500 0/0 0 0 0 1/0 8 FC
***.***.191.253 24.125.**.63 17 4500 4500 0/0 0 0 1 1/0 8 F

-Mike
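The check Colin describes above, and the session pair Mike posted, can be automated: parse the "show datapath session table" rows and report, per remote peer, whether an inbound UDP/4500 entry and its return entry both exist. This is an added example, not code from the thread or from Aruba; the sample rows are constructed with documentation addresses, and CONTROLLER_IP is assumed to be the address the controller itself shows in the table (its inside address when it sits behind a 1:1 NAT).

```python
from collections import defaultdict

# Constructed sample in the column order "show datapath session table" prints:
# Source IP, Destination IP, Prot, SPort, DPort, Cntr, Prio, ToS, Age, Destination, TAge, Flags.
# Documentation addresses only; the controller address is an assumption for the example.
CONTROLLER_IP = "203.0.113.253"
SAMPLE_TABLE = """\
192.0.2.63 203.0.113.253 17 4500 4500 0/0 0 0 0 1/0 8 FC
203.0.113.253 192.0.2.63 17 4500 4500 0/0 0 0 1 1/0 8 F
198.51.100.7 203.0.113.253 17 40030 4500 0/0 0 0 0 1/3 8c FC
203.0.113.253 198.51.100.9 17 4500 10000 0/0 0 0 0 1/3 8b F
"""

def parse_sessions(text):
    """Turn table rows into dicts; skip headers or rows without the 12 fields."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 12 or not (f[2].isdigit() and f[3].isdigit() and f[4].isdigit()):
            continue
        rows.append({"src": f[0], "dst": f[1], "proto": int(f[2]),
                     "sport": int(f[3]), "dport": int(f[4]), "flags": f[11]})
    return rows

def natt_peers(rows, controller_ip):
    """Group UDP/4500 entries by remote peer: is there an inbound entry
    (peer -> controller:4500) and a return entry (controller:4500 -> peer)?"""
    peers = defaultdict(lambda: {"inbound": False, "outbound": False, "nat_sport": None})
    for r in rows:
        if r["proto"] != 17:          # NAT-T is UDP
            continue
        if r["dst"] == controller_ip and r["dport"] == 4500:
            p = peers[r["src"]]
            p["inbound"] = True
            if r["sport"] != 4500:    # a NAT in front of the RAP rewrote the source port
                p["nat_sport"] = r["sport"]
        elif r["src"] == controller_ip and r["sport"] == 4500:
            peers[r["dst"]]["outbound"] = True
    return dict(peers)

def check_rap(rows, controller_ip, rap_public_ip):
    """One-line verdict for a single RAP's public address."""
    p = natt_peers(rows, controller_ip).get(rap_public_ip)
    if p is None:
        return "no UDP/4500 session from this peer: the first IKE packet never reached the datapath"
    if p["inbound"] and p["outbound"]:
        return "NAT-T session present in both directions"
    if p["inbound"]:
        return "inbound packets seen but no return entry: check the controller's reply path"
    return "only controller-originated traffic seen"
```

Feed it the real table with something like `check_rap(parse_sessions(open("sessions.txt").read()), "<controller ip>", "<rap public ip>")`; a missing peer entry matches the RC_ERROR_IKEP2_PKT1 symptom from the first post.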

Re: RAP initial setup questions

Okay let's see what else is going on:

Type "show crypto ipsec sa" to see if any security associations or connections are made. If not, turn on logging:

logging level debugging security subcat ike
logging level debugging security process aaa
logging level debugging security process authmgr


Then type "show log security 50" to see what messages are there.


Colin Joseph
Aruba Customer Engineering


Re: RAP initial setup questions

Colin,

Thanks for your continued help. Here's the output from the debug commands:

Jan 15 16:01:23 :124004: |authmgr| RX (sock) message of type 66, len 740
Jan 15 16:01:23 :124004: |authmgr| auth_user_query_raw: recvd request user:00:0b:86:c3:74:4d ip:410862655 cookie:1946169279
Jan 15 16:01:23 :124004: |authmgr| Setting auth subtype 'EAP-LEAP' for user 24.125.68.63, client VPN
Jan 15 16:01:23 :124004: |authmgr| Setting auth type 'VPN' for user 24.125.68.63, client VPN
Jan 15 16:01:23 :124004: |authmgr| Setting authstate 'started' for user 24.125.68.63, client VPN
Jan 15 16:01:23 :124004: |authmgr| aal_authenticate user:00:0b:86:c3:74:4d vpnflags:1
Jan 15 16:01:23 :124004: |authmgr| ncfg_auth_server_group_authtype ip=24.125.68.63, method=VPN vpnflags:1
Jan 15 16:01:23 :124004: |authmgr| ncfg_auth_server_group_authtype vpnflags:1 vpn-profile:default-rap
Jan 15 16:01:23 :124004: |authmgr| ip=24.125.68.63, sg=internal
Jan 15 16:01:23 :124004: |authmgr| aal_authenticate server_group:internal
Jan 15 16:01:23 :124004: |authmgr| ncfg_auth_server_group_authtype ip=24.125.68.63, method=VPN vpnflags:1
Jan 15 16:01:23 :124004: |authmgr| ncfg_auth_server_group_authtype vpnflags:1 vpn-profile:default-rap
Jan 15 16:01:23 :124004: |authmgr| ip=24.125.68.63, sg=internal
Jan 15 16:01:23 :124004: |authmgr| Select server for method=VPN, user=00:0b:86:c3:74:4d, essid=<>, server-group=internal, last_srv <>
Jan 15 16:01:23 :124004: |authmgr| server=Internal, ena=1, ins=1 (1)
Jan 15 16:01:23 :124038: |authmgr| Selected server Internal for method=VPN; user=00:0b:86:c3:74:4d, essid=<>, domain=<>, server-group=internal
Jan 15 16:01:23 :124004: |authmgr| Rx message 62/63, length 2963 from 137.113.191.253:8344
Jan 15 16:01:23 :124003: |authmgr| Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=24.125.68.63
Jan 15 16:01:23 :124004: |authmgr| Auth server 'Internal' response=0
Jan 15 16:01:23 :124004: |authmgr| Setting authserver 'Internal' for user 24.125.68.63, client VPN
Jan 15 16:01:23 :124004: |authmgr| auth_user_query_resp: response user:00:0b:86:c3:74:4d ip:410862655 cookie:1946169279
Jan 15 16:01:23 :124004: |authmgr| {L3} Authenticating Server is Internal
Jan 15 16:01:23 :124004: |authmgr| Matching `internal' rules to derive role ...
Jan 15 16:01:23 :124004: |authmgr| rule: set role condition Role value-of
Jan 15 16:01:23 :124004: |authmgr| Value Pair to match User-Name : 00:0b:86:c3:74:4d
Jan 15 16:01:23 :124004: |authmgr| Value Pair to match E-Mail :
Jan 15 16:01:23 :124004: |authmgr| Value Pair to match Role :
Jan 15 16:01:23 :124004: |authmgr| Rule matched! Result string is ''
Jan 15 16:01:23 :124004: |authmgr| auth_user_query_resp vpnflags:1
Jan 15 16:01:23 :124004: |authmgr| Framed IP: found 0x0 (mask 0xffffffff)
Jan 15 16:01:23 :103045: |ike| IKE: Failed to get address from L2TP

It looks like the last line, "Failed to get address from L2TP", might be leading us in the right direction.

So, I just looked at my address pool statement under: Advanced Services > VPN Services > IPSEC - and it wasn't there. That might be an issue. A follow up question about the pool. Does the pool have to be part of my routable block? Or, can it be an arbitrary range?

Thanks!

-Mike
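The reading Mike gives of his "show log security" output can be turned into a small triage routine: parse the timestamped authmgr/ike lines, pull out the VPN authentication result, the vpn-profile, the Framed-IP value and any IKE failure, and derive a verdict. This is an added example, not code from the thread or from Aruba; the sample log is a constructed excerpt that mirrors the message sequence above with placeholder addresses, and the interpretation (successful whitelist auth followed by an IKE address failure means no tunnel address source, i.e. a missing VPN pool) is taken from the thread.

```python
import re

# Line shape: "Jan 15 16:01:23 :124004: |authmgr| message"
LOG_LINE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+:(\d+):\s+\|(\w+)\|\s+(.*)$")
AUTH_RESULT = re.compile(r"Authentication result=(.+?)\((\d+)\),\s*method=(\w+)")
FRAMED_IP = re.compile(r"Framed IP: found 0x([0-9a-fA-F]+)")

# Constructed excerpt following the thread's sequence; address is a documentation placeholder.
SAMPLE_LOG = """\
Jan 15 16:01:23 :124004: |authmgr| Setting auth type 'VPN' for user 192.0.2.63, client VPN
Jan 15 16:01:23 :124004: |authmgr| ncfg_auth_server_group_authtype vpnflags:1 vpn-profile:default-rap
Jan 15 16:01:23 :124003: |authmgr| Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=192.0.2.63
Jan 15 16:01:23 :124004: |authmgr| Rule matched! Result string is ''
Jan 15 16:01:23 :124004: |authmgr| Framed IP: found 0x0 (mask 0xffffffff)
Jan 15 16:01:23 :103045: |ike| IKE: Failed to get address from L2TP
"""

def parse_log(text):
    """Split log lines into timestamp, message id, process and message; ignore anything else."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            events.append({"ts": m.group(1), "msgid": m.group(2), "proc": m.group(3), "msg": m.group(4)})
    return events

def diagnose_rap(events):
    """Summarise one RAP VPN attempt and attach a verdict."""
    r = {"auth_ok": None, "vpn_profile": None, "framed_ip": None, "ike_error": None}
    for e in events:
        m = AUTH_RESULT.search(e["msg"])
        if m and m.group(3) == "VPN":
            r["auth_ok"] = (m.group(2) == "0")       # result code 0 = success
        m = re.search(r"vpn-profile:(\S+)", e["msg"])
        if m:
            r["vpn_profile"] = m.group(1)
        m = FRAMED_IP.search(e["msg"])
        if m:
            r["framed_ip"] = int(m.group(1), 16)     # 0 = server returned no Framed-IP
        if e["proc"] == "ike" and "Failed" in e["msg"]:
            r["ike_error"] = e["msg"]
    if r["auth_ok"] and r["ike_error"] and "address" in r["ike_error"]:
        r["verdict"] = ("whitelist authentication succeeded but no inner address was assigned: "
                        "no Framed-IP from the server and no VPN address pool to fall back on")
    elif r["auth_ok"] is False:
        r["verdict"] = "VPN authentication failed: check the RAP whitelist entry"
    elif r["auth_ok"]:
        r["verdict"] = "authenticated and tunnel address assigned"
    else:
        r["verdict"] = "no VPN authentication attempt found"
    return r
```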

Re: RAP initial setup questions

It does not have to be routable. Yes, a VPN pool is crucial.


Colin Joseph
Aruba Customer Engineering
