Frequent Contributor II

IPsec between CPPM nodes

Hello community,

 

I'm planning to set up a cluster with two CPPM nodes. These nodes will be located in two different sites with cluster sync happening over the Internet, so I would like to protect cluster traffic using an IPsec tunnel (available in CPPM configuration).

What concerns me is whether CPPM will forward all their traffic (including LDAP queries, NTP synchronization, RADIUS responses...) through this tunnel. Will it be smart enough (or by design) to only include cluster traffic in the tunnel, and exclude all others?

Thank you,

Guru Elite

Re: IPsec between CPPM nodes

Have you read the ClearPass IPsec tech note on the page here?

https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

The host to host connection is what you are looking for. It should only encrypt traffic between the CPPM devices. Since NTP, RADIUS and LDAP point to other hosts, they should not go over the tunnel.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Frequent Contributor II

Re: IPsec between CPPM nodes

Hi Colin,

Yes, I've read it. But it doesn't clearly state how CPPM will handle which traffic goes through the tunnel, just how to set things up.

In summary, I only need to create the tunnel per the steps documented in that tech note, and everything between CPPM nodes will be protected. All other traffic will not be impacted. Is that correct?

Thank you,

Guru Elite

Re: IPsec between CPPM nodes

If you configure the instructions under "host to host", only traffic between the hosts should be encrypted.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Frequent Contributor II

Re: IPsec between CPPM nodes

Hi,

Thank you for your quick reply. There's one more thing I want to clarify. There will be a NAT device between these nodes. Would the connection be successfully established?

Thank you,

Guru Elite

Re: IPsec between CPPM nodes

You would need to do NAT translation and allow IPsec for that to work. The destination address must be answerable by the destination device.

******************
Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.
******************
Frequent Contributor II

Re: IPsec between CPPM nodes

Hi,

Looks like we have to join the cluster first before setting up the IPsec tunnel between CPPM nodes. When I tried doing it the other way around (bringing up IPsec first), the cluster joining process simply failed and it even reset the subscriber to factory default (which means deleting the Policy Manager license on the subscriber). Any ideas?

Thank you,
