Question about site-to-site VPN S1500 to 3200

  • 1.  Question about site-to-site VPN S1500 to 3200

    Posted Jan 15, 2014 12:02 PM

    Hi all,

    I'm trying to configure a site-to-site VPN between an S1500 switch (7.3.0.0) and a 3200 controller (6.3.0.0) and have a question. I want to config Tunneled Node over VPN using a *static IP* at both the switch and controller ends.

    ArubaOS 7.3 UG says 'Tunneled Node over VPN' is supported by using IKE Aggressive Mode. The config example they offer (p. 345) shows "site-to-site VPN configured between Mobility Access Switch with a dynamic IP address and Mobility Controller with a static IP address".

    Could someone show me the config example for when both ends are configured for static?

    For reference, here is the example given in the UG showing "Mobility Access Switch with a dynamic IP address and Mobility Controller with a static IP address":

     

    Mobility Access Switch:
    (host) (config) #crypto-local ipsec-map here-there-vpn 100
    src-net 101.1.1.1 255.255.255.0
    dst-net 100.1.1.1 255.255.255.0
    peer-ip 2.2.2.2
    local-fqdn test@abc.com
    interface vlan 2
    crypto-local isakmp key secret address 2.2.2.2 netmask 255.255.255.255


    Mobility Controller:
    (host) (config) #crypto-local ipsec-map there-here-vpn 100
    src-net 100.1.1.0 255.255.255.0
    dst-net 101.1.1.0 255.255.255.0
    peer-ip 0.0.0.0
    peer-fqdn fqdn-id test@abc.com
    vlan 2
    crypto-local isakmp key secret fqdn test@abc.com

     

    Thanks in advance!

    Mike



  • 2.  RE: Question about site-to-site VPN S1500 to 3200

    Posted Jan 15, 2014 01:23 PM

    Greetings, I am not an expert on the Aruba. I was however able to get the Aruba to connect site-to-site with strongSwan and a Cisco ASA. Without a map it is hard to determine what your source and destination networks are like. Also, do you have security logging set up?

    (st2-sv-aruba-1) (config) #logging level debugging security

    You can then use "show log security all" or "show log security 50" (50 being the number of lines at the end of the log that I normally want to see). You may already be doing this. Do the logs indicate anything special? You may want to post them.

    My configuration for a tunnel. You can't duplicate it in your scenario, but you can glean some based on what I am doing.

    crypto-local ipsec-map SV-10 10
      version v2
      set ikev2-policy 1
      peer-ip 0.0.0.0
      peer-cert-dn "/C=US/ST=New York/L=Rome/O=AIS/OU=SecureView/CN=DT-010.info.com/emailAddress=new@old.com"
      vlan 903 (This is my outside or untrusted port vlan)
      src-net 172.22.201.0 255.255.255.0 (This is the trusted side)
      dst-net 172.16.240.36 255.255.255.252 (This is the initiator of the connection on the untrusted side)
      set transform-set "strong"
      set security-association lifetime seconds 43200
      set pfs group20
      pre-connect disable
      trusted enable
      force-natt disable
      set ca-certificate cacert_ec
      set server-certificate aruba_ec
    exit


    As you can see I am using certs, but PSK works as well with some changes. This is a working configuration. I am sure that others will add information. I am not the expert, just a user of the product.

    Douglas



  • 3.  RE: Question about site-to-site VPN S1500 to 3200

    Posted Jan 15, 2014 01:47 PM

    As the Tunneled Node connection is established using the switch IP, make sure the Mobility Access Switch's IP address is in the IPsec source network and the Controller's IP address is in the IPsec destination network.
    The VPN tunnel will be triggered when Tunneled Node starts its connection with the Controller.


    Switch:
    +++++++
    crypto-local ipsec-map <name> <priority>
         src-net <ipaddr-Net-A> <mask>
         dst-net <ipaddr-Net-B> <mask>
         peer-ip <ipaddr-Peer-Gateway-B1>
         interface vlan <vlan-id>
         version v1
         pre-connect enable
         force-natt disable
    !
    crypto-local isakmp key <secret-key> address <ipaddr> netmask <mask>
    !
    ip-profile
      controller-ip vlan <id>
    !
    interface-profile tunneled-node-profile <TN-profile-name>
       controller-ip <ipaddr>
    !
    interface gigabitethernet <x/y/z>
       tunneled-node-profile <TN-profile-name>


    Controller :
    +++++++++++
    crypto-local ipsec-map <name> <priority>
         src-net <ipaddr-Net-B> <mask>
         dst-net <ipaddr-Net-A> <mask>
         peer-ip <ipaddr-Peer-Gateway-A1>
         vlan <vlan-id>
         version v1
         trusted enable
         pre-connect enable
         force-natt disable
    !
    crypto-local isakmp key <secret-key> address <ipaddr> netmask <mask>
    !
    controller-ip vlan <id>


    Verify:
    1. First verify the IPSec tunnels between MAS and Controller are established
       show crypto isakmp sa
       show crypto ipsec sa

    2. Check on both MAS and Controller if tunnel node connections are established
        show tunneled-node state

    3. Check in Controller that users are added to the user-table
       show user
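
The rule in the reply above (switch IP inside the IPsec source network, controller IP inside the destination network, the two ipsec-maps mirroring each other, and a peer-ip plus matching isakmp key entry on each end for a static/static setup) is easy to get wrong when both sides are typed in by hand. As an added example, not from this thread and not HPE Aruba code, here is a small Python checker that parses a pair of crypto-local ipsec-map stanzas and the isakmp key lines and reports every mismatch it finds. The map names, the documentation-range addresses and the SECRET-PLACEHOLDER key are constructed sample values; the controller sample deliberately keeps the dynamic-peer form (peer-ip 0.0.0.0) from the UG example, and a key entry for the wrong address, so the checker has something to flag.

```python
import ipaddress
import re

# Constructed sample (not from the thread): a static/static pair laid out like the
# template in the reply above, using documentation address ranges. SECRET-PLACEHOLDER
# stands in for the real pre-shared key. The controller side deliberately keeps the
# dynamic-peer form (peer-ip 0.0.0.0) so the checker has something to report.
SWITCH_CFG = """\
crypto-local ipsec-map mas-to-ctrl 100
     src-net 192.0.2.10 255.255.255.0
     dst-net 198.51.100.0 255.255.255.252
     peer-ip 203.0.113.1
     interface vlan 1
     version v1
     pre-connect enable
     force-natt disable
!
crypto-local isakmp key SECRET-PLACEHOLDER address 203.0.113.1 netmask 255.255.255.255
"""

CONTROLLER_CFG = """\
crypto-local ipsec-map ctrl-to-mas 100
     src-net 198.51.100.0 255.255.255.252
     dst-net 192.0.2.0 255.255.255.0
     peer-ip 0.0.0.0
     vlan 2
     version v1
     trusted enable
     pre-connect enable
     force-natt disable
!
crypto-local isakmp key SECRET-PLACEHOLDER address 192.0.2.254 netmask 255.255.255.255
"""


def parse_config(text):
    """Pull the ipsec-map fields and isakmp key addresses out of one side's config."""
    cfg = {"isakmp_keys": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"crypto-local ipsec-map (\S+) (\d+)", line):
            cfg["name"], cfg["priority"] = m[1], int(m[2])
        elif m := re.fullmatch(r"(src-net|dst-net) (\S+) (\S+)", line):
            # ip_network accepts a dotted netmask; strict=False drops any host bits,
            # so "101.1.1.1 255.255.255.0" and "101.1.1.0 255.255.255.0" compare equal
            cfg[m[1].replace("-", "_")] = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
        elif m := re.fullmatch(r"peer-ip (\S+)", line):
            cfg["peer_ip"] = ipaddress.ip_address(m[1])
        elif m := re.fullmatch(r"version (v[12])", line):
            cfg["version"] = m[1]
        elif m := re.fullmatch(r"crypto-local isakmp key \S+ address (\S+) netmask (\S+)", line):
            cfg["isakmp_keys"].append(ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False))
    return cfg


def check_pair(switch, controller, switch_ip, controller_ip, switch_ike_ip, controller_ike_ip):
    """Return a list of findings; an empty list means the two sides agree.
    switch_ip / controller_ip are the tunneled-node endpoints (MAS switch IP, controller-ip);
    switch_ike_ip / controller_ike_ip are the addresses IKE itself runs over."""
    switch_ip, controller_ip = ipaddress.ip_address(switch_ip), ipaddress.ip_address(controller_ip)
    ike = {"switch": ipaddress.ip_address(switch_ike_ip), "controller": ipaddress.ip_address(controller_ike_ip)}
    findings = []
    # 1. The two maps must mirror each other: my src-net is your dst-net and vice versa.
    if switch["src_net"] != controller["dst_net"]:
        findings.append(f"switch src-net {switch['src_net']} != controller dst-net {controller['dst_net']}")
    if switch["dst_net"] != controller["src_net"]:
        findings.append(f"switch dst-net {switch['dst_net']} != controller src-net {controller['src_net']}")
    # 2. Tunneled-node traffic goes from the switch IP to the controller IP, so both must
    #    sit inside the protected networks or the tunnel is never triggered.
    if switch_ip not in switch["src_net"]:
        findings.append(f"switch IP {switch_ip} is outside switch src-net {switch['src_net']}")
    if controller_ip not in switch["dst_net"]:
        findings.append(f"controller IP {controller_ip} is outside switch dst-net {switch['dst_net']}")
    # 3. Static on both ends: each peer-ip names the other side's IKE address, and the
    #    pre-shared key entry on that side must cover it.
    for side, cfg, other in (("switch", switch, "controller"), ("controller", controller, "switch")):
        expected = ike[other]
        if cfg["peer_ip"] == ipaddress.ip_address("0.0.0.0"):
            findings.append(f"{side} peer-ip 0.0.0.0 is the dynamic-peer form; static setup expects {expected}")
        elif cfg["peer_ip"] != expected:
            findings.append(f"{side} peer-ip {cfg['peer_ip']} does not match {other} IKE address {expected}")
        if not any(expected in net for net in cfg["isakmp_keys"]):
            findings.append(f"{side} has no isakmp key entry covering {expected}")
    # 4. Both maps must speak the same IKE version.
    if switch.get("version") != controller.get("version"):
        findings.append(f"IKE version mismatch: switch {switch.get('version')} vs controller {controller.get('version')}")
    return findings


def demo():
    """Run the checker over the constructed sample; returns the findings list."""
    return check_pair(parse_config(SWITCH_CFG), parse_config(CONTROLLER_CFG),
                      switch_ip="192.0.2.10", controller_ip="198.51.100.2",
                      switch_ike_ip="192.0.2.10", controller_ike_ip="203.0.113.1")
```

Running demo() on the sample reports two findings, both on the controller side: the peer-ip is still the dynamic form, and the isakmp key entry does not cover the switch's IKE address; changing both to 192.0.2.10 makes the list come back empty. The checker only reasons about the ipsec-map stanzas; "show crypto isakmp sa" and "show crypto ipsec sa" on both boxes remain the way to confirm the tunnel actually came up.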



  • 4.  RE: Question about site-to-site VPN S1500 to 3200

    Posted Jan 15, 2014 03:35 PM

    Thanks for  your help.

     

    The controller connects to the router via a /30 PTP vlan. It also has a loopback configured (vlan 1 is shut) and the loopback IP is how it's managed. The MAS was "quicksetup" and is currently using "vlan 1" with a static IP for the management network. No loopback is configured at this time.

     

    Does this look like the correct values (in abstract) for the MAS side of things?

     

    Switch:

    crypto-local ipsec-map <name> <priority>
         src-net <ipaddr-Net-A> <mask>                 <-- IP address of vlan 1 on MAS
         dst-net <ipaddr-Net-B> <mask>                 <-- controller-side PTP IP
         peer-ip <ipaddr-Peer-Gateway-B1>              <-- Loopback IP address
         interface vlan <vlan-id>                      <-- Is this the PTP vlan?
         version v1
         pre-connect enable
         force-natt disable
    !