Wired Networks

How to Configure IPSec Static route on MAS?

Aruba Employee
  1. Static IP routes can be added to a site-to-site IPsec-map to route other networks through the IPsec tunnel.
  2. A static route pointing to an ipsec-map can be configured before or after the crypto map.


  • When a static route is added to an ipsec-map and the tunnel is NOT up, no route is installed in the routing table.
  • If the tunnel is up, the route pointing to the gateway is added to the routing table.
  • Redundancy between IP routes is provided by assigning costs.

Note: For VPN static route redundancy, "pre-connect enable" is mandatory in the ipsec-map.


Environment: This applies whenever an IPsec static route is needed between a MAS and a controller, between two MAS devices, or between a MAS and any third-party device.


Network Topology: (diagram rtaImage.jpg not reproduced here)


Configuration for S3500-J21-Stacking
crypto-local ipsec-map s2s-pki 1
  version v2
  peer-ip 42.1.1.1
  peer-cert-dn "/CN=dot1xclientcert2048-1"
  interface vlan 42
  src-net 4.1.1.0 255.255.255.0
  dst-net 2.1.1.0 255.255.255.0
  set transform-set "default-transform" 
  set security-association lifetime seconds 3600
  set pfs group2
  pre-connect enable
  force-natt disable
  set ca-certificate RootCert
  set server-certificate servercert-2048
!
ip-profile
  route 3.1.1.0 255.255.255.0 ipsec s2s-pki 1
  route 3.1.1.0 255.255.255.0 ipsec tn-vpn 2

Configuration for AS 3500-j25 at the remote end
crypto-local ipsec-map s2s-pki 1
  version v2
  peer-ip 42.1.1.2
  peer-cert-dn "/CN=dot1xservercert2048-1"
  interface vlan 42
  src-net 2.1.1.0 255.255.255.0
  dst-net 4.1.1.0 255.255.255.0
  set transform-set "default-transform" 
  set security-association lifetime seconds 3600
  set pfs group2
  pre-connect disable
  force-natt disable
  set ca-certificate rootCert-1
  set server-certificate clientcert-2048
!

With the above configuration in place, the IPsec static route is configured on the MAS.


The following commands verify the configuration.

(AS3500-Stack-T7021-J21) #show ip-profile                
(AS3500-Stack-T7021-J21) #show ip route 
(AS3500-Stack-T7021-J21) #show data path route   
(AS3500-Stack-T7021-J21) #show datapath route-cache


The output of the following commands helps troubleshoot and verify the routes.

(AS3500-48T) # show ip-profile
ip-profile "default"
--------------------
Parameter            Value
---------            -----
Default Gateway      N/A
Import DHCP Gateway  Disabled
controller-ip        vlan4
route                2.1.1.0 255.255.255.0 42.1.1.1 0
route                3.1.1.0 255.255.255.0 ipsec s2s-pki 1
route                3.1.1.0 255.255.255.0 ipsec tn-vpn 2
(AS3500-48T) #show ip route 
Codes: C - connected
       O - OSPF, O(IA) - OSPF inter area
       O(E1) - OSPF external type 1, O(E2) - OSPF external type 2
       O(N1) - OSPF NSSA type 1, O(N2) - OSPF NSSA type 2
       M - mgmt, S - static, * - candidate default
       D - DHCP 
 
C        2.1.1.0  /24 [1] is an ipsec map: _s2s-pki
S        3.1.1.0  /24 [1] is an ipsec map: _s2s-pki
 
 
(AS3500-48T) #show datapath route
Route Table Entries
-------------------
Flags: L - Local, P - Permanent,  T - Tunnel, I - IPsec, M - Mobile, A - ARP, D - Drop
       IP             Mask           Gateway       Cost  VLAN  Flags
---------------  ---------------  ---------------  ----  ----  -----
2.1.1.0          255.255.255.0    2.1.1.1             0     1  TI   
3.1.1.0          255.255.255.0    2.1.1.1             0     0
 
(AS3500-48T) # show datapath route-cache 
Route Cache Entries
-------------------
Flags: L - local, P - Permanent,  T - Tunnel, I - IPsec, M - Mobile, A - ARP, D - Drop
R - Routed across vlan
       IP              MAC             VLAN      Flags
---------------  -----------------  -----------  -----
2.1.1.1          00:00:00:00:00:00  tunnel 5608  PT
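As an added example (not part of the Aruba article and not ArubaOS code), the following Python script parses the "show ip-profile" and "show ip route" output shown above and reports, for each destination that has an IPsec candidate, which configured route the switch actually installed. The sample texts are constructed from this article's output; the regular expressions are assumptions about that output's layout.

```python
"""Audit helper (added example, not Aruba code): cross-check the static routes
configured in a MAS ip-profile against what 'show ip route' reports installed.
Sample texts are constructed from the output in this article; the regexes are
assumptions about its layout."""
import ipaddress
import re

IP_PROFILE_SAMPLE = """\
ip-profile "default"
--------------------
Parameter            Value
---------            -----
Default Gateway      N/A
route                2.1.1.0 255.255.255.0 42.1.1.1 0
route                3.1.1.0 255.255.255.0 ipsec s2s-pki 1
route                3.1.1.0 255.255.255.0 ipsec tn-vpn 2
"""

IP_ROUTE_SAMPLE = """\
Codes: C - connected
       M - mgmt, S - static, * - candidate default
C        2.1.1.0  /24 [1] is an ipsec map: _s2s-pki
S        3.1.1.0  /24 [1] is an ipsec map: _s2s-pki
"""

# 'route <dst> <mask> (ipsec <map> | <gateway>) <cost>' as printed by show ip-profile
_PROFILE_RE = re.compile(
    r"^route\s+(\S+)\s+(\S+)\s+(?:ipsec\s+(\S+)|(\S+))\s+(\d+)\s*$", re.M)
# '<code> <network> /<len> [<metric>] <via ...>' as printed by show ip route
_ROUTE_RE = re.compile(
    r"^([A-Z])\S*\s+(\S+)\s+/(\d+)\s+\[(\d+)\]\s+(.*?)\s*$", re.M)
_VIA_MAP_RE = re.compile(r"is an ipsec map:\s+_?(\S+)")


def parse_ip_profile(text):
    """Return configured static routes as (prefix, via, cost, is_ipsec) tuples;
    'via' is the ipsec-map name or the next-hop gateway."""
    routes = []
    for dst, mask, ipsec_map, gw, cost in _PROFILE_RE.findall(text):
        prefix = str(ipaddress.ip_network(f"{dst}/{mask}", strict=False))
        if ipsec_map:
            routes.append((prefix, ipsec_map, int(cost), True))
        else:
            routes.append((prefix, gw, int(cost), False))
    return routes


def parse_ip_route(text):
    """Return installed routes as {prefix: (code, via)}; 'via' is the ipsec-map
    name (leading underscore stripped) when the route points into a tunnel."""
    installed = {}
    for code, net, plen, _metric, via in _ROUTE_RE.findall(text):
        m = _VIA_MAP_RE.search(via)
        installed[f"{net}/{plen}"] = (code, m.group(1) if m else via)
    return installed


def audit(profile_text, route_text):
    """For each destination with at least one IPsec candidate, report the
    candidates by cost, the route actually installed, and a status.  An IPsec
    candidate missing from the routing table means its tunnel is not up, so a
    skipped lower-cost candidate is flagged."""
    by_prefix = {}
    for prefix, via, cost, is_ipsec in parse_ip_profile(profile_text):
        by_prefix.setdefault(prefix, []).append((cost, via, is_ipsec))
    installed = parse_ip_route(route_text)
    report = {}
    for prefix, cands in by_prefix.items():
        if not any(is_ipsec for _, _, is_ipsec in cands):
            continue                      # clear-only destinations are out of scope
        cands.sort()
        _best_cost, best_via, _ = cands[0]
        code_via = installed.get(prefix)
        if code_via is None:
            status = "not installed (no candidate usable)"
        elif code_via[1] == best_via:
            status = "lowest-cost candidate installed"
        else:
            status = f"backup installed; {best_via} not usable (tunnel down?)"
        report[prefix] = {"candidates": [via for _, via, _ in cands],
                          "installed": code_via[1] if code_via else None,
                          "status": status}
    return report


if __name__ == "__main__":
    for prefix, entry in audit(IP_PROFILE_SAMPLE, IP_ROUTE_SAMPLE).items():
        print(prefix, entry)
```

Run it against output captured from the switch in place of the constructed samples. A destination reported as "backup installed" with the lowest-cost IPsec candidate missing from the table is the situation described in the notes below; the first thing to check is whether that ipsec-map has pre-connect enabled.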


Notes:

Static IPsec routes have the same preference as other clear static routes.

For VPN static route redundancy, "pre-connect enable" is mandatory in the ipsec-map.

1. Once the tunnel goes down and another route to the same destination is up, the IPsec route is removed from the routing table. WITHOUT pre-connect enabled, traffic will not trigger the tunnel to come up, so the IPsec route cannot be installed back into the routing table until the other route(s) to the same destination are gone from the routing table.

2. For static routes, the one with the lower metric is installed, regardless of whether it is a clear route or an IPsec route.
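The following Python model is an added illustration (not Aruba code, and not how ArubaOS is implemented) of the bullets at the top of this article and of notes 1 and 2: it installs, per destination, the lowest-cost static route whose tunnel is up, and replays the failover from note 1 once with pre-connect enabled and once without. The map names, costs and the 3.1.1.0/24 destination are the article's; the event names (tunnel_down, peer_recovered, traffic) and the assumption that both tunnels start up are the model's own.

```python
"""Model (added example, not Aruba code) of the route-installation rules this
article states for static routes that point at an ipsec-map:
  * a route to an ipsec-map is installed only while that tunnel is up;
  * among candidates for one destination the lowest cost wins, clear or IPsec;
  * a pre-connect map re-establishes its tunnel on its own, while a map without
    pre-connect is only brought up by traffic, and traffic only reaches it when
    no other installed route already covers the destination.
Event names (tunnel_down, peer_recovered, traffic) are this model's own."""
from typing import Dict, List, Optional


class IpsecMap:
    def __init__(self, name: str, pre_connect: bool):
        self.name = name
        self.pre_connect = pre_connect
        self.peer_reachable = True   # assumption: peers start reachable
        self.up = True               # assumption: tunnels start established


class StaticRoute:
    def __init__(self, prefix: str, cost: int, ipsec_map: Optional[str] = None):
        self.prefix = prefix
        self.cost = cost
        self.ipsec_map = ipsec_map   # None means a clear static route


class Rib:
    def __init__(self, maps: List[IpsecMap], routes: List[StaticRoute]):
        self.maps: Dict[str, IpsecMap] = {m.name: m for m in maps}
        self.routes = list(routes)
        self.installed: Dict[str, StaticRoute] = {}
        self._recompute()

    def _usable(self, r: StaticRoute) -> bool:
        return r.ipsec_map is None or self.maps[r.ipsec_map].up

    def _recompute(self) -> None:
        """Per prefix, install the lowest-cost route whose tunnel is up."""
        self.installed = {}
        for r in sorted(self.routes, key=lambda r: r.cost):
            if r.prefix not in self.installed and self._usable(r):
                self.installed[r.prefix] = r

    def installed_via(self, prefix: str) -> Optional[str]:
        r = self.installed.get(prefix)
        return None if r is None else (r.ipsec_map or "gateway")

    def tunnel_down(self, name: str) -> None:
        self.maps[name].up = False
        self.maps[name].peer_reachable = False
        self._recompute()

    def peer_recovered(self, name: str) -> None:
        """Peer reachable again: only a pre-connect map comes back up unprompted."""
        m = self.maps[name]
        m.peer_reachable = True
        if m.pre_connect:
            m.up = True
            self._recompute()

    def traffic(self, prefix: str) -> Optional[str]:
        """Forward a packet. A non-pre-connect tunnel is brought up on demand
        only when no installed route already claims the prefix."""
        if prefix not in self.installed:
            for r in self.routes:
                m = self.maps.get(r.ipsec_map) if r.ipsec_map else None
                if r.prefix == prefix and m and m.peer_reachable and not m.up:
                    m.up = True
            self._recompute()
        return self.installed_via(prefix)

    def remove_route(self, prefix: str, ipsec_map: Optional[str]) -> None:
        self.routes = [r for r in self.routes
                       if not (r.prefix == prefix and r.ipsec_map == ipsec_map)]
        self._recompute()


def failover_trace(pre_connect: bool) -> List[Optional[str]]:
    """Replay note 1: primary tunnel fails, backup takes over, primary peer
    recovers, backup route is finally removed. Returns the map carrying
    3.1.1.0/24 after each step."""
    rib = Rib(
        maps=[IpsecMap("s2s-pki", pre_connect), IpsecMap("tn-vpn", True)],
        routes=[StaticRoute("3.1.1.0/24", 1, "s2s-pki"),
                StaticRoute("3.1.1.0/24", 2, "tn-vpn")],
    )
    trace = [rib.installed_via("3.1.1.0/24")]        # steady state: primary
    rib.tunnel_down("s2s-pki")
    trace.append(rib.installed_via("3.1.1.0/24"))   # backup installed
    rib.peer_recovered("s2s-pki")
    trace.append(rib.traffic("3.1.1.0/24"))          # does the primary return?
    rib.remove_route("3.1.1.0/24", "tn-vpn")
    trace.append(rib.traffic("3.1.1.0/24"))          # only once the backup is gone
    return trace


if __name__ == "__main__":
    print("pre-connect enable :", failover_trace(True))
    print("pre-connect disable:", failover_trace(False))
```

With pre-connect enabled the primary map reclaims the destination as soon as its peer recovers; without it the backup keeps the route until that backup route is withdrawn, which is the behaviour note 1 warns about.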

Version history
Revision #:
1 of 1
Last update:
11-04-2014 01:52 PM