Wireless Access

Occasional Contributor I
Posts: 5
Registered: ‎10-06-2016

APs Creating IPSEC Tunnel for Data Plane Traffic

We have several Aruba 125 APs deployed that connect back to a Mobility Controller.  We have noticed that all of the APs create an IPSEC tunnel back to the controller and send all data over that tunnel.  All of our locations are either on a site-to-site VPN connection or MPLS connection back to our datacenter and we don't need to encrypt the traffic from the AP to the controller.  I have looked for hours and can't find where I can just make the APs act as normal APs and not encrypt the data.  Can anyone lead me in the right direction?  I'm new to Aruba and thanks in advance for any help.

Guru Elite
Posts: 8,340
Registered: ‎09-08-2010

Re: APs Creating IPSEC Tunnel for Data Plane Traffic

They're likely deployed as remote APs instead of campus APs. You can either
reprovision them as campus APs or potentially move to the decrypt-tunnel
forwarding mode.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 5
Registered: ‎10-06-2016

Re: APs Creating IPSEC Tunnel for Data Plane Traffic

I'm extremely new to Aruba. Where could I find more information as to how to reprovision them or move them to the decrypt-tunnel forwarding mode?

Guru Elite
Posts: 8,340
Registered: ‎09-08-2010

Re: APs Creating IPSEC Tunnel for Data Plane Traffic

Do you have an Aruba partner you work with? There are a few considerations
before doing this and we're not familiar with your network.

Tim Cappalli | Aruba Security TME
@timcappalli | timcappalli.me | ACMX #367 / ACCX #480
Occasional Contributor I
Posts: 5
Registered: ‎10-06-2016

Re: APs Creating IPSEC Tunnel for Data Plane Traffic

Unfortunately no. We inherited these via an acquisition.  The driver for this is that we have WAN accelerators in line and we can’t optimize the wireless traffic going over the WAN because it’s encrypted. 

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: APs Creating IPSEC Tunnel for Data Plane Traffic

Unless your WAN accelerator can de-encapsulate GRE traffic, you will have the same issue if you change it to a campus AP.


Colin Joseph
Aruba Customer Engineering

Looking for an Answer? Search the Community Knowledge Base Here: Community Knowledge Base

Occasional Contributor I
Posts: 5
Registered: ‎10-06-2016

Re: APs Creating IPSEC Tunnel for Data Plane Traffic

Is there a way to make them bridge traffic and not tunnel through the controller?

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: APs Creating IPSEC Tunnel for Data Plane Traffic

Yes, but there are a few factors you need to be aware of:

- Bridging is not available for captive portal SSIDs.
- Users will typically be placed on the same subnet as the access points. If you need to have them on a different subnet you will need to configure a trunk on the access points' switch port.


Colin Joseph
Aruba Customer Engineering

Occasional Contributor I
Posts: 5
Registered: ‎10-06-2016

Re: APs Creating IPSEC Tunnel for Data Plane Traffic

That's not an issue as we have a flat VLAN at these locations and don't use captive portal.  Can you point me in the right direction as to where I can find information as to how to configure them as a bridge? 

Guru Elite
Posts: 20,821
Registered: ‎03-29-2007

Re: APs Creating IPSEC Tunnel for Data Plane Traffic

In the virtual ap profile for that WLAN, you need to set the forwarding mode to bridged. You also need to set the default AP VLAN in the ap system profile to the same VLAN as in the virtual ap profile so that it does not tag the traffic.


Colin Joseph
Aruba Customer Engineering
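
A consistency check for the bridged-mode advice above, as an added example that is not part of the original thread and is not Aruba's own tooling. It assumes ArubaOS 6.x-style running-config stanzas (`wlan virtual-ap`, `ap system-profile`, `ap-group`), profile names without spaces, a single numeric VLAN per virtual AP, and defaults of tunnel mode and VLAN 1 when a setting is absent; the sample config is constructed.

```python
# Constructed sample in ArubaOS 6.x running-config style; names and VLAN IDs are made up.
SAMPLE_CONFIG = """\
wlan virtual-ap "branch-vap"
   vlan 20
   forward-mode bridge
!
wlan virtual-ap "guest-vap"
   vlan 30
   forward-mode tunnel
!
ap system-profile "branch-sys"
   native-vlan-id 1
!
ap-group "branch"
   virtual-ap "branch-vap"
   virtual-ap "guest-vap"
   ap-system-profile "branch-sys"
!
"""

def parse_stanzas(text):
    """Map (stanza kind, profile name) -> list of split, indented setting lines."""
    stanzas, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if not line[0].isspace():  # an unindented line opens a new stanza
            kind, _, name = line.strip().rpartition(" ")
            current = stanzas.setdefault((kind, name.strip('"')), [])
        elif current is not None:
            current.append(line.split())
    return stanzas

def setting(lines, key, default):
    """First value of `key` in a stanza, or the assumed default when unset."""
    return next((w[1].strip('"') for w in lines if w[0] == key and len(w) > 1), default)

def audit_bridge_vlans(text):
    """Return (ap-group, virtual-ap, vlan, native) for bridged WLANs the AP would tag."""
    st, findings = parse_stanzas(text), []
    groups = [(k[1], v) for k, v in st.items() if k[0] == "ap-group"]
    for group, lines in groups:
        sys_name = setting(lines, "ap-system-profile", "default")
        native = setting(st.get(("ap system-profile", sys_name), []), "native-vlan-id", "1")
        for vap in (w[1].strip('"') for w in lines if w[0] == "virtual-ap" and len(w) > 1):
            vap_lines = st.get(("wlan virtual-ap", vap), [])
            if (setting(vap_lines, "forward-mode", "tunnel") == "bridge"
                    and setting(vap_lines, "vlan", "1") != native):
                findings.append((group, vap, setting(vap_lines, "vlan", "1"), native))
    return findings

if __name__ == "__main__":
    print(audit_bridge_vlans(SAMPLE_CONFIG))
```

Each finding is a bridged WLAN whose VLAN differs from the AP's native VLAN, meaning the AP will send that traffic tagged and the switch port needs a trunk carrying that VLAN.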