Wireless Access

last person joined: 23 hours ago 

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.
Back to discussions
Expand all | Collapse all

Aruba Netgear VPN

This thread has been viewed 0 times

  • 1.  Aruba Netgear VPN

    Posted Jan 10, 2013 01:08 PM

    I posting this a bit early as I don't quite have all the information yet but thought I'd put it out there anyway and see if anyone has done this.

     

    I have a client that wants to connect some Netgear VPN boxes to his corporate Aruba controller and use them for his branch offices.

     

    Client already has VIA running and working great. So getting an outside IP address to the controller and other basic vpn config on the controller has been done.

     

    I'm assuming here that the netgears are going to want to do some type of PPTP but not having the model number or any information on them yet I'm only guessing at this point. (Meeting client later today).

     

    I've skimmed over chap 17 of the Aruba 6.1 user guide and looks like we should be able to figure something out. But having never done this before I thought I'd see if you guys had any words of wisdom or comments that might make life a little easier on me.

     

    Thanks !!!

     



  • 2.  RE: Aruba Netgear VPN

    Posted Jan 10, 2013 01:10 PM

    The 3 netgear boxes are Netgear fvs318 v3 fvs338 and fvs318g



  • 3.  RE: Aruba Netgear VPN

    Posted Jan 10, 2013 04:27 PM

    Ok so we hooked it up and it looks like we are close but I keep getting an error.... see output below.

     

    (Aruba3600) (config) #show log security 100 | include ike
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> IKE_addIPsecKey spi:64d60d00  opp-spi:f304c700   src:192.168.168.254   dst:192.168.168.32    initiator:NO   out:1
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> IPSEC_keyAddEx spdid:0
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> IPSEC_newSa pxSaTmp-flags 1001 Dst-IP-Port:192.168.168.32:4500 status:-8814
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> IPSEC_newSa: found older SA
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> IPSEC_delSa SADB Proto:50 SPI:fc00d200 OppSPI:bf04a100 Dst:192.168.168.32 Src:192.168.168.254  natt:4500 Dport:0 Sport:0 Oprot:0 Mode:2 DstIP:192.168.168.32 DstIPe:192.168.168.32 SrcIP:0.0.0.0 SrcIPe
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> arubaIPSecSetKeys:IPSECKEY proto:50 ospi:fc00d200 ispi:bf04a100 auth:2 len:20 enc:4 len:32 add:0 out:1
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa sa src=192.168.168.254:4500,dst=192.168.168.32:4500,srcnet:0.0.0.0/0.0.0.0 dstnet:192.168.168.32/255.255.255.255
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa innerip:192.168.168.32
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa: out:1 natt:1 mode:1 proto:1 cipher:4 auth:2 spi:fc00d200 oppspi:bf04a100 esrc:c0a8a8fe edst:c0a8a820 dstnet:c0a8a820 dstmask:ffffffff nattport:4500 trust:0 dpd:0
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500->  Setup the IPSEC SA --- DONE  !!
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa sa src=192.168.168.254:4500,dst=192.168.168.32:4500,srcnet:192.168.168.32/255.255.255.255 dstnet:0.0.0.0/0.0.0.0
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa innerip:192.168.168.32
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa: out:0 natt:1 mode:1 proto:1 cipher:4 auth:2 spi:bf04a100 oppspi:fc00d200 esrc:c0a8a820 edst:c0a8a8fe dstnet:0 dstmask:0 nattport:4500 trust:0 dpd:0
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500->  Setup the IPSEC SA --- DONE  !!
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> IPSEC_newSa Added outbound-hash for pxSa 0x102c3c34 IP:192.168.168.32 status:0 inbound:0  hash:2361489640
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> IPSEC_newSa SADB:0x102c3c34 Proto:50 SPI:64d60d00 OppSPI:f304c700 Dst:192.168.168.32 Src:192.168.168.254  natt:4500 Dport:0 Sport:0 Oprot:0 Mode:2 DstIP:192.168.168.32 DstIPe:192.168.168.32 SrcIP:0.0
    Jan 10 16:03:42 :103076:  <INFO> |ike|  IKEv2 IPSEC Tunnel created for peer 192.168.168.32:4500
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> arubaIPSecSetKeys:IPSECKEY proto:50 ospi:64d60d00 ispi:f304c700 auth:2 len:20 enc:4 len:32 add:1 out:1
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa sa src=192.168.168.254:4500,dst=192.168.168.32:4500,srcnet:0.0.0.0/0.0.0.0 dstnet:192.168.168.32/255.255.255.255
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa innerip:192.168.168.32
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa: out:1 natt:1 mode:1 proto:1 cipher:4 auth:2 spi:64d60d00 oppspi:f304c700 esrc:c0a8a8fe edst:c0a8a820 dstnet:c0a8a820 dstmask:ffffffff nattport:4500 trust:0 dpd:0
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500->  Setup the IPSEC SA --- DONE  !!
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa sa src=192.168.168.254:4500,dst=192.168.168.32:4500,srcnet:192.168.168.32/255.255.255.255 dstnet:0.0.0.0/0.0.0.0
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa innerip:192.168.168.32
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> ipc_mocana_setup_ipsec_dp_sa: out:0 natt:1 mode:1 proto:1 cipher:4 auth:2 spi:f304c700 oppspi:64d60d00 esrc:c0a8a820 edst:c0a8a8fe dstnet:0 dstmask:0 nattport:4500 trust:0 dpd:0
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500->  Setup the IPSEC SA --- DONE  !!
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500->   encr=aes  ESP spi=64d60d00 192.168.168.32 << 192.168.168.254 udp-enc*  spd=0(0) exp=7200 secs
    Jan 10 16:03:42 :103078:  <INFO> |ike|  IKEv2 CHILD_SA successful for peer 192.168.168.32:4500
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500->   CHILD_SA [v2 R
    Jan 10 16:03:42 :103063:  <DBUG> |ike|  192.168.168.32:4500-> udp_encap_handle_message IKEv2 pkt status:0
    Jan 10 16:03:47 :103063:  <DBUG> |ike|   IKE2_updateSadb Permanently Deleting IKE_SA
    Jan 10 16:03:47 :103063:  <DBUG> |ike|   IKE2_delSa error:0 saflags:20100109 arflags:5
    Jan 10 16:03:47 :103063:  <DBUG> |ike|   IKE2_delSa
    Jan 10 16:03:47 :103063:  <DBUG> |ike|     IKE_SA        (id=0xe50d7108) deleted
    Jan 10 16:03:47 :103063:  <DBUG> |ike|   , status = -8972
    Jan 10 16:03:47 :103063:  <DBUG> |ike|   IKE2_delSa
    Jan 10 16:04:02 :103063:  <DBUG> |ike|  209.255.10.251:500-> message_recv: invalid cookie(s) cdc412f883afb873 2b8947529d14b67c
    Jan 10 16:04:02 :103060:  <DBUG> |ike|  209.255.10.251:500-> message.c:message_drop:2833 Message drop from 209.255.10.251 port 500 due to notification type INVALID_COOKIE
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> exchange_setup_p1: ID is IPv4
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> exchange_setup_p1: expected exchange type ID_PROT got AGGRESSIVE
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> exchange_setup_p1: USING exchange type AGGRESSIVE
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> New(2) AGGRESSIVE Exchange ic 36503aa1b52fd8e7 rc 5d123b350eef205c
    Jan 10 16:04:04 :103060:  <DBUG> |ike|  209.255.10.251:500-> ike_phase_1.c:ike_phase_1_responder_recv_SA:850 Recvd VPN IKE Phase 1 SA transform negotiation (1st packet) from IP 209.255.10.251.
    Jan 10 16:04:04 :103060:  <DBUG> |ike|  209.255.10.251:500-> ike_phase_1.c:attribute_unacceptable:2730 Proposal match failed in group desc, configured=MODP_768, peer using=MODP_1024
    Jan 10 16:04:04 :103060:  <DBUG> |ike|  209.255.10.251:500-> ike_phase_1.c:attribute_unacceptable:2689 Proposal match failed in encryption algo, configured=AES_CBC, peer using=3DES_CBC
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> group_get entered id:2
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> group_get ike_group:0x10000178
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> modp_init entered
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> group_get group:0x10469774
    Jan 10 16:04:04 :103060:  <DBUG> |ike|  209.255.10.251:500-> ike_phase_1.c:ike_phase_1_responder_recv_SA:1000 Ike Phase 1 received SA
    Jan 10 16:04:04 :103060:  <DBUG> |ike|  209.255.10.251:500-> ike_phase_1.c:ike_phase_1_recv_ID:2097 received IKE ID Type 1 exchange:209.255.10.251
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> ike_phase_1_responder_send_SA_NAT_T Accepted 1 of the Proposals, sending Response for exchange:209.255.10.251
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> ike_phase_1_send_KE_NONCE 209.255.10.251
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> ike_auth_get_key: Ike type 1
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> GetFirstMatchIsakmpPSK: entering
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> mask FFFFFFFF, ip D1FF0AFB, key_ip D1FF0AFA
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> mask FFFFFFFF, ip D1FF0AFB, key_ip D1FF0AFB
    Jan 10 16:04:04 :103060:  <DBUG> |ike|  209.255.10.251:500-> ike_auth.c:ike_auth_get_key:593  Found isakmp policy for peer 209.255.10.251 client:yes
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> ike_phase_1_post_exchange_KE_NONCE IV len:8
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> ike_phase_1_post_exchange_KE_NONCE done 209.255.10.251 g_x_len:128 skeyid_len:20
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> ike_phase_1_send_ID 209.255.10.251
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> ike_auth_hash
    Jan 10 16:04:04 :103063:  <DBUG> |ike|  209.255.10.251:500-> ike_phase_1_send_AUTH
    Jan 10 16:04:06 :103062:  <INFO> |ike|  209.255.10.251:500-> IKE Aggressive Mode Phase 1 succeeded for peer 209.255.10.251
    Jan 10 16:04:06 :103063:  <DBUG> |ike|  209.255.10.251:500-> ->Delete AGGRESSIVE Exchange ic 36503aa1b52fd8e7 rc 5d123b350eef205c
    Jan 10 16:04:06 :103063:  <DBUG> |ike|  209.255.10.251:500-> modp_free entered
    Jan 10 16:04:06 :103060:  <DBUG> |ike|  209.255.10.251:500-> message.c:message_validate_hash:881 DELETE notification received with proper hash
    Jan 10 16:04:06 :103060:  <DBUG> |ike|  209.255.10.251:500-> ipsec.c:ipsec_delete_spi_list:1699 DELETE made us delete Phase-2 SA 0x1054a464 (1 references) for proto 3 Peer:209.255.10.251
    Jan 10 16:04:06 :103063:  <DBUG> |ike|  209.255.10.251:500-> sa_release: decrement limit 0
    Jan 10 16:04:06 :103063:  <DBUG> |ike|  209.255.10.251:500-> ipsec_sa 0x1049cb1c, proto 0x10461914
    Jan 10 16:04:06 :103063:  <DBUG> |ike|  209.255.10.251:500-> ipc_setup_ipsec_dp_sa add=0, out=1, sa=0x1054a464, proto=0x10461914
    Jan 10 16:04:06 :103063:  <DBUG> |ike|  209.255.10.251:500-> ipc_setup_ipsec_dp_sa sa src=0x0a010132, dst=0xd1ff0afb
    Jan 10 16:04:06 :103060:  <DBUG> |ike|  209.255.10.251:500-> ipc.c:ipc_print_dp_packet:2610 DP: :TUNNEL::SA_DEL::L2TP: OFF::outgoing::ESP::3DES or DES::Auth = SHA1:, SPI DD7D6BDE, esrc A010132, edst_ip D1FF0AFB, dst_ip 0, natt 0, natt_dport 0, l2tp_tunid 0, l2tp_sessid 0, l2tp_hello 0
    Jan 10 16:04:06 :103060:  <DBUG> |ike|  209.255.10.251:500-> ipc.c:ipc_modify_sb_data&colon;2016 IPSEC  dst_ip=0.0.0.0, dst_mask 0.0.0.0 inner_ip 0.0.0.0 client:yestrusted:no, Master-Local:no
    Jan 10 16:04:06 :103063:  <DBUG> |ike|  209.255.10.251:500->  Setup the outgoing IPSEC SA --- DONE  !!
    Jan 10 16:04:06 :103063:  <DBUG> |ike|  209.255.10.251:500-> ipc_setup_ipsec_dp_sa add=0, out=0, sa=0x1054a464, proto=0x10461914
    Jan 10 16:04:06 :103063:  <DBUG> |ike|  209.255.10.251:500-> ipc_setup_ipsec_dp_sa sa src=0x0a010132, dst=0xd1ff0afb
    Jan 10 16:04:06 :103060:  <DBUG> |ike|  209.255.10.251:500-> ipc.c:ipc_print_dp_packet:2610 DP: :TUNNEL::SA_DEL::L2TP: OFF::incoming::ESP::3DES or DES::Auth = SHA1:, SPI 3F4C0B00, esrc D1FF0AFB, edst_ip A010132, dst_ip 0, natt 0, natt_dport 0, l2tp_tunid 0, l2tp_sessid 0, l2tp_hello 0
    Jan 10 16:04:06 :103063:  <DBUG> |ike|  209.255.10.251:500->  Setup the incoming IPSEC SA --- DONE  !!
    Jan 10 16:04:06 :103063:  <DBUG> |ike|  209.255.10.251:500-> ->Delete INFO Exchange ic 36503aa1b52fd8e7 rc 5d123b350eef205c
    Jan 10 16:04:07 :103060:  <DBUG> |ike|  209.255.10.251:500-> sa.c:ike_sa_setup_ph2complete_timer:2860 SA 0x10549374 ph2-completion timeout in 30 seconds
    Jan 10 16:04:07 :103063:  <DBUG> |ike|  209.255.10.251:500-> ike_phase_2_validate_prop_for_client dyn-map default-dynamicmap
    Jan 10 16:04:07 :103063:  <DBUG> |ike|  209.255.10.251:500-> ike_phase_2_validate_prop_for_client map default-dynamicmap  v:1
    Jan 10 16:04:07 :103060:  <DBUG> |ike|  209.255.10.251:500-> ike_quick_mode.c:responder_recv_HASH_SA_NONCE:2589 message negotiation succeeded
    Jan 10 16:04:07 :103063:  <DBUG> |ike|  209.255.10.251:500-> post_quick_mode keymat:0 len:44
    Jan 10 16:04:07 :103063:  <DBUG> |ike|  209.255.10.251:500-> post_quick_mode keymat:1 len:44
    Jan 10 16:04:07 :103022:  <INFO> |ike|  IKE Quick Mode succeeded for peer 209.255.10.251
    Jan 10 16:04:07 :103034:  <INFO> |ike|  IKE Quick Mode succeeded from client  external 209.255.10.251
    Jan 10 16:04:07 :103063:  <DBUG> |ike|  209.255.10.251:500-> ipsec_finalize_exchange: src_net 10.1.1.50 src_mask 255.255.255.255 dst_net 192.168.233.1 dst_mask 255.255.255.0 tproto 0 sport 0 dport 0
    Jan 10 16:04:07 :103063:  <DBUG> |ike|  209.255.10.251:500-> ipsec_sa 0x1046bc4c, proto 0x10461914

     

    To me it looks like we are good right up to this point................


    Jan 10 16:04:07 :103043:  <ERRS> |ike|  IPSEC tunnel mode with bad inner 0.0.0.0, cannot add IPSEC SA to datapath
    Jan 10 16:04:07 :103060:  <DBUG> |ike|  209.255.10.251:500-> pf_key_v2.c:pf_key_v2_enable_sa:551 error calling ipc_modify_sb_data transport entry
    Jan 10 16:04:07 :103052:  <ERRS> |ike| Failed to enable IPSec SA
    Jan 10 16:04:07 :103063:  <DBUG> |ike|  209.255.10.251:500-> ->Delete DOI_MIN Exchange ic 36503aa1b52fd8e7 rc 5d123b350eef205c
    Jan 10 16:04:12 :103063:  <DBUG> |ike|  209.255.10.251:500-> message_parse_payloads: invalid next payload type <Unknown 67> in payload of type 8
    Jan 10 16:04:12 :103060:  <DBUG> |ike|  209.255.10.251:500-> message.c:message_drop:2833 Message drop from 209.255.10.251 port 500 due to notification type INVALID_PAYLOAD_TYPE
    Jan 10 16:04:17 :103063:  <DBUG> |ike|  209.255.10.251:500-> message_parse_payloads: invalid next payload type <Unknown 67> in payload of type 8
    Jan 10 16:04:17 :103060:  <DBUG> |ike|  209.255.10.251:500-> message.c:message_drop:2833 Message drop from 209.255.10.251 port 500 due to notification type INVALID_PAYLOAD_TYPE
    Jan 10 16:04:22 :103063:  <DBUG> |ike|  209.255.10.251:500-> message_parse_payloads: invalid next payload type <Unknown 67> in payload of type 8
    Jan 10 16:04:22 :103060:  <DBUG> |ike|  209.255.10.251:500-> message.c:message_drop:2833 Message drop from 209.255.10.251 port 500 due to notification type INVALID_PAYLOAD_TYPE