I have an IAP-315 that is managed through Central and am trying to create an L2 GRE tunnel to an Aruba 7005 controller, to tunnel a Guest network to the remote AP.
I want to continue using Central to manage the APs and only use the controller to terminate GRE tunnels from remote IAP clusters.
Currently in my lab I only have this single IAP and a controller:
IAP IP: 192.168.100.111/23
IAP VC IP: 192.168.101.250/23
Controller IP: 192.168.52.251
Routing between the AP and the controller is through a Palo Alto firewall that is allowing GRE and UDP/4500 bidirectionally, and I don't see anything being blocked.
I've successfully managed to configure a manual GRE tunnel to achieve what I want, but I'm now trying to get ArubaGRE/Automatic GRE working and am not being very successful.
On the controller I've configured:
interface gigabitethernet 0/0/1
description "GuestWiFi"
trusted
trusted vlan 1-4094
switchport access vlan 114
whitelist-db rap add mac-address 34:fc:b9:c6:6a:22 ap-group default
iap trusted-branch-db allow-all
ip local pool "rapng" 172.16.1.100 172.16.1.200
Licenses:
Access Points: 1
Next Generation Policy Enforcement Firewall Module: 1
Controller Version: 6.4.3.8
IAP Version: 6.5.1.0-4.3.1.1
(ArubaCTL) #show user
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- ---------
192.168.100.111 00:00:00:00:00:00 logon 00:01:49 VPN N/A tunnel
172.16.1.107 00:00:00:00:00:00 34:fc:b9:c6:6a:22 default-vpn-role 00:00:00 VPN 192.168.100.111 N/A default-iap tunnel
User Entries: 2/2
Curr/Cum Alloc:2/211 Free:0/209 Dyn:2 AllocErr:0 FreeErr:0
(ArubaCTL) #show iap table
Trusted Branch Validation: Disabled
IAP Branch Table
----------------
Name VC MAC Address Status Inner IP Assigned Subnet Assigned Vlan
---- -------------- ------ -------- --------------- -------------
Total No of UP Branches : 0
Total No of DOWN Branches : 0
Total No of Branches : 0
(ArubaCTL) #show packet-capture controlpath-pcap
14:14:30.685389 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: parent_sa ikev2_init[I]
14:14:30.685670 IP 192.168.52.251.4500 > 192.168.100.111.64604: NONESP-encap: isakmp: parent_sa ikev2_init[R]
14:14:30.687886 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: parent_sa ikev2_init[I]
14:14:30.689738 IP 192.168.52.251.4500 > 192.168.100.111.64604: NONESP-encap: isakmp: parent_sa ikev2_init[R]
14:14:31.155025 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:14:31.155122 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:14:31.155175 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:14:31.155227 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
14:14:31.155281 IP 192.168.100.111.64604 > 192.168.52.251.4500: NONESP-encap: isakmp: child_sa ikev2_auth[I]
(ArubaCTL) #show log security 50 | include INFO
Apr 3 15:47:35 :124003: <INFO> |authmgr| Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=34:fc:b9:c6:6a:22
Apr 3 06:47:35 :103082: <INFO> |ike| IKEv2 Client-Authentication succeeded for 172.16.1.108 (External 192.168.100.111) for default-vpn-role
Apr 3 06:47:35 :103077: <INFO> |ike| IKEv2 IKE_SA succeeded for peer 192.168.100.111:53201
Apr 3 06:47:35 :103076: <INFO> |ike| IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53201
Apr 3 06:47:35 :103078: <INFO> |ike| IKEv2 CHILD_SA successful for peer 192.168.100.111:53201
Apr 3 06:48:06 :103101: <INFO> |ike| IPSEC SA deleted for peer 192.168.100.111
Apr 3 06:48:06 :103102: <INFO> |ike| IKE SA deleted for peer 192.168.100.111
Apr 3 15:48:06 :124038: <INFO> |authmgr| Reused server Internal for method=VPN; user=34:fc:b9:c6:6a:22, essid=<>, domain=<>, server-group=default
Apr 3 06:48:06 :133005: <INFO> |localdb| User 34:fc:b9:c6:6a:22 Successfully Authenticated
Apr 3 15:48:06 :124003: <INFO> |authmgr| Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=34:fc:b9:c6:6a:22
Apr 3 06:48:06 :103082: <INFO> |ike| IKEv2 Client-Authentication succeeded for 172.16.1.109 (External 192.168.100.111) for default-vpn-role
Apr 3 06:48:06 :103077: <INFO> |ike| IKEv2 IKE_SA succeeded for peer 192.168.100.111:53203
Apr 3 06:48:06 :103076: <INFO> |ike| IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53203
Apr 3 06:48:06 :103078: <INFO> |ike| IKEv2 CHILD_SA successful for peer 192.168.100.111:53203
Apr 3 06:48:36 :103101: <INFO> |ike| IPSEC SA deleted for peer 192.168.100.111
Apr 3 06:48:36 :103102: <INFO> |ike| IKE SA deleted for peer 192.168.100.111
Apr 3 15:48:36 :124038: <INFO> |authmgr| Reused server Internal for method=VPN; user=34:fc:b9:c6:6a:22, essid=<>, domain=<>, server-group=default
Apr 3 06:48:36 :133005: <INFO> |localdb| User 34:fc:b9:c6:6a:22 Successfully Authenticated
Apr 3 15:48:36 :124003: <INFO> |authmgr| Authentication result=Authentication Successful(0), method=VPN, server=Internal, user=34:fc:b9:c6:6a:22
Apr 3 06:48:36 :103082: <INFO> |ike| IKEv2 Client-Authentication succeeded for 172.16.1.110 (External 192.168.100.111) for default-vpn-role
Apr 3 06:48:36 :103077: <INFO> |ike| IKEv2 IKE_SA succeeded for peer 192.168.100.111:53205
Apr 3 06:48:36 :103076: <INFO> |ike| IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53205
Apr 3 06:48:36 :103078: <INFO> |ike| IKEv2 CHILD_SA successful for peer 192.168.100.111:53205
Apr 3 06:49:06 :103101: <INFO> |ike| IPSEC SA deleted for peer 192.168.100.111
Apr 3 06:49:06 :103102: <INFO> |ike| IKE SA deleted for peer 192.168.100.111
From the IAP, though, I never see the VPN getting established:
34:fc:b9:c6:6a:22# show vpn status
profile name:default
--------------------------------------------------
current using tunnel :unselected tunnel
current tunnel using time :0
ipsec is preempt status :disable
ipsec is fast failover status :disable
ipsec hold on period :600s
ipsec tunnel monitor frequency (seconds/packet) :5
ipsec tunnel monitor timeout by lost packet cnt :6
ipsec primary tunnel crypto type :Cert
ipsec primary tunnel peer address :192.168.52.251
ipsec primary tunnel peer tunnel ip :0.0.0.0
ipsec primary tunnel ap tunnel ip :0.0.0.0
ipsec primary tunnel using interface :
ipsec primary tunnel using MTU :0
ipsec primary tunnel current sm status :Retrying
ipsec primary tunnel tunnel status :Down
ipsec primary tunnel tunnel retry times :101
ipsec primary tunnel tunnel uptime :0
ipsec backup tunnel crypto type :Cert
ipsec backup tunnel peer address :N/A
ipsec backup tunnel peer tunnel ip :N/A
ipsec backup tunnel ap tunnel ip :N/A
ipsec backup tunnel using interface :N/A
ipsec backup tunnel using MTU :N/A
ipsec backup tunnel current sm status :Init
ipsec backup tunnel tunnel status :Down
ipsec backup tunnel tunnel retry times :0
ipsec backup tunnel tunnel uptime :0
34:fc:b9:c6:6a:22# show log vpn-tunnel 30
2017-04-03 16:00:13 [primary tunnel] tunnel_start_up_timer(786): tunnel primary tunnel start up timer
2017-04-03 16:00:13 [primary tunnel] tunnel_stop_up_timer(651): stop up timer.
2017-04-03 16:00:14 [primary tunnel] cli_proc_rapper_msg(864): Receive rapper msg from 59168 port.
2017-04-03 16:00:14 [primary tunnel] Error!!!: Received RC_OPCODE_ERROR lms 192.168.52.251 tunnel 0.0.0.0 RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
2017-04-03 16:00:14 tunnel_err_msg_recv 1624: Cause tunnel down by ipsec error, index primary tunnel
2017-04-03 16:00:43 [primary tunnel] tunnel_up_timeout(723): tunnel primary tunnel up timeout.
2017-04-03 16:00:43 [primary tunnel] tunnel_up_timeout(769): primary tunnel tunnel is not up by retry 105 times, the max retry times on one tunnel is 2. try itself
2017-04-03 16:00:43 [primary tunnel] State TUNNEL_STATE_RETRY Event TUNNEL_EVENT_TUNNEL_RETRY Next state TUNNEL_STATE_RETRY
2017-04-03 16:00:43 [primary tunnel] tunnel_retry(201): tunnel primary tunnel, type ipsec tunnel, peer public address 192.168.52.251
2017-04-03 16:00:43 [primary tunnel] tunnel_retry(222): setting up tunnel to primary tunnel, retry=106
2017-04-03 16:00:43 [primary tunnel] ipsec_tunnel_connect(1384): connect to primary tunnel, peer address 192.168.52.251.
2017-04-03 16:00:43 [primary tunnel] ipsec_tunnel_connect(1390): stop primary tunnel first before connect to it
2017-04-03 16:00:43 [primary tunnel] stop_rapper: client->pid=29638, tunnel public ip 0.0.0.0, peer tunnel ip 0.0.0.0, tunnel ip 0.0.0.0, port 8423
2017-04-03 16:00:43 [primary tunnel] stop_rapper(1324): Kill client->pid=29638.
2017-04-03 16:00:43 [primary tunnel] stop_rapper(1345): Waiting until the client 29638 is killed
2017-04-03 16:00:43 [primary tunnel] stop_rapper(1357): result of wait4 29638 for pid (client->pid) 29638
2017-04-03 16:00:43 [primary tunnel] ipsec_tunnel_connect(1410): primary tunnel, cli_local_ip 192.168.100.111 netmask 255.255.254.0
2017-04-03 16:00:43 addroute(490):Dst fb34a8c0 mask 0 gw fe64a8c0
2017-04-03 16:00:43 set_route_af: ioctl (SIOCADDRT) failed error no(17)
2017-04-03 16:00:43 [primary tunnel] ipsec_tunnel_connect(1431): add route table destination 192.168.52.251, gw 192.168.100.254, interface br0.
2017-04-03 16:00:43 [primary tunnel] Starting rapper with lifetime p1 = 28000 p2 = 7200
2017-04-03 16:00:43 [primary tunnel] Starting IAP rapper 0 to 192.168.52.251:8423 attmpt 0
2017-04-03 16:00:43 [primary tunnel] lauch rapper command: rapper -c 192.168.52.251 -b 1 -i br0 -x -G 0 -r 8423 -l 28000 -L 7200 -w 1 -o /tmp/rapper.txt
2017-04-03 16:00:43 [primary tunnel] Eth - Populate the PID 29936 in file /tmp/rapper_pid_1
2017-04-03 16:00:43 [primary tunnel] tunnel_retry(277): setting up tunnel to primary tunnel, success.
2017-04-03 16:00:43 [primary tunnel] tunnel_start_up_timer(786): tunnel primary tunnel start up timer
2017-04-03 16:00:43 [primary tunnel] tunnel_stop_up_timer(651): stop up timer.
2017-04-03 16:00:44 [primary tunnel] cli_proc_rapper_msg(864): Receive rapper msg from 59168 port.
2017-04-03 16:00:44 [primary tunnel] Error!!!: Received RC_OPCODE_ERROR lms 192.168.52.251 tunnel 0.0.0.0 RC_ERROR_ISAKMP_N_RSA_DECRYPTION_FAILED
2017-04-03 16:00:44 tunnel_err_msg_recv 1624: Cause tunnel down by ipsec error, index primary tunnel
34:fc:b9:c6:6a:22# show log rapper
Insert Timer type 1 Sec 70 uSec 0
Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created
#RECV 900 bytes from 192.168.52.251[4500] (0.0)(pid:29638) time:2017-04-03 16:00:14
spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
exchange=IKE_AUTH msgid=1 len=896
ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
Apr 03, 16:00:14: IKE2_xchgIn:1148 bResponse=1 status=-90023
spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
exchange=IKE_AUTH msgid=1 len=896
Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created
#RECV 900 bytes from 192.168.52.251[4500] (0.0)(pid:29638) time:2017-04-03 16:00:14
spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
exchange=IKE_AUTH msgid=1 len=896
ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
Apr 03, 16:00:14: IKE2_xchgIn:1148 bResponse=1 status=-90023
spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
exchange=IKE_AUTH msgid=1 len=896
Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created
#RECV 900 bytes from 192.168.52.251[4500] (0.0)(pid:29638) time:2017-04-03 16:00:14
spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
exchange=IKE_AUTH msgid=1 len=896
ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
Apr 03, 16:00:14: IKE2_xchgIn:1148 bResponse=1 status=-90023
spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
exchange=IKE_AUTH msgid=1 len=896
Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created
#RECV 900 bytes from 192.168.52.251[4500] (0.0)(pid:29638) time:2017-04-03 16:00:14
spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
exchange=IKE_AUTH msgid=1 len=896
ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
Apr 03, 16:00:14: IKE2_xchgIn:1148 bResponse=1 status=-90023
spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
exchange=IKE_AUTH msgid=1 len=896
Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created
#RECV 900 bytes from 192.168.52.251[4500] (0.0)(pid:29638) time:2017-04-03 16:00:14
spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
exchange=IKE_AUTH msgid=1 len=896
ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
Apr 03, 16:00:14: IKE2_xchgIn:1148 bResponse=1 status=-90023
spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
exchange=IKE_AUTH msgid=1 len=896
Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created
#RECV 816 bytes from 192.168.52.251[4500] (0.0)(pid:29638) time:2017-04-03 16:00:14
spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
exchange=IKE_AUTH msgid=1 len=812
ike2.c (670): errorCode = ERR_FRAGMENTATION_REQUIRED
Apr 03, 16:00:14: IKE2_xchgIn:1148 bResponse=1 status=-90023
spi={d80a77acff556c34 3b0bcd03eaf5d009} np=FGMT
exchange=IKE_AUTH msgid=1 len=812
Apr 03, 16:00:14: IKE2_fragRecv Rcvd all 7 fragments
Delete Timer Type 1
Apr 03, 16:00:14: IKE2_msgRecv:1406 original ike_context created
#RECV 5968 bytes from 192.168.52.251[4500] (0.0)(pid:29638) time:2017-04-03 16:00:14
spi={d80a77acff556c34 3b0bcd03eaf5d009} np=E{IDr}
exchange=IKE_AUTH msgid=1 len=5964
I <--
Apr 03, 16:00:14: InId: cert_DN in ID Payload:CN=CP0016110::00:0b:86:bf:77:70 wIdLen=54
Apr 03, 16:00:14: InId:6974 ERROR: failed to read /tmp/is_cert_rap
Apr 03, 16:00:14: |ocsp| check_rap = 0
Apr 03, 16:00:14: |ocsp| check_rap = 0
Apr 03, 16:00:14: |ocsp| check_rap = 0
Apr 03, 16:00:14: |ocsp| check_rap = 0
Apr 03, 16:00:14: sort_certificate_chain: Size of certificate chain to be sorted: 4
Apr 03, 16:00:14: sort_certificate_chain: Current cert index being considered: 0
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 1 is an issuer cert for cert at index 0
Apr 03, 16:00:14: sort_certificate_chain: Current cert index being considered: 1
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 0 is not an issuer cert for cert at index 1
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 2 is an issuer cert for cert at index 1
Apr 03, 16:00:14: sort_certificate_chain: Current cert index being considered: 2
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 0 is not an issuer cert for cert at index 2
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 1 is not an issuer cert for cert at index 2
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 3 is an issuer cert for cert at index 2
Apr 03, 16:00:14: sort_certificate_chain: Current cert index being considered: 3
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 0 is not an issuer cert for cert at index 3
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 1 is not an issuer cert for cert at index 3
Apr 03, 16:00:14: sort_certificate_chain: Cert at index 2 is not an issuer cert for cert at index 3
Apr 03, 16:00:14: sort_certificate_chain: Last cert has n parent in chain
Apr 03, 16:00:14: CERT_ComputeCertificateHash: status :0
Apr 03, 16:00:14: CERT_verifyRSACertSignature: comparison result 0
Apr 03, 16:00:14: CERT_ComputeCertificateHash: status :0
Apr 03, 16:00:14: CERT_verifyRSACertSignature: comparison result 0
Apr 03, 16:00:14: CERT_ComputeCertificateHash: status :0
Apr 03, 16:00:14: CERT_verifyRSACertSignature: comparison result 0
Apr 03, 16:00:14: IKE_certGetKey(peer:c0a834fb): isCSS:0 Check in ArubaTrustedCaCerts, numCaCerts:2
Apr 03, 16:00:14: IKE_certGetKey(): Cert trying ArubaTrustedCaCerts[0]
Apr 03, 16:00:14: IKE_certGetKey(): verify the validity
Apr 03, 16:00:14: IKE_certGetKey(): Cert trying ArubaTrustedCaCerts[1]
Apr 03, 16:00:14: IKE_certGetKey(): verify the validity
Apr 03, 16:00:14: CERT_ComputeCertificateHash: status :0
Apr 03, 16:00:14: CERT_verifyRSACertSignature: comparison result 0
Apr 03, 16:00:14: IKE_certGetKey(): iset the key value 0x1fdf6a4
ike2_state.c (5861): errorCode = ERR_RSA_DECRYPTION
Apr 03, 16:00:14: IKE_SAMPLE_ikeStatHdlr(CHILD_SA): dwPeerAddr:c0a834fb index:0 mPeerType:0
Apr 03, 16:00:14: IKE SA failed reason = ERR_RSA_DECRYPTION, errorcode = -7702 ikeVer 2
Apr 03, 16:00:14: send_sapd_error: InnerIP:0 error:50 debug_error:0
Apr 03, 16:00:14: send_sapd_error: error:50 debug_error:0
Apr 03, 16:00:14: rapper_log_error: buf = d8 0a 77 ac ff 55 6c 34 32
Apr 03, 16:00:14: |ocsp| IKE2_delSa: 1008
Apr 03, 16:00:14: IKE_SAMPLE_ikeStatHdlr(SA): dwPeerAddr:c0a834fb index:0 mPeerType:0
Apr 03, 16:00:14: IKE_SA [v2 I] (id=0x9bd8093a) flags 0x41000015 failed reason = ERR_RSA_DECRYPTION, errorcode = -7702
Apr 03, 16:00:14: IKE_SAMPLE_ikeStatHdlr(IST_FAIL): g_ikeversion:2
Apr 03, 16:00:14: |ocsp| IKE2_delSa: 1090
Apr 03, 16:00:14: |ocsp| ap_remove_certmgr_packet: start
Timer ID: 1 Deleted
Apr 03, 16:00:14: IKE2_xchgIn:1148 bResponse=1 status=-7702
Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
Apr 03, 16:00:14: |ocsp| cleanup_context_data:1984
Apr 03, 16:00:14: IKE2_msgRecv:1561 status=-7702
Apr 03, 16:00:14: IKE2_msgRecv:1737 exit:
Apr 03, 16:00:14: |ocsp| cleanup_context_data:1984
rapperSendStatusCB
Any suggestions on how to further troubleshoot the issue?
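As an added example (not part of the original post), a small Python script that parses the controller's `show log security` lines quoted above and flags peers whose IKEv2 tunnel is created and torn down within a short window, i.e. the create/delete/re-create churn visible every ~30 s in that log. The event codes 103076 and 103102 are taken from the quoted output; the sample log is constructed from those same lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the |ike| lines from the controller log quoted in the post.
SAMPLE_LOG = """\
Apr 3 06:47:35 :103077: <INFO> |ike| IKEv2 IKE_SA succeeded for peer 192.168.100.111:53201
Apr 3 06:47:35 :103076: <INFO> |ike| IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53201
Apr 3 06:48:06 :103101: <INFO> |ike| IPSEC SA deleted for peer 192.168.100.111
Apr 3 06:48:06 :103102: <INFO> |ike| IKE SA deleted for peer 192.168.100.111
Apr 3 06:48:06 :103077: <INFO> |ike| IKEv2 IKE_SA succeeded for peer 192.168.100.111:53203
Apr 3 06:48:06 :103076: <INFO> |ike| IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53203
Apr 3 06:48:36 :103101: <INFO> |ike| IPSEC SA deleted for peer 192.168.100.111
Apr 3 06:48:36 :103102: <INFO> |ike| IKE SA deleted for peer 192.168.100.111
Apr 3 06:48:36 :103077: <INFO> |ike| IKEv2 IKE_SA succeeded for peer 192.168.100.111:53205
Apr 3 06:48:36 :103076: <INFO> |ike| IKEv2 IPSEC Tunnel created for peer 192.168.100.111:53205
Apr 3 06:49:06 :103101: <INFO> |ike| IPSEC SA deleted for peer 192.168.100.111
Apr 3 06:49:06 :103102: <INFO> |ike| IKE SA deleted for peer 192.168.100.111
"""

# ArubaOS log line: "<Mon> <day> <HH:MM:SS> :<eventcode>: <LEVEL> |<process>| <message>"
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d+)\s+(?P<time>\d\d:\d\d:\d\d)\s+"
    r":(?P<code>\d+):\s+<\w+>\s+\|(?P<proc>\w+)\|\s+(?P<msg>.*)$"
)
PEER_RE = re.compile(r"peer (?P<ip>\d+\.\d+\.\d+\.\d+)(?::(?P<port>\d+))?")

# Event codes as they appear in the post: tunnel created / IKE SA deleted.
CREATED, DELETED = "103076", "103102"

def parse(log_text, year=2017):
    """Return (timestamp, eventcode, peer_ip) for every |ike| line naming a peer."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["proc"] != "ike":
            continue
        peer = PEER_RE.search(m["msg"])
        if not peer:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["code"], peer["ip"]))
    return events

def find_flapping(events, max_lifetime_s=60):
    """Per peer, list tunnel lifetimes (seconds) that ended within max_lifetime_s."""
    open_since, short = {}, defaultdict(list)
    for ts, code, ip in events:
        if code == CREATED:
            open_since[ip] = ts
        elif code == DELETED and ip in open_since:
            life = (ts - open_since.pop(ip)).total_seconds()
            if life <= max_lifetime_s:
                short[ip].append(life)
    return dict(short)
```

Only the `|ike|` process is considered because, in the quoted log, the `|authmgr|` lines carry a different hour than the `|ike|` lines for the same event, so mixing the two would skew the lifetimes.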