mkk
Contributor II

ArubaOS Mobility Master IPSEC over WAN to datacenter

Hi Airheads friends,

 

As far as I know, an ArubaOS Mobility Master communicates with the physical controllers based on IPSEC. We have to deploy an ArubaOS Mobility Master in a remote datacenter. At the office we have two physical Mobility Controllers.

Both locations only have a WAN connection (there is no VPN between the datacenter and the remote office at this moment).

Because the MM and MC communicate over IPSEC by themselves, it should be possible to communicate over the internet WAN, but we would have to make some NAT rules on the firewalls.

Questions:

1. Is it OK to run the IPSEC from the MM to the MC over the WAN? Probably the answer is yes.

2. Which one initiates the IPSEC connection, the MM or the MCs?

Aruba Employee

Re: ArubaOS Mobility Master IPSEC over WAN to datacenter

1. Probably technically feasible. You might want to look into the VPNC/Branch use-case and use 2x controllers as MGMT-VPNCs in your DC. Essentially all your controllers out in the branches would terminate their IPSec on those VPNCs and connect through them to your Mobility Master. Benefit of this setup: you can also use the IPSec for user/data traffic and not only Control traffic to the MM.


2. The initiator is always the MC. You can check this by looking at your IPSec SAs on the MM:

show crypto ipsec sa


IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP                              Responder IP                              SPI(IN/OUT)        Flags Start Time        Inner IP
------------                              ------------                              ----------------   ----- ---------------   --------
192.168.65.98                             192.168.65.95                             cff64800/f2fb4d00  UT2   Jun 15 13:48:52     -
192.168.65.99                             192.168.65.95                             50f17500/2207c200  UT2   Jun 15 13:59:51     -
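
As an added example (not from the thread and not ArubaOS code): a small Python parser for the `show crypto ipsec sa` table shown above. It lists the active SAs and flags any whose initiator is not one of your known MCs (seen from the MM as the branch WAN address once the tunnel crosses the internet) or whose responder is not the MM. The sample table reuses the addresses from the answer; the expected MC set and MM address passed in are assumptions you would replace with your own.

```python
import re
from typing import Dict, List, Set

# Constructed sample in the layout of ArubaOS `show crypto ipsec sa`
# (addresses and SPIs copied from the answer above).
SAMPLE_OUTPUT = """\
IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP                              Responder IP                              SPI(IN/OUT)        Flags Start Time        Inner IP
------------                              ------------                              ----------------   ----- ---------------   --------
192.168.65.98                             192.168.65.95                             cff64800/f2fb4d00  UT2   Jun 15 13:48:52     -
192.168.65.99                             192.168.65.95                             50f17500/2207c200  UT2   Jun 15 13:59:51     -
"""

# One data row: initiator, responder, SPI in/out, flags, start time, inner IP.
# Header and separator lines do not match and are skipped.
ROW_RE = re.compile(
    r"^(?P<initiator>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<responder>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<spi_in>[0-9a-f]+)/(?P<spi_out>[0-9a-f]+)\s+"
    r"(?P<flags>\S+)\s+"
    r"(?P<start>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<inner>\S+)\s*$"
)


def parse_ipsec_sa(text: str) -> List[Dict[str, str]]:
    """Return one dict per active SA row in the command output."""
    return [m.groupdict() for line in text.splitlines() if (m := ROW_RE.match(line))]


def unexpected_sessions(sas: List[Dict[str, str]], expected_mcs: Set[str], mm_ip: str) -> List[Dict[str, str]]:
    """SAs whose initiator is not a known MC or whose responder is not the MM.

    On the MM the initiator of every SA should be one of your controllers, so an
    unknown initiator (or a responder other than the MM itself) warrants a look.
    """
    return [sa for sa in sas if sa["initiator"] not in expected_mcs or sa["responder"] != mm_ip]


if __name__ == "__main__":
    # Assumed values: only .98 is a known MC here, so the .99 session is reported.
    for sa in unexpected_sessions(parse_ipsec_sa(SAMPLE_OUTPUT), {"192.168.65.98"}, "192.168.65.95"):
        print("unexpected SA:", sa["initiator"], "->", sa["responder"], "since", sa["start"])
```

In practice you would feed it the output captured from the MM (for example over SSH) and review any session it reports.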
mkk
Contributor II

Re: ArubaOS Mobility Master IPSEC over WAN to datacenter

Hi Owehrli,


Thanks for your explanation, it is very much appreciated.

The MC user/data traffic is only needed locally in the branch offices; only management traffic goes to the DC vMM.

  • In the MC in the branch office I would like to configure the WAN IP of the datacenter.
  • In the MM in the datacenter I would like to configure the WAN IP of the branch office.

Because the IPSEC is initiated by the MC, I have to configure a destination NAT to the MM on the firewall in the datacenter. See the attachment for a graphical explanation :)

We do not intend to place an extra MC in the datacenter.

Am I correct? Should this work?

Aruba Employee

Re: ArubaOS Mobility Master IPSEC over WAN to datacenter

I don't see any reason why not. It should work as long as you make the internal MM IP accessible to your MCs from wherever they connect to the internet to initiate the IPSec connection.

Aruba Employee

Re: ArubaOS Mobility Master IPSEC over WAN to datacenter

Please share your experiences once you have implemented this; it might be interesting for others as well!

mkk
Contributor II

Re: ArubaOS Mobility Master IPSEC over WAN to datacenter

Of course I wanted to share my experience, but I was a bit busy the last few days.

We now have the Mobility Master in the remote datacenter and have configured the IPSEC tunnel with 0.0.0.0 as the IP.

The onsite Mobility Controller connects over the internet to the datacenter. In the IPSEC configuration, the external WAN IP of the datacenter has been entered as the IPSEC IP.

Only on the datacenter side has a destination NAT been created on the firewall, so that traffic from the outside is forwarded the right way.

Works as conceived, without problems.

Thanks for your help!