Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

BoC Routing Question

  • 1.  BoC Routing Question

    Posted Jun 27, 2016 11:23 AM

    Working on setting up my first Branch controller.  AOS 6.4.3.7 with the Zero touch configuration.  7210 at the hub to a 7010 at the branch.  I am using statically assigned subnets.  Using NAT-T I have it so the branch is getting the configuration of the master.  But I am unsure how to get the routing working.  I cannot ping anything other than the controller management IP of the master from the branch.  Is NAT-T all I need or do I have to set up the VPN in the smart config with ISAKMP and ESP?


    From my corp network I have routing of VLAN 124, 125 working to the master 7210 controller.  How do I get those routes to the branch and the branch to route everything 0.0.0.0 back to the master?


    Smart config below.  


    (FLRRG01-ArubaMRAP2) #show switches

    All Switches
    ------------
    IP Address Name Location Type Model Version Status Configuration State Config Sync Time (sec) Config ID
    ---------- ---- -------- ---- ----- ------- ------ ------------------- ---------------------- ---------
    10.50.94.10 FLRRG01-ArubaMRAP2 Raleigh.NC master Aruba7210 6.4.3.7_53990 up UPDATE SUCCESSFUL 0 233
    10.50.124.5 FLRZZ99-Aruba01 Building1.floor1 branch Aruba7010 6.4.3.7_53990 up UPDATE SUCCESSFUL 2 233

    Total Switches:2


    (FLRRG01-ArubaMRAP2) #
    (FLRRG01-ArubaMRAP2) #
    (FLRRG01-ArubaMRAP2) #
    (FLRRG01-ArubaMRAP2) #show branch config name FLRZZ99-Aruba01

    full-config-branch-config
    controller-ip vlan 124
    vlan 124
    interface vlan 124
    interface vlan 124 ip address 10.50.124.5 255.255.255.0
    vlan 125
    interface vlan 125
    interface vlan 125 ip address 10.50.125.5 255.255.255.0
    vlan 2199
    interface vlan 2199
    interface vlan 2199 ip address 10.50.126.5 255.255.255.0
    service dhcp
    ip dhcp excluded-address 10.50.124.1 10.50.124.16
    ip dhcp excluded-address 10.50.124.250 10.50.124.254
    ip dhcp pool ZZ99-BoC-Data-VLAN124
    ip dhcp pool ZZ99-BoC-Data-VLAN124 default-router 10.x.x.x.
    ip dhcp pool ZZ99-BoC-Data-VLAN124 dns-server 10.x.x.x
    ip dhcp pool ZZ99-BoC-Data-VLAN124 domain-name domain.com
    ip dhcp pool ZZ99-BoC-Data-VLAN124 network 10.50.124.0 255.255.255.0
    ip dhcp excluded-address 10.50.125.1 10.50.125.16
    ip dhcp excluded-address 10.50.125.250 10.50.125.254
    ip dhcp pool ZZ99-BoC-Voice-VLAN125
    ip dhcp pool ZZ99-BoC-Voice-VLAN125 default-router 10.x.x.x
    ip dhcp pool ZZ99-BoC-Voice-VLAN125 dns-server 10.x.x.x.
    ip dhcp pool ZZ99-BoC-Voice-VLAN125 domain-name doamin.com
    ip dhcp pool ZZ99-BoC-Voice-VLAN125 network 10.50.125.0 255.255.255.0
    ip dhcp excluded-address 10.50.126.1 10.50.126.16
    ip dhcp excluded-address 10.50.126.250 10.50.126.254
    ip dhcp pool ZZ99-BoC-NLAW101-VLAN2199
    ip dhcp pool ZZ99-BoC-NLAW101-VLAN2199 default-router 10.x.x.x
    ip dhcp pool ZZ99-BoC-NLAW101-VLAN2199 dns-server 10.x.x.x
    ip dhcp pool ZZ99-BoC-NLAW101-VLAN2199 domain-name domain.com
    ip dhcp pool ZZ99-BoC-NLAW101-VLAN2199 network 10.50.126.0 255.255.255.0
    snmp-server community "****************"
    syscontact "Alan Scott"
    snmp-server host "10.x.x.x" version 2c "BoC-Test" udp-port "162"
    vlan "RG01-ZZ99-BoC-Data-VLAN124" "124"
    vlan "RG01-ZZ99-BoC-Voice-VLAN125" "125"
    vlan "RG01-ZZ99-BoC-NLAW101-VLAN2199" "2199"
    interface vlan 125
    interface vlan 125 ip helper-address 10.x.x.x
    interface vlan 125 description "RG01-ZZ99-BoC-Voice-VLAN125"
    interface vlan 125 operstate up
    interface vlan 2199
    interface vlan 2199 ip helper-address 10.x.x.x 
    interface vlan 2199 description "RG01-ZZ99-BoC-NLAW101-VLAN2199"
    interface vlan 2199 operstate up
    interface vlan 124
    interface vlan 124 ip helper-address 10.8.28.100
    interface vlan 124 description "RG01-ZZ99-BoC-Data-VLAN124"
    interface vlan 124 operstate up
    ip route 10.0.0.0 255.0.0.0 10.50.124.10
    interface gigabitethernet "0/0/0"
    interface gigabitethernet "0/0/0" speed auto
    interface gigabitethernet "0/0/0" duplex auto
    interface gigabitethernet "0/0/0" switchport mode access
    interface gigabitethernet "0/0/0" switchport access vlan 124
    interface gigabitethernet "0/0/0" description "Data VLAN 124"
    interface gigabitethernet "0/0/0" trusted
    interface gigabitethernet "0/0/1"
    interface gigabitethernet "0/0/1" speed auto
    interface gigabitethernet "0/0/1" duplex auto
    interface gigabitethernet "0/0/1" switchport mode access
    interface gigabitethernet "0/0/1" switchport access vlan 125
    interface gigabitethernet "0/0/1" description "Voice VLAN 125"
    interface gigabitethernet "0/0/1" trusted
    no ip route 10.0.0.0 255.0.0.0 ipsec "BoC-Test"
    ip route 10.0.0.0 255.0.0.0 ipsec "default-boc-bm-ipsecmap"
    ip radius source-interface vlan "124"
    mgmt-server type amp primary-server 10.50.19.217 profile "default-amp"
    crypto-local isakmp key "******" address 0.0.0.0 netmask 255.255.255.255
    crypto-local isakmp key "********" address 5.5.5.5 netmask 255.255.255.255
    crypto-local ipsec-map "BoC-Test" 100
    crypto-local ipsec-map "BoC-Test" 100 no disable
    crypto-local ipsec-map "BoC-Test" 100 pre-connect disable
    crypto-local ipsec-map "BoC-Test" 100 trusted enable
    crypto-local ipsec-map "BoC-Test" 100 force-natt disable
    crypto-local ipsec-map "BoC-Test" 100 peer-ip 5.5.5.5  <<<  The outside publicly route IP of my 7210
    crypto-local ipsec-map "BoC-Test" 100 dst-net 10.0.0.0 255.0.0.0  <<<  I want all 10. traffic to the 7210 hub.
    crypto-local ipsec-map "BoC-Test" 100 src-net 10.50.124.0 255.255.254.0   <<covers 2 of the 3 subnets at branch
    crypto-local ipsec-map "BoC-Test" 100 set transform-set "default-boc-bm-transform"
    crypto-local ipsec-map "BoC-Test" 100 no set ca-certificate
    crypto-local ipsec-map "BoC-Test" 100 no set server-certificate
    ip domain-name "domain.com"
    ip name-server 10.x.x.x 
    logging level warnings network
    logging level warnings security
    logging level warnings system
    logging level warnings user
    logging level warnings wireless
    logging 10.50.19.3
    mgmt-user "admin" "root" "******************************"
    firewall dpi
    branch config-id 24



  • 2.  RE: BoC Routing Question

    Posted Jul 01, 2016 09:17 AM

    You seem to have 3 IP routing statements in the configuration:


    ip route 10.0.0.0 255.0.0.0 10.50.124.10

    no ip route 10.0.0.0 255.0.0.0 ipsec "BoC-Test"
    ip route 10.0.0.0 255.0.0.0 ipsec "default-boc-bm-ipsecmap"


    I'm assuming the entry that has "no" in front of it is actually the one you want to use?

    What does the branch controller show in its routing table ('show ip route')?




  • 3.  RE: BoC Routing Question
    Best Answer

    Posted Aug 05, 2016 10:55 AM

    Sorry for the late reply but I got this working with some help from the good folks at Aruba.  My requirement was to route all traffic to the master for corp and internet access.  However, the branch controller automatically adds a route to the local area network (my home router/ISP) it is connected to that cannot be removed.  I did not want to route traffic out that default route because my company uses Websense URL filtering and we would not have that option at a branch site, so I had to route it all back to the master.  To do this we added a PBR (Policy Based Routing) under the smart config routing section.  Simply said, if you see any traffic from any of the up to 16 static subnets on the branch, send them over the IPsec tunnel.  I also upgraded to AOS 6.5.0 so I can have up to 16 static subnets and the option to use IP helpers.  All works great.  If anyone has questions please let me know.
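
The two problems raised in this thread, leftover route statements for the same prefix (reply 2) and branch subnets that are not actually sent over the tunnel so they fall out the local default route (the best answer), can both be caught by reading the `show branch config` dump before the controller goes live. The script below is an added example, not code from the thread or from Aruba: it parses the routing and `ipsec-map` lines of a trimmed, constructed copy of the poster's dump and reports (a) prefixes left with more than one next hop after `no ip route` lines are applied and (b) VLAN subnets outside every `src-net` selector. In the posted config the `255.255.254.0` mask covers VLAN 124 and 125 but not `10.50.126.0/24` on VLAN 2199, which is precisely the kind of traffic that would bypass the corporate URL filter. Treating a `no ip route` line as removing a matching earlier entry is an assumption about how to read the dump, not a statement about ArubaOS semantics.

```python
"""Sanity checks for an ArubaOS branch (BoC) smart-config dump (added example)."""
import re
from ipaddress import ip_network

# Constructed sample: a trimmed copy of the routing-relevant lines from the
# thread's 'show branch config name FLRZZ99-Aruba01' output.
SAMPLE_CONFIG = """\
interface vlan 124 ip address 10.50.124.5 255.255.255.0
interface vlan 125 ip address 10.50.125.5 255.255.255.0
interface vlan 2199 ip address 10.50.126.5 255.255.255.0
ip route 10.0.0.0 255.0.0.0 10.50.124.10
no ip route 10.0.0.0 255.0.0.0 ipsec "BoC-Test"
ip route 10.0.0.0 255.0.0.0 ipsec "default-boc-bm-ipsecmap"
crypto-local ipsec-map "BoC-Test" 100 dst-net 10.0.0.0 255.0.0.0
crypto-local ipsec-map "BoC-Test" 100 src-net 10.50.124.0 255.255.254.0
"""

VLAN_RE = re.compile(r'^interface vlan (\d+) ip address (\S+) (\S+)$')
ROUTE_RE = re.compile(r'^(no )?ip route (\S+) (\S+) (.+)$')
SRCNET_RE = re.compile(r'^crypto-local ipsec-map "([^"]+)" \d+ src-net (\S+) (\S+)$')


def _net(addr, mask):
    # strict=False turns an interface address into its containing subnet
    return ip_network(f"{addr}/{mask}", strict=False)


def parse_config(text):
    """Return (vlans, routes, srcnets) from the dump.

    vlans:   {vlan_id: IPv4Network of the interface subnet}
    routes:  [(negated, prefix IPv4Network, next_hop text)] in config order
    srcnets: {ipsec-map name: [IPv4Network src-net selectors]}
    """
    vlans, routes, srcnets = {}, [], {}
    for raw in text.splitlines():
        line = raw.strip()
        m = VLAN_RE.match(line)
        if m:
            vlans[int(m[1])] = _net(m[2], m[3])
            continue
        m = ROUTE_RE.match(line)
        if m:
            routes.append((m[1] is not None, _net(m[2], m[3]), m[4].strip()))
            continue
        m = SRCNET_RE.match(line)
        if m:
            srcnets.setdefault(m[1], []).append(_net(m[2], m[3]))
    return vlans, routes, srcnets


def conflicting_routes(routes):
    """Prefixes that still have more than one next hop once 'no ip route'
    lines are applied (assumption: a 'no' line removes a matching entry)."""
    effective = {}
    for negated, prefix, next_hop in routes:
        hops = effective.setdefault(prefix, [])
        if negated:
            if next_hop in hops:
                hops.remove(next_hop)
        elif next_hop not in hops:
            hops.append(next_hop)
    return {str(p): hops for p, hops in effective.items() if len(hops) > 1}


def uncovered_subnets(vlans, srcnets):
    """VLAN subnets that no ipsec-map src-net selector covers; traffic from
    these is not matched by the tunnel policy and follows the ordinary table."""
    selectors = [n for nets in srcnets.values() for n in nets]
    return {vid: str(net) for vid, net in vlans.items()
            if not any(net.subnet_of(sel) for sel in selectors)}


def check(text):
    """Run both checks over a config dump and return the findings."""
    vlans, routes, srcnets = parse_config(text)
    return {"conflicting_routes": conflicting_routes(routes),
            "uncovered_vlans": uncovered_subnets(vlans, srcnets)}


if __name__ == "__main__":
    for name, findings in check(SAMPLE_CONFIG).items():
        print(f"{name}: {findings or 'none'}")
```

Run against the sample it reports `10.0.0.0/8` with two surviving next hops (the `10.50.124.10` gateway and the `default-boc-bm-ipsecmap` tunnel) and VLAN 2199 as uncovered; on a real dump, feed it the full `show branch config` text and expect both findings to be empty before relying on the tunnel for every branch subnet.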



  • 4.  RE: BoC Routing Question

    Posted Aug 05, 2016 11:00 AM

    BTW I also put in a feature request to see if Aruba could support Websense URL filtering.  It would help us a lot as I could then send internet traffic out locally at the branch site.  If you are reading this I would really appreciate it if you could help promote this idea on the feature request page.

    https://arubanetworkskb.secure.force.com/cp/ideas/viewIdea.apexp?id=087330000004Kww