Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

How to provision RAP via Internet? Does anybody have the experience and can help us?

  • 1.  How to provision RAP via Internet? Does anybody have the experience and can help us?

    Posted Jun 23, 2018 04:37 AM

    1. Our controller is a VMC in standalone mode with the public IP 47.104.193.111.

    (AOS83) [mynode] (config) #show license limits

    License Limits
    --------------
    Limit Value
    ----- -----
    1000 Access Points
    0 RF Protect
    0 120abg Upgrade
    0 121abg Upgrade
    0 124abg Upgrade
    0 125abg Upgrade
    1000 Next Generation Policy Enforcement Firewall Module
    0 Advanced Cryptography
    0 Service provider AP
    0 WebCC
    0 Beta AP
    0 MM-VA
    1000 MC-VA-RW
    0 MC-VA-EG
    0 MC-VA-IL
    0 MC-VA-JP
    0 MC-VA-US
    0 VIA
    (AOS83) [mynode] (config) #

     

    2. We tried to connect our RAP to this VMC, but we got the following error information:

    (attached screenshot: 微信图片_20180623070049.png)

    (AOS83) [mynode] (config) #show crypto isakmp sa

    ISAKMP SA Active Session Information
    ------------------------------------
    Initiator IP Responder IP Flags Start Time Private IP
    ------------ ------------ ----- --------------- ----------
    36.110.67.20 172.31.4.51 r-v2-c-R Jun 23 16:33:35 172.16.2.19

    Flags: i = Initiator; r = Responder
    m = Main Mode; a = Agressive Mode; v2 = IKEv2
    p = Pre-shared key; c = Certificate/RSA Signature; e = ECDSA Signature
    x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
    3 = 3rd party AP; C = Campus AP; R = RAP; Ru = Custom Certificate RAP; I = IAP
    V = VIA; S = VIA over TCP

    Total ISAKMP SAs: 1
    (AOS83) [mynode] (config) #show crypto ipsec sa


    IPSEC SA (V2) Active Session Information
    -----------------------------------
    Initiator IP Responder IP SPI(IN/OUT) Flags Start Time Inner IP
    ------------ ------------ ---------------- ----- --------------- --------
    36.110.67.20 172.31.4.51 f860b400/56798a00 UT2 Jun 23 16:33:43 172.16.2.22

    Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
    L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

    Total IPSEC SAs: 1
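The two tables above are the first thing to read when a RAP cannot come up: the Flags column says how the IKE SA was authenticated and what kind of device the peer claims to be. The following Python is an added example (not code from the original post or from HPE Aruba) that parses both tables as the controller prints them, decodes the flags using the legend shown in the post, and raises the finding that the answers below this post make: a RAP whose IKE SA was authenticated by certificate against a VMC. The sample tables are the ones from the post; the finding text paraphrases the thread's answer and is an assumption of this example.

```python
import re

# Flag legends, copied from the legend the controller prints under each table.
ISAKMP_FLAGS = {
    "i": "Initiator", "r": "Responder",
    "m": "Main Mode", "a": "Aggressive Mode", "v2": "IKEv2",
    "p": "Pre-shared key", "c": "Certificate/RSA Signature", "e": "ECDSA Signature",
    "x": "XAuth Enabled", "y": "Mode-Config Enabled", "E": "EAP Enabled",
    "3": "3rd party AP", "C": "Campus AP", "R": "RAP", "Ru": "Custom Certificate RAP",
    "I": "IAP", "V": "VIA", "S": "VIA over TCP",
}
IPSEC_FLAGS = {
    "T": "Tunnel Mode", "E": "Transport Mode", "U": "UDP Encap",
    "L": "L2TP Tunnel", "N": "Nortel Client", "C": "Client", "2": "IKEv2",
}

# Constructed sample input: the two tables from the post, verbatim.
SAMPLE_ISAKMP = """\
ISAKMP SA Active Session Information
------------------------------------
Initiator IP Responder IP Flags Start Time Private IP
------------ ------------ ----- --------------- ----------
36.110.67.20 172.31.4.51 r-v2-c-R Jun 23 16:33:35 172.16.2.19

Total ISAKMP SAs: 1
"""
SAMPLE_IPSEC = """\
IPSEC SA (V2) Active Session Information
Initiator IP Responder IP SPI(IN/OUT) Flags Start Time Inner IP
36.110.67.20 172.31.4.51 f860b400/56798a00 UT2 Jun 23 16:33:43 172.16.2.22
Total IPSEC SAs: 1
"""

_TS = r"[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}"
_ISAKMP_ROW = re.compile(rf"^(\S+)\s+(\S+)\s+(\S+)\s+({_TS})\s+(\S+)$")
_IPSEC_ROW = re.compile(
    rf"^(\S+)\s+(\S+)\s+([0-9a-f]+)/([0-9a-f]+)\s+(\S+)\s+({_TS})\s+(\S+)$")


def decode_isakmp_flags(flags):
    """ISAKMP flags are dash-separated tokens, e.g. 'r-v2-c-R'."""
    return [ISAKMP_FLAGS.get(tok, f"unknown({tok})") for tok in flags.split("-")]


def decode_ipsec_flags(flags):
    """IPsec flags are single characters run together, e.g. 'UT2'."""
    return [IPSEC_FLAGS.get(ch, f"unknown({ch})") for ch in flags]


def parse_isakmp_sa(text):
    """Return one dict per data row of 'show crypto isakmp sa'."""
    rows = []
    for line in text.splitlines():
        m = _ISAKMP_ROW.match(line.strip())
        if m:
            init, resp, flags, start, priv = m.groups()
            rows.append({"initiator": init, "responder": resp, "flags": flags,
                         "decoded": decode_isakmp_flags(flags),
                         "start": start, "private_ip": priv})
    return rows


def parse_ipsec_sa(text):
    """Return one dict per data row of 'show crypto ipsec sa' (IKEv2 layout)."""
    rows = []
    for line in text.splitlines():
        m = _IPSEC_ROW.match(line.strip())
        if m:
            init, resp, spi_in, spi_out, flags, start, inner = m.groups()
            rows.append({"initiator": init, "responder": resp,
                         "spi_in": spi_in, "spi_out": spi_out, "flags": flags,
                         "decoded": decode_ipsec_flags(flags),
                         "start": start, "inner_ip": inner})
    return rows


def audit_rap_sessions(isakmp_rows):
    """Findings for the case in this thread: a RAP whose IKE SA was authenticated
    by certificate against a controller that, per the thread's answer, has no TPM
    (assumption of this example: that is the condition behind the failure)."""
    findings = []
    for r in isakmp_rows:
        decoded = set(r["decoded"])
        if "RAP" in decoded and "Certificate/RSA Signature" in decoded:
            findings.append(
                f"{r['initiator']}: RAP authenticated by certificate; on a VMC without a "
                "TPM the thread expects selfsigned_verify_failed, so provision the AP with "
                "PSK/username/password as a campus AP first")
    return findings


if __name__ == "__main__":
    for row in parse_isakmp_sa(SAMPLE_ISAKMP):
        print(row["initiator"], "->", row["responder"], ", ".join(row["decoded"]))
    for row in parse_ipsec_sa(SAMPLE_IPSEC):
        print(row["spi_in"], row["spi_out"], ", ".join(row["decoded"]))
    for finding in audit_rap_sessions(parse_isakmp_sa(SAMPLE_ISAKMP)):
        print("FINDING:", finding)
```

The IPsec flags "UT2" decode to UDP encapsulation, tunnel mode and IKEv2, which is consistent with the 1:1 NAT in front of the VMC described later in the thread; the audit only looks at the ISAKMP row, because the authentication method lives there.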



  • 2.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    EMPLOYEE
    Posted Jun 23, 2018 05:10 AM

    cloudq,

     

    You are in a chicken-and-egg situation:

     

    - A VMC does not have a TPM (trusted platform module) so you cannot just connect a remote AP using the RAP Console (which uses certificates).  That is why you are getting the selfsigned_verify_failed error.

     

    You would have to connect the RAP as a Campus AP to the VMC and then use a username/password preshared key to provision it.  If you can get the RAP on the same network as the VMC, you will then be able to enter the preshared key, username and password.  If you cannot do that, it would be impossible to connect the RAP the RAPConsole way, because the Rapconsole only uses certificates.



  • 3.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    EMPLOYEE
    Posted Jun 23, 2018 05:53 AM
    Hi

    I imagine that you could set up the RAP via CLI by stopping the boot process and entering the VMC IP address and username and password into the settings. On the VMC you then need to set up the user account for the RAP.

    At this moment I am not able to test this, family needs attention.

    Hope it helps.


  • 4.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    EMPLOYEE
    Posted Jun 23, 2018 06:02 AM

    There are a couple problems with that:

     

    1.  The user would need a console cable for the RAP109 to attempt this. 

     

    2.  In addition, the username is in cleartext, but the password and IKE preshared key are in an encrypted format that the user won't be able to enter via the console. That is why the user would need to provision the RAP function while the RAP109 is connected to the controller as a campus AP.

     

     



  • 5.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    EMPLOYEE
    Posted Jun 23, 2018 06:50 AM
    Hi

    Check.

    An unsafe and insecure temporary option could be to open the PAPI ports from the Internet to be able to get the RAP up as a CAP first and then provision it.

    And limit the ACL for the open PAPI port on source IP.


  • 6.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    Posted Jun 23, 2018 07:33 PM

    Could you tell us how to open the PAPI port?



  • 7.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    EMPLOYEE
    Posted Jun 23, 2018 07:39 PM
    Is there a firewall between the internet and the vmc?


  • 8.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    Posted Jun 23, 2018 07:55 PM

    Yes, there is a firewall with NAT between the VMC and the RAP.

     

    VMC vlan1 ip 172.31.5.51 

    VMC firewall IP 47.104.193.111

    There is 1:1 NAT between the VMC and the firewall.



  • 9.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    EMPLOYEE
    Posted Jun 23, 2018 08:06 PM

    Which ports are open in the access lists in the firewall?

     

     



  • 10.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    Posted Jun 23, 2018 08:16 PM

    Our firewall opens all UDP and TCP ports from 1-65535 for our IP address 47.104.193.111; we opened all inside and outside policies for TCP/UDP and some other protocols.

     

    (attached screenshot: Snap14.jpg)



  • 11.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    EMPLOYEE
    Posted Jun 23, 2018 08:43 PM

    Hi

     

    The VMC is 172.31.4.51 not 172.31.5.51.

     

     



  • 12.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    Posted Jun 23, 2018 09:49 PM

    Yes, our VMC local address is 172.31.4.51



  • 13.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    EMPLOYEE
    Posted Jun 23, 2018 07:44 PM
    Hi

    Have you tried to set up the RAP as a CAP pointing to the cloud VMC?

    Enter the master ip via ap boot setenv.

    Make sure that the vmc has cpsec turned off
    (Is this vmc in production yet?)


  • 14.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    Posted Jun 23, 2018 07:23 PM

    Dear Mr

     

    1. We indeed have the console cable, and we can also access apboot to do the setenv operation, but we do not know what we should input.

     

    2. We cannot access the VMC on the local network, because it is on a cloud server on the Internet. What should we do now?

     

    3. Can we imagine installing another VMC in our local network to set up the RAP, then connecting this RAP to the public-IP VMC over the Internet? Is this way workable?



  • 15.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    EMPLOYEE
    Posted Jun 23, 2018 07:41 PM
    Hi

    3 might work. Provision the RAP as a CAP on the local VMC, then provision it as a RAP with username and password. Make sure you enter the username and password in the cloud VMC.

    Hope this helps


  • 16.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    Posted Jun 23, 2018 07:18 PM

    Yes, we can access apboot from the console, and if you have any RAP in hand, we can tell you our VMC IP address and administrator username; you can try and help us.

     

    Our VMC public IP is 47.104.193.111; you can access it by HTTP or SSH.

    The manager username is admin and the password is 123456qq.

    You can try to check them. Thanks.



  • 17.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    EMPLOYEE
    Posted Jun 23, 2018 07:51 PM

    Please don't send usernames and passwords in posts, but in a private message.

     

     



  • 18.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    Posted Jun 23, 2018 07:53 PM

    Thanks for your advice, this platform is for our test only, so no problem.



  • 19.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    Posted Jun 23, 2018 07:57 PM

    We have told you our VMC IP and admin password; you can try to SSH or web login for testing. If you have some AP/RAP in hand, we just want to know how to finish our RAP provisioning.

     

    Our VMC cannot find our RAP now.



  • 20.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    EMPLOYEE
    Posted Jun 23, 2018 08:01 PM

    Do you know which ports are open in the firewall between the internet and the VMC?

     

    The VMC has a private IP address, so there is a firewall in between.

     

     



  • 21.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    EMPLOYEE
    Posted Jun 23, 2018 08:55 PM

    Hi

     

    At the moment I have tested with an old 105. I connected it to my lab MC (8.2.1.1), then provisioned it to your VMC.

    For the moment it doesn't connect correctly to your VMC.

     

    I can try again later, but for now I am going to sleep as it is 3am, sorry. Even I need some sleep :)



  • 22.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    EMPLOYEE
    Posted Jun 23, 2018 09:10 PM

    Hi

     

    If you don't need 8.3.0.0 because of newer APs (303, 345, 318), please use 8.2.1.1.

     

     



  • 23.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    Posted Jun 23, 2018 09:49 PM

    VMC 8.3 and 8.2.1 both support the AP105. I also use an AP105 and a RAP109; all of them use the same firmware from the VMC, mips32.ari.



  • 24.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    Posted Jun 23, 2018 09:55 PM

    (AOS83) [mynode] #show crypto ipsec sa

    IPSEC SA Active Session Information
    -----------------------------------
    Initiator IP Responder IP InitiatorID ResponderID Flags Start Time Inner IP
    ------------ ------------ ----------- ----------- ----- --------------- --------
    84.245.54.163 172.31.4.51 172.16.1.48/32 0.0.0.0/0 UT Jun 24 09:09:20 172.16.1.48

     

    Please check if the IP 84.245.54.163 is from you.



  • 25.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    EMPLOYEE
    Posted Jun 24, 2018 03:44 AM
    Yes

    That’s mine


  • 26.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    EMPLOYEE
    Posted Jun 24, 2018 01:42 PM

    Hi

     

    Both your AP and mine keep changing L2TP IP. Both are given the right system role when they are connected.

    Maybe packet loss is causing the issue of the IPsec tunnel flapping.

    As far as I see now, the last step or two steps are failing.

    (attached screenshot: Capture.JPG)



  • 27.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    EMPLOYEE
    Posted Jun 24, 2018 05:56 PM

    Hi

    Part of the log:

     

    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> InKe responder: grp:ike 2
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> IKE_checkGroup good dh:2
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> InKe precomputed pDHctx 0x2dafce0
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> InKe (initiator:NO) skipping DH2 and punting it to ikeDHTask
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> AUTH_HMAC_SHA1_96 DH_2 Notify: NAT_DETECTION_SOURCE_IP NAT_D (peer/NAT): 5d 18 be b0 4c 80
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> 50 c5 bd 06 a2 3c 83 7e 4e 62 c4 08 03 5f
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> Notify: NAT_DETECTION_DESTINATION_IP NAT_D (us/NAT): d9 bc a4 95 e8 9c 9a 9e f1 0a b8 57 74 7b
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> 23 ce df 84 84 69
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> InVid
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> VID: 40 48 b7 d5 6e bc e8 85 25 e7 de 7f 00 d6 c2 d3
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> Aruba Fragmentation request is received
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> Enabling Fragmentation for this SA
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> InVid
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> VID: ca 3e 2b 85 4b a8 03 00 17 dc 10 23 a4 fd e2 04 1f 9f 74 63
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> Aruba RAP detected
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> InVid
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> VID: bb 4f ff d1 8f 6e c5 b1 be ee 5e e1 11 38 4d 8f 69 37 28 bb 24 f2 7f ca f2 2a
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> check_aruba_vid: aruba ap eth0 mac address 24f27fcaf22a
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> InVid
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> VID: 46 a2 59 57 34 2a e8 09 8e ec e5 b9 f9 9f 0c 8c d4 f1 3d ba 96 16 f2 f9 0a 1b 88 ae 31
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> check_aruba_vid: vlen 29 aruba ap cookie 9616f2f90a1b88ae ap err 31
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> Logging AP Error Vendor ID in debug infra
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> InVid
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> VID: 17 25 f0 89 27 42 ea 52 3b 79 ec 84 8c 97 20 1a 30 94 d6 c5
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> Detected peer using TPM
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> IKE2_msgRecv_resume:DH SW accel pending enqueue it
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> enqueueToIkeTask: IKE Msg added to queue of thread IKE_DH2Task:1 do sem_post
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> udp_encap_handle_message IKEv2 pkt status:0
    Jun 25 05:52:05 :103063: <4495> <DBUG> |ike| ikeTaskMain() message recieved IKE_DH2Task:1.
    Jun 25 05:52:05 :103063: <4495> <DBUG> |ike| ikeTaskMain(): message type:1 ike_msg_id cookie 246e4314:e167.
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| ipc_ike_recv_packet:ike_msg_id cookie 246e4314:e167.
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| OutTfm_R
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| OutKe Responder grp:ike 2
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| <-- R NAT_D (us): 3d e4 fb 69 8b 0b 65 a3 90 48 4f e4 99 57 c2 88 7a 80 5f b8
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| NAT_D (peer): 65 5c 85 60 42 9c f0 9f e8 28 40 1c 1a ab d3 d8 58 df 52 e9
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| OutVid: added Fragmentation vendor-id
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| #SEND 525 bytes to 36.110.67.20(57703) (11912.121)
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| IKE_SAMPLE_ikeXchgSend: server instance 0
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| cleanup_and_free_context delete ctx memory
    Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| initR_in_Continued: IKE2_msgRecv_resume status:0
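The controller's IKE debug log above carries the facts a troubleshooter wants in one place: which peer, which role, the DH group, whether NAT detection payloads were exchanged, the AP's MAC from the Aruba vendor ID, the AP error vendor ID value, and whether the peer reported a TPM. The following Python is an added example (not code from the post, nor an HPE Aruba tool) that parses lines in this log format and folds them into a per-peer summary. The sample is a subset of the lines above; the line regex and the summary field names are assumptions of this example.

```python
import re

# Constructed sample: a subset of the controller's IKE debug lines from the post.
SAMPLE_LOG = """\
Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> InKe responder: grp:ike 2
Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> IKE_checkGroup good dh:2
Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> AUTH_HMAC_SHA1_96 DH_2 Notify: NAT_DETECTION_SOURCE_IP NAT_D (peer/NAT): 5d 18 be b0 4c 80
Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> Notify: NAT_DETECTION_DESTINATION_IP NAT_D (us/NAT): d9 bc a4 95 e8 9c 9a 9e f1 0a b8 57 74 7b
Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> Aruba Fragmentation request is received
Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> Enabling Fragmentation for this SA
Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> Aruba RAP detected
Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> check_aruba_vid: aruba ap eth0 mac address 24f27fcaf22a
Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> check_aruba_vid: vlen 29 aruba ap cookie 9616f2f90a1b88ae ap err 31
Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| 36.110.67.20:57703-> Detected peer using TPM
Jun 25 05:52:05 :103063: <4495> <DBUG> |ike| ikeTaskMain() message recieved IKE_DH2Task:1.
Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| #SEND 525 bytes to 36.110.67.20(57703) (11912.121)
Jun 25 05:52:05 :103063: <3883> <DBUG> |ike| initR_in_Continued: IKE2_msgRecv_resume status:0
"""

# One log line: timestamp, message id, thread id, level, process, optional "ip:port-> ", text.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{2}:\d{2}:\d{2}) :(?P<msgid>\d+): "
    r"<(?P<tid>\d+)> <(?P<level>\w+)> \|(?P<proc>\w+)\| "
    r"(?:(?P<peer>\d+\.\d+\.\d+\.\d+:\d+)-> )?(?P<msg>.*)$")


def parse_ike_log(text):
    """Return a list of dicts, one per line that matches the log format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def _new_peer():
    return {"role": None, "dh_group": None, "nat_d_payloads": 0, "fragmentation": False,
            "rap": False, "ap_mac": None, "ap_cookie": None, "ap_err": None,
            "peer_tpm": False, "bytes_sent": 0}


def summarize_ike_exchange(text):
    """Fold the per-line events into one summary dict per peer (ip:port)."""
    peers = {}
    for ev in parse_ike_log(text):
        msg, peer = ev["msg"], ev["peer"]
        if peer is None:
            # Lines without a peer prefix still name the peer in a #SEND message.
            m = re.match(r"#SEND (\d+) bytes to ([\d.]+)\((\d+)\)", msg)
            if m:
                peer = f"{m.group(2)}:{m.group(3)}"
                peers.setdefault(peer, _new_peer())["bytes_sent"] += int(m.group(1))
            continue
        p = peers.setdefault(peer, _new_peer())
        m = re.match(r"InKe (\w+): grp:ike (\d+)", msg)
        if m:
            p["role"], p["dh_group"] = m.group(1), int(m.group(2))
        elif "NAT_DETECTION_" in msg:
            p["nat_d_payloads"] += 1
        elif msg.startswith("Enabling Fragmentation"):
            p["fragmentation"] = True
        elif msg == "Aruba RAP detected":
            p["rap"] = True
        elif msg == "Detected peer using TPM":
            p["peer_tpm"] = True
        elif (m := re.search(r"ap eth0 mac address ([0-9a-f]{12})", msg)):
            raw = m.group(1)
            p["ap_mac"] = ":".join(raw[i:i + 2] for i in range(0, 12, 2))
        elif (m := re.search(r"aruba ap cookie (\w+) ap err (\w+)", msg)):
            p["ap_cookie"], p["ap_err"] = m.group(1), m.group(2)
    return peers


if __name__ == "__main__":
    for peer, info in summarize_ike_exchange(SAMPLE_LOG).items():
        print(peer)
        for key, value in info.items():
            print(f"  {key:15} {value}")
```

Two NAT_D payloads on the peer side confirm that NAT detection ran for this exchange, matching the UDP-encapsulation flag in the IPsec SA table earlier in the thread. The `ap err` value is kept as the raw string the controller logged; this example does not interpret it.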

     

     



  • 28.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    Posted Jun 25, 2018 09:00 AM

    Please check your AP. I have tun0 up and got the IP address, but I still cannot see my AP in the VMC.

     

    tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
    inet addr:172.16.200.86 P-t-P:172.16.200.86 Mask:255.255.255.255
    UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1300 Metric:1
    RX packets:0 errors:0 dropped:0 overruns:0 frame:0
    TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
    collisions:0 txqueuelen:64
    RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

    ~ # route -n
    Kernel IP routing table
    Destination Gateway Genmask Flags Metric Ref Use Iface
    47.104.193.111 172.16.5.1 255.255.255.255 UGH -3 0 0 br0
    172.31.4.51 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
    172.16.5.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
    192.168.11.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
    0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 tun0
    0.0.0.0 172.16.5.1 0.0.0.0 UG -3 0 0 br0
    ~ #
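The tun0 and route output above is the classic "tunnel up, AP still missing" picture: IPsec negotiated and the inner interface has an address, yet the counters show zero packets. The following Python is an added example (not from the post, nor an HPE Aruba tool) that parses this ifconfig and `route -n` output and runs the sanity checks a RAP's routing must pass: the controller's public IP must be reached over the physical uplink (not through the tunnel it anchors), the controller's inner address must be reachable via the tunnel, a default route through the tunnel should exist when split tunneling is not in use, and an UP tunnel that has carried no packets at all is flagged. The sample is the output from the post; the check list and message wording are assumptions of this example.

```python
import re

# Constructed sample: the RAP's tun0 and route table from the post, verbatim.
IFCONFIG_TUN0 = """\
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:172.16.200.86 P-t-P:172.16.200.86 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1300 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:64
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
"""
ROUTE_TABLE = """\
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
47.104.193.111 172.16.5.1 255.255.255.255 UGH -3 0 0 br0
172.31.4.51 0.0.0.0 255.255.255.255 UH 0 0 0 tun0
172.16.5.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
192.168.11.0 0.0.0.0 255.255.255.0 U 0 0 0 br0
0.0.0.0 0.0.0.0 0.0.0.0 U 0 0 0 tun0
0.0.0.0 172.16.5.1 0.0.0.0 UG -3 0 0 br0
"""

_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_routes(text):
    """Parse 'route -n' output into a list of route dicts (header rows are skipped)."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) == 8 and _IPV4.match(f[0]):
            routes.append({"dest": f[0], "gateway": f[1], "genmask": f[2],
                           "flags": f[3], "metric": int(f[4]), "iface": f[7]})
    return routes


def parse_tunnel_iface(text):
    """Pull the fields that matter from one ifconfig interface block."""
    def grab(pattern, conv=str):
        m = re.search(pattern, text)
        return conv(m.group(1)) if m else None
    return {
        "inet": grab(r"inet addr:(\S+)"),
        "mtu": grab(r"MTU:(\d+)", int),
        "up": re.search(r"^\s*UP\b", text, re.M) is not None,
        "rx_packets": grab(r"RX packets:(\d+)", int),
        "tx_packets": grab(r"TX packets:(\d+)", int),
    }


def check_rap_tunnel(routes, tun, controller_public_ip, controller_inner_ip):
    """Return a list of human-readable issues; an empty list means the routing looks sane."""
    issues = []
    outer = [r for r in routes if r["dest"] == controller_public_ip]
    if not outer:
        issues.append(f"no host route for controller public IP {controller_public_ip}; "
                      "IKE/ESP to the controller would follow the default route")
    elif any(r["iface"].startswith("tun") for r in outer):
        issues.append(f"controller public IP {controller_public_ip} is routed into the tunnel "
                      "itself, so encapsulated packets would be re-encapsulated")
    inner = [r for r in routes if r["dest"] == controller_inner_ip]
    if not any(r["iface"].startswith("tun") for r in inner):
        issues.append(f"controller inner address {controller_inner_ip} has no route via the tunnel")
    if not any(r["dest"] == "0.0.0.0" and r["iface"].startswith("tun") for r in routes):
        issues.append("no default route via the tunnel (traffic would bypass the controller)")
    if not tun["up"]:
        issues.append("tunnel interface is not UP")
    elif tun["rx_packets"] == 0 and tun["tx_packets"] == 0:
        issues.append(f"tunnel is UP with inner IP {tun['inet']} but has carried 0 packets "
                      "in either direction; IPsec negotiated, yet nothing crossed it")
    return issues


if __name__ == "__main__":
    found = check_rap_tunnel(parse_routes(ROUTE_TABLE), parse_tunnel_iface(IFCONFIG_TUN0),
                             "47.104.193.111", "172.31.4.51")
    for issue in found or ["no routing issues found"]:
        print("-", issue)
```

For the output in the post the checks pass except the last one, which is exactly the symptom the poster describes: the tunnel is up but nothing has crossed it, so the problem lies beyond the IPsec layer rather than in the RAP's routing.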



  • 29.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    EMPLOYEE
    Posted Jun 25, 2018 10:13 AM

    Hi,

     

    My AP shows the same.

     

     



  • 30.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    Posted Jun 23, 2018 09:52 PM

    VMC vlan1 ip 172.31.4.51 

    VMC firewall IP 47.104.193.111

     

    You can give us your 105's MAC address; we can add it to the whitelist.



  • 31.  RE: How to provision RAP via Internet? Does anybody have the experience and can help us?

    Posted Jun 23, 2018 07:16 PM

    Dear Cjoseph

     

    1. We are very happy to get your reply with very important information, as follows:

    - A VMC does not have a TPM (trusted platform module) so you cannot just connect a remote AP using the RAP Console (which uses certificates).  That is why you are getting the selfsigned_verify_failed error.

    And now we know the reason why we cannot connect to the VMC.

    2. Just as you say, we cannot access the VMC on the same local network, because our VMC is on a cloud server on the Internet.

     

    You would have to connect the RAP as a Campus AP to the VMC and then use a username/password preshared key to provision it.  If you can get the RAP on the same network as the VMC, you will then be able to enter the preshared key, username and password.  If you cannot do that, it would be impossible to connect the RAP the RAPConsole way, because the Rapconsole only uses certificates.

     

    Are there any other ways to do this? We can only connect to our VMC from the Internet.