Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

IPsec vs GRE for APs to controller - which one would Aruba recommend

  • 1.  IPsec vs GRE for APs to controller - which one would Aruba recommend

    Posted Jun 09, 2016 09:44 PM

    Dear All,

     

    If CPsec is not enabled, an AP will build GRE tunnels to the controller for each of its BSSIDs.

    If CPsec is enabled, the AP still builds GRE tunnels to the controller for each of its BSSIDs.

    #show datapath tunnel table | include <IP_address_of_AP>

     :

     :

    and I can see Protocol = 47 in the output.

     

    But when CPsec is enabled, #show crypto ipsec sa is telling me that each AP has an IPsec tunnel to the controller.

     

    What is the use of this IPsec from the AP to the controller? MTU seems to be default at 1500 for Campus AP and this is standard for L3.

    Are all BSSID GREs now going into this IPsec and getting the traffic encrypted?

     

    Thanks in advance,

    Kenneth

     



  • 2.  RE: IPsec vs GRE for APs to controller - which one would Aruba recommend

    EMPLOYEE
    Posted Jun 09, 2016 09:49 PM

    Turning on CPSEC only encrypts control plane traffic between the AP and the Controller, NOT data traffic. That is still sent over GRE. Without CPSEC, control plane traffic is sent using PAPI UDP 8211.



  • 3.  RE: IPsec vs GRE for APs to controller - which one would Aruba recommend

    Posted Jun 09, 2016 10:57 PM
    CPSec simply encrypts the control plane between the AP and Controller.

    To have the GRE tunnels wrapped inside IPSec, you would set the AP mode to RAP. Think of CPsec as a half step in that direction, while also enabling some modes like bridge or decrypt-tunnel where having the control plane secured (but not necessarily the data plane) could be beneficial.
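
Added example, not part of any post in this thread: a small audit script that labels AP-to-controller packets by their outer headers and reports which of the modes described above a capture corresponds to. Protocol 47 and UDP 8211 come from the thread; ESP (IP protocol 50) and UDP 4500 are the standard IPsec values and are assumptions here, as are the addresses and the sample packets, which are constructed.

```python
import struct
from collections import Counter

PAPI_PORT = 8211   # cleartext control plane port named in the thread
NATT_PORT = 4500   # assumption: standard IPsec NAT-T port, not stated in the thread
AP, CTRL = "10.0.0.50", "10.0.0.10"   # constructed addresses

def ipv4(proto, payload=b"", src=AP, dst=CTRL):
    """Build a minimal IPv4 packet (checksum left at 0) for the constructed samples."""
    addr = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, addr(src), addr(dst)) + payload

def udp(port):
    """UDP header only, same source and destination port, checksum 0."""
    return struct.pack("!HHHH", port, port, 8, 0)

def classify(pkt):
    """Label one raw IPv4 packet using only its outer headers."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "other"
    ihl, proto = (pkt[0] & 0x0F) * 4, pkt[9]
    if proto == 47:                      # GRE, as seen in the datapath tunnel table
        return "gre"
    if proto == 50:                      # native ESP
        return "ipsec"
    if proto == 17 and len(pkt) >= ihl + 4:
        ports = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if PAPI_PORT in ports:
            return "papi-clear"
        if NATT_PORT in ports:
            return "ipsec"
    return "other"

def assess(packets):
    """Summarise what an on-path observer sees between one AP and the controller."""
    seen = Counter(classify(p) for p in packets)
    if seen["papi-clear"]:
        return "control plane cleartext (CPsec off)"
    if seen["ipsec"] and seen["gre"]:
        return "control plane in IPsec, data plane in bare GRE (CPsec on)"
    if seen["ipsec"]:
        return "only IPsec visible (GRE wrapped inside, RAP-style)"
    return "inconclusive"

# Constructed captures, one per mode discussed in the thread.
CPSEC_OFF = [ipv4(17, udp(PAPI_PORT)), ipv4(47)]
CPSEC_ON = [ipv4(17, udp(NATT_PORT)), ipv4(47)]
RAP_MODE = [ipv4(17, udp(NATT_PORT)), ipv4(50)]
```

Bare protocol 47 packets alongside IPsec in a capture mean client data still crosses that segment outside the tunnel, which is the distinction the replies draw between CPsec and RAP mode.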