Occasional Contributor II
Posts: 21
Registered: ‎05-16-2011

IPsec vs GRE for APs to controller - which one would Aruba recommend

Dear All,

 

If CPsec is not enabled, an AP will build GRE tunnels to the controller for each of its BSSIDs.

If CPsec is enabled, the AP still builds GRE tunnels to the controller for each of its BSSIDs.

#show datapath tunnel table | include <IP_address_of_AP>

 :

 :

and I can see Protocol = 47 in the output.

 

But when CPsec is enabled, #show crypto ipsec sa is telling me that each AP has an IPsec tunnel to the controller.

 

What is the use of this IPsec from the AP to the controller? MTU seems to be default at 1500 for Campus AP and this is standard for L3.

Are all BSSID GREs now going into this IPsec and getting their traffic encrypted?

 

Thanks in advance,

Kenneth

 

Guru Elite
Posts: 21,270
Registered: ‎03-29-2007

Re: IPsec vs GRE for APs to controller - which one would Aruba recommend

Turning on CPSEC only encrypts control plane traffic between the AP and the Controller, NOT data traffic. That is still sent over GRE. Without CPSEC, control plane traffic is sent using PAPI UDP 8211.



Colin Joseph
Aruba Customer Engineering


Guest Blogger
Posts: 1
Registered: ‎06-09-2016

Re: IPsec vs GRE for APs to controller - which one would Aruba recommend

CPSec simply encrypts the control plane between the AP and Controller.

To have the GRE tunnels wrapped inside IPSec, you would set the AP mode to RAP. Think of CPsec as a half step in that direction, while also enabling some modes like bridge or decrypt-tunnel where having the control plane secured (but not necessarily the data plane) could be beneficial.
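
Added example, not part of any post above and not Aruba code: a small Python audit that labels raw IPv4 packets captured between an AP and the controller as GRE data plane (protocol 47), cleartext PAPI control plane (UDP 8211) or IPsec, so the split described in the replies can be checked on the wire. The function names, the sample packets and the treatment of ESP (protocol 50) and UDP 4500 as the IPsec carriers are assumptions made for the example.

```python
import struct

PAPI_PORT = 8211    # from the thread: control plane without CPsec
NAT_T_PORT = 4500   # assumption: IPsec may be UDP-encapsulated (NAT-T)
GRE, ESP, UDP = 47, 50, 17

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet seen between an AP and the controller."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4          # header length, options included
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]
    if proto == GRE:
        return "data-gre"
    if proto == ESP:
        return "ipsec"
    if proto == UDP and len(packet) >= ihl + 4:
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        if PAPI_PORT in (sport, dport):
            return "control-papi-cleartext"
        if NAT_T_PORT in (sport, dport):
            return "ipsec"
    return "other"

def audit(packets, cpsec_enabled: bool):
    """Count labels and report what contradicts the expected CPsec state."""
    counts = {}
    for pkt in packets:
        label = classify(pkt)
        counts[label] = counts.get(label, 0) + 1
    findings = []
    if cpsec_enabled and counts.get("control-papi-cleartext"):
        findings.append("cleartext PAPI seen although CPsec is enabled")
    if counts.get("data-gre"):
        findings.append("GRE visible on the wire: data plane is outside IPsec")
    return counts, findings

def ipv4(proto, payload=b"", options=b""):
    """Build a constructed IPv4 packet (checksum left at zero)."""
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0,
                      20 + len(options) + len(payload), 0, 0, 64, proto, 0,
                      bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return hdr + options + payload

def udp(sport, dport):
    return struct.pack("!HHHH", sport, dport, 8, 0)

# Constructed sample: what a campus AP with CPsec on is expected to send.
SAMPLE = [ipv4(GRE, b"\x00" * 8), ipv4(ESP), ipv4(UDP, udp(4500, 4500))]
```
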