06-09-2016 06:43 PM
If CPsec is not enabled, an AP will build GRE tunnels to the controller for each of its BSSIDs.
If CPsec is enabled, the AP still builds GRE tunnels to the controller for each of its BSSIDs.
#show datapath tunnel table | include <IP_address_of_AP>
and I can see Protocol = 47 in the output.
But when CPsec is enabled, #show crypto ipsec sa is telling me that each AP has an IPsec tunnel to the controller.
What is the use of this IPsec from the AP to the controller? MTU seems to be default at 1500 for Campus AP and this is standard for L3.
Are all BSSID GREs now going into this IPsec and getting the traffic encrypted?
Thanks in advance,
06-09-2016 06:48 PM
Turning on CPSEC only encrypts control plane traffic between the AP and the Controller, NOT data traffic. That is still sent over GRE. Without CPSEC, control plane traffic is sent using papi UDP 8211.
Aruba Customer Engineering
06-09-2016 07:57 PM
To have the GRE tunnels wrapped inside IPSec, you would set the AP mode to RAP. Think of CPsec as a half step in that direction, while also enabling some modes like bridge or decrypt-tunnel where having the control plane secured (but not necessarily the data plane) could be beneficial.
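The split described in this thread can be checked from a packet capture taken between an AP and its controller. The following is an added example, not part of the thread and not Aruba code: it labels raw IPv4 packets as GRE data plane (protocol 47), PAPI outside IPsec (UDP 8211), or IPsec. It assumes IPsec shows up as ESP (IP protocol 50) or as NAT-T on UDP 4500; the function names and the 10.0.0.x addresses are constructed for the demo.

```python
import struct
from collections import Counter

GRE, ESP, UDP = 47, 50, 17            # IP protocol numbers
PAPI_PORT, NAT_T_PORT = 8211, 4500    # 4500 (IPsec NAT-T) is an assumption here

def classify(pkt: bytes) -> str:
    """Label one raw IPv4 packet seen between an AP and its controller."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4         # header length; options are skipped
    if ihl < 20 or len(pkt) < ihl:
        return "malformed"
    proto = pkt[9]
    if proto == GRE:
        return "gre-data"
    if proto == ESP:
        return "ipsec"
    if proto == UDP:
        if len(pkt) < ihl + 8:
            return "malformed"
        sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
        if PAPI_PORT in (sport, dport):
            return "papi-cleartext"
        if NAT_T_PORT in (sport, dport):
            return "ipsec"
    return "other"

def ipv4(proto, payload=b"", src="10.0.0.50", dst="10.0.0.1"):
    """Build a constructed IPv4 packet (checksum left at 0) for the demo."""
    addr = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0)
    return hdr + addr(src) + addr(dst) + payload

def udp(sport, dport, data=b"x"):
    """Build a constructed UDP datagram (checksum left at 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def audit(packets, cpsec_enabled):
    """Count traffic classes and report what the thread says to expect."""
    counts = Counter(classify(p) for p in packets)
    findings = []
    if cpsec_enabled and counts["papi-cleartext"]:
        findings.append("PAPI seen outside IPsec although CPsec is enabled")
    if counts["gre-data"]:
        findings.append("data plane carried in GRE outside IPsec (campus AP)")
    return counts, findings

if __name__ == "__main__":
    capture = [ipv4(GRE, b"\x00" * 8), ipv4(UDP, udp(4500, 4500))]  # constructed
    print(audit(capture, cpsec_enabled=True))
```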