Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Master - Local topology "disconnected" when activating Site-To-Site

  • 1.  Master - Local topology "disconnected" when activating Site-To-Site

    Posted Oct 26, 2016 01:11 AM

    I am facing an issue when configuring and connecting Site-to-Site between the master and local controllers.

    All controllers have been configured with the S2S VPN, and the tests run as expected. A private client from A can ping/RDP to a client on B.


    The problem is that the "master-local" connection is shown as disconnected when I enable the S2S VPN. On the master monitoring page, the local controller and APs are down.


    CONTROLLER MASTER 
    Aruba 7210
    Aruba OS 6.4.4.9
    
    CONTROLLER LOCAL
    ARUBA 7210
    ARUBA OS 6.4.4.9
    
    MASTER S2S CONFIG
    crypto-local isakmp key [********] fqdn-any
    crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
    crypto-local ipsec-map dyn-sts 100
      set ikev1-policy 0
      peer-ip 0.0.0.0
      peer-fqdn fqdn-id 100                           
      vlan 0
      src-net 192.168.0.0 255.255.255.0
      dst-net 192.168.101.0 255.255.255.0
      set transform-set "default-transform" 
      pre-connect disable
      factory-cert-auth disable
      trusted enable
      uplink-failover disable
      ip-compression disable
      force-natt enable
    !
    
    
    LOCAL S2S CONFIG
    crypto-local isakmp key [*******] address [pbl.ip.mastr] netmask 255.255.255.255
    crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
    crypto-local ipsec-map dyn-sts 100
      set ikev1-policy 0
      peer-ip [pbl.ip.mastr]
      local-fqdn 100                                  
      vlan 100
      src-net 192.168.101.0 255.255.255.0
      dst-net 192.168.0.0 255.255.255.0
      set transform-set "default-transform" 
      pre-connect enable
      factory-cert-auth disable
      trusted enable
      uplink-failover disable
      ip-compression disable
      force-natt enable
    !
    
    
    (LOCAL) #show crypto isakmp sa
    
    ISAKMP SA Active Session Information
    ------------------------------------
    Initiator IP     Responder IP   Flags       Start Time      Private IP      
    ------------     ------------   -----     ---------------   ----------      
    192.168.100.254  [pbl.ip.mastr] i-a-p     Oct 26 11:00:39          -         
    
    
    (LOCAL) #show crypto ipsec sa
    
    IPSEC SA Active Session Information
    -----------------------------------
    Initiator IP     Responder IP     InitiatorID         ResponderID         Flags    Start Time      Inner IP      
    ------------     ------------     -----------         -----------         -----  ---------------   --------
    192.168.100.254  [pbl.ip.mastr]   192.168.101.0/24    192.168.0.0/24      UT     Oct 26 10:49:36     -              
    
    (MASTER) # show crypto isakmp sa
    
    ISAKMP SA Active Session Information
    ------------------------------------
    Initiator IP     Responder IP   Flags       Start Time      Private IP      
    ------------     ------------   -----     ---------------   ----------      
    [pbl.ip.lcl]    172.16.0.2     r-a-p     Oct 26 11:10:41          -         
    
    
    
    (MASTER) #show crypto ipsec sa
    
    IPSEC SA Active Session Information
    -----------------------------------
    Initiator IP     Responder IP     InitiatorID         ResponderID         Flags    Start Time      Inner IP      
    ------------     ------------     -----------         -----------         -----  ---------------   --------
    [pbl.ip.lcl]    172.16.0.2       192.168.101.0/24    192.168.0.0/24      UT     Oct 26 10:59:38     -              

    Is it possible to set up S2S between master and local without breaking "the" master-local connection?

    Thanks

    Yopianus Linga



  • 2.  RE: Master - Local topology "disconnected" when activating Site-To-Site

    EMPLOYEE
    Posted Oct 26, 2016 05:24 AM

    By default, a master/local has a site-to-site VPN already set up. Why not reuse that connection for traffic? Type "show ip route" to see what routes are available. You can then write a route for whatever network you want to traverse over the IPsec connection.



  • 3.  RE: Master - Local topology "disconnected" when activating Site-To-Site

    Posted Oct 26, 2016 11:52 AM

    Hi Colin,

    I have checked the ip route output, and only the local controller has an ip route to "default-local-master-ipsec" listed; on the master controller, no ip route is defined using ipsec.

    The master has a static public IP address while the local has a dynamic address.

    On the local, I have set a static route to the master-local subnet through IPsec and it connected, but not the other way around.

    On the master, do I have to define the local controller using its public IP?

    Here is the output from both controllers regarding the IPSEC-MAP.

    (MASTER) #show crypto-local ipsec-map

    Crypto Map Template"default-local-master-ipsecmap" 9999
         IKE Version: 1
         IKEv1 Policy: All
         Security association lifetime seconds : [300 -86400]
         Security association lifetime kilobytes: N/A
         PFS (Y/N): N
         Transform sets={ default-ml-transform }
         Peer gateway: 0.0.0.0
         Interface: VLAN 0
         Source network: 0.0.0.0/0.0.0.0
         Destination network: 0.0.0.0/0.0.0.0
         Pre-Connect (Y/N): N
         Tunnel Trusted (Y/N): Y
         Forced NAT-T (Y/N): N
         Uplink Failover (Y/N): N
         IP Compression (Y/N): Y

    (MASTER) #

    (MASTER) #show ip route

    Codes: C - connected, O - OSPF, R - RIP, S - static
           M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch

    Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
    Gateway of last resort is 172.16.0.1 to network 0.0.0.0 at cost 1
    S*    0.0.0.0/0  [1/0] via 172.16.0.1*
    ------> no ipsec

    (MASTER) #


    (LOCAL) #show crypto-local ipsec-map

    Crypto Map Template"default-local-master-ipsecmap" 9999
         IKE Version: 1
         IKEv1 Policy: All
         Security association lifetime seconds : [300 -86400]
         Security association lifetime kilobytes: N/A
         PFS (Y/N): N
         Transform sets={ default-ml-transform }
         Peer gateway: [pbl.ip.mastr]
         Interface: VLAN 0
         Source network: 192.168.100.254/255.255.255.255
         Destination network: 192.168.10.1/255.255.255.255
         Pre-Connect (Y/N): Y
         Tunnel Trusted (Y/N): Y
         Forced NAT-T (Y/N): N
         Uplink Failover (Y/N): N
         IP Compression (Y/N): Y

    (LOCAL) #

    (LOCAL) #show ip route

    Codes: C - connected, O - OSPF, R - RIP, S - static
           M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch

    Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
    Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
    Gateway of last resort is 192.168.100.1 to network 0.0.0.0 at cost 10
    S*    0.0.0.0/0  [10/0] via 192.168.100.1*
    S    192.168.0.0/24 [1/0] ipsec map default-local-master-ipsecmap  --> the default ipsec
    --
    --
    C    192.168.10.1/32 is an ipsec map default-local-master-ipsecmap --> new ip route through ipsec

    (LOCAL) #

    Thanks

    Yopianus Linga
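As an added example that is not part of the thread, the following Python parses ArubaOS "show ip route" output of the kind posted above (the sample tables are constructed from the LOCAL and MASTER output, annotations dropped) and reports, for a destination address, whether the controller forwards it into an IPsec map or out a plain next hop. Run against both sides it makes the asymmetry in the reply visible: the local routes 192.168.0.0/24 over default-local-master-ipsecmap, while the master has no IPsec route for 192.168.101.0/24 and sends it to its default gateway.

```python
"""Added example (not from the thread): parse ArubaOS 'show ip route' output and
report whether a destination is forwarded into an IPsec map or to a next hop."""
import ipaddress
import re

# Sample routing tables, constructed from the (LOCAL) and (MASTER) output in the
# thread (the poster's inline "-->" annotations are dropped).
LOCAL_ROUTES = """\
S*    0.0.0.0/0  [10/0] via 192.168.100.1*
S    192.168.0.0/24 [1/0] ipsec map default-local-master-ipsecmap
C    192.168.10.1/32 is an ipsec map default-local-master-ipsecmap
"""
MASTER_ROUTES = """\
S*    0.0.0.0/0  [1/0] via 172.16.0.1*
"""

# One route line: code, prefix, optional [distance/metric], then either a next hop
# or an IPsec map ("ipsec map X" for static, "is an ipsec map X" for connected).
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z])\*?\s+(?P<prefix>\d+(?:\.\d+){3}/\d+)\s+"
    r"(?:\[\d+/\d+\]\s+)?"
    r"(?:via\s+(?P<nexthop>[\d.]+)|(?:is an\s+)?ipsec map\s+(?P<ipsecmap>\S+))"
)


def parse_routes(text):
    """Return dicts with 'code', 'prefix', 'nexthop' and 'ipsec_map' for each route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:  # "Codes:" and "Gateway of last resort" lines do not match and are skipped
            routes.append({"code": m.group("code"),
                           "prefix": ipaddress.ip_network(m.group("prefix")),
                           "nexthop": m.group("nexthop"),
                           "ipsec_map": m.group("ipsecmap")})
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst; None only if no route (not even a default) covers it."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r["prefix"]]
    return max(candidates, key=lambda r: r["prefix"].prefixlen, default=None)


def ipsec_map_for(routes, dst):
    """Name of the IPsec map dst is forwarded into, or None when it leaves via a next hop."""
    r = lookup(routes, dst)
    return r["ipsec_map"] if r else None
```

For the sample tables, ipsec_map_for(parse_routes(LOCAL_ROUTES), "192.168.0.10") returns "default-local-master-ipsecmap", while ipsec_map_for(parse_routes(MASTER_ROUTES), "192.168.101.10") returns None because the only matching route is the default via 172.16.0.1.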