Wireless Access

Frequent Contributor I
Posts: 72
Registered: ‎02-28-2012

Master - Local topology "disconnected" when activating Site-To-Site


I am facing an issue when configuring and connecting Site-to-Site between master and local controllers.

All controllers have been configured with the S2S VPN, and tests run as expected. A private client on A can ping/RDP to a client on B.

The problem is that the "master-local" connection shows as disconnected when I enable the S2S VPN. On the master's monitoring page, the local controller and its APs are down.

CONTROLLER MASTER 
Aruba 7210
Aruba OS 6.4.4.9

CONTROLLER LOCAL
ARUBA 7210
ARUBA OS 6.4.4.9

MASTER S2S CONFIG
crypto-local isakmp key [********] fqdn-any
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto-local ipsec-map dyn-sts 100
  set ikev1-policy 0
  peer-ip 0.0.0.0
  peer-fqdn fqdn-id 100
  vlan 0
  src-net 192.168.0.0 255.255.255.0
  dst-net 192.168.101.0 255.255.255.0
  set transform-set "default-transform"
  pre-connect disable
  factory-cert-auth disable
  trusted enable
  uplink-failover disable
  ip-compression disable
  force-natt enable
!


LOCAL S2S CONFIG
crypto-local isakmp key [*******] address [pbl.ip.mastr] netmask 255.255.255.255
crypto ipsec transform-set default-aes esp-aes256 esp-sha-hmac
crypto-local ipsec-map dyn-sts 100
  set ikev1-policy 0
  peer-ip [pbl.ip.mastr]
  local-fqdn 100
  vlan 100
  src-net 192.168.101.0 255.255.255.0
  dst-net 192.168.0.0 255.255.255.0
  set transform-set "default-transform"
  pre-connect enable
  factory-cert-auth disable
  trusted enable
  uplink-failover disable
  ip-compression disable
  force-natt enable
!


(LOCAL) #show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP   Flags       Start Time      Private IP      
------------     ------------   -----     ---------------   ----------      
192.168.100.254  [pbl.ip.mastr] i-a-p     Oct 26 11:00:39          -         


(LOCAL) #show crypto ipsec sa

IPSEC SA Active Session Information
-----------------------------------
Initiator IP     Responder IP     InitiatorID         ResponderID         Flags    Start Time      Inner IP      
------------     ------------     -----------         -----------         -----  ---------------   --------
192.168.100.254  [pbl.ip.mastr]   192.168.101.0/24    192.168.0.0/24      UT     Oct 26 10:49:36     -              

(MASTER) # show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP   Flags       Start Time      Private IP      
------------     ------------   -----     ---------------   ----------      
[pbl.ip.lcl]    172.16.0.2     r-a-p     Oct 26 11:10:41          -         



(MASTER) #show crypto ipsec sa

IPSEC SA Active Session Information
-----------------------------------
Initiator IP     Responder IP     InitiatorID         ResponderID         Flags    Start Time      Inner IP      
------------     ------------     -----------         -----------         -----  ---------------   --------
[pbl.ip.lcl]    172.16.0.2       192.168.101.0/24    192.168.0.0/24      UT     Oct 26 10:59:38     -              

Is it possible to set up S2S between master and local without breaking the master-local connection?

Thanks

Yopianus Linga

Guru Elite
Posts: 21,587
Registered: ‎03-29-2007

Re: Master - Local topology "disconnected" when activating Site-To-Site

By default, a master/local has a site-to-site VPN already set up. Why not reuse that connection for traffic? Type "show ip route" to see what routes are available. You can then write a route for whatever network you want to traverse over the IPsec connection.


Colin Joseph
Aruba Customer Engineering


Frequent Contributor I
Posts: 72
Registered: ‎02-28-2012

Re: Master - Local topology "disconnected" when activating Site-To-Site

Hi Colin,

I have checked the ip route output; only the local controller has an ip route to "default-local-master-ipsec" listed, while on the master controller no ip route is defined using IPsec.

The master has a static public IP address, while the local has a dynamic address.

On the local, I have set a static route to the master-local subnet through IPsec and it connected, but not the other way around.

On the master, do I have to define the local controller using its public IP?

Here is the output of both controllers regarding the IPSEC-MAP.

(MASTER) #show crypto-local ipsec-map

Crypto Map Template"default-local-master-ipsecmap" 9999
     IKE Version: 1
     IKEv1 Policy: All
     Security association lifetime seconds : [300 -86400]
     Security association lifetime kilobytes: N/A
     PFS (Y/N): N
     Transform sets={ default-ml-transform }
     Peer gateway: 0.0.0.0
     Interface: VLAN 0
     Source network: 0.0.0.0/0.0.0.0
     Destination network: 0.0.0.0/0.0.0.0
     Pre-Connect (Y/N): N
     Tunnel Trusted (Y/N): Y
     Forced NAT-T (Y/N): N
     Uplink Failover (Y/N): N
     IP Compression (Y/N): Y

(MASTER) #

(MASTER) #show ip route

Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch

Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
Gateway of last resort is 172.16.0.1 to network 0.0.0.0 at cost 1
S*    0.0.0.0/0  [1/0] via 172.16.0.1*
------> no ipsec

(MASTER) #


(LOCAL) #show crypto-local ipsec-map

Crypto Map Template"default-local-master-ipsecmap" 9999
     IKE Version: 1
     IKEv1 Policy: All
     Security association lifetime seconds : [300 -86400]
     Security association lifetime kilobytes: N/A
     PFS (Y/N): N
     Transform sets={ default-ml-transform }
     Peer gateway: [pbl.ip.mastr]
     Interface: VLAN 0
     Source network: 192.168.100.254/255.255.255.255
     Destination network: 192.168.10.1/255.255.255.255
     Pre-Connect (Y/N): Y
     Tunnel Trusted (Y/N): Y
     Forced NAT-T (Y/N): N
     Uplink Failover (Y/N): N
     IP Compression (Y/N): Y

(LOCAL) #

(LOCAL) #show ip route

Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch

Gateway of last resort is Imported from DHCP to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from CELL to network 0.0.0.0 at cost 10
Gateway of last resort is Imported from PPPOE to network 0.0.0.0 at cost 10
Gateway of last resort is 192.168.100.1 to network 0.0.0.0 at cost 10
S*    0.0.0.0/0  [10/0] via 192.168.100.1*
S    192.168.0.0/24 [1/0] ipsec map default-local-master-ipsecmap  --> the default ipsec
--
--
C    192.168.10.1/32 is an ipsec map default-local-master-ipsecmap --> new ip route through ipsec

(LOCAL) #

Thanks

Yopianus Linga
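The check Colin describes (look at "show ip route" on each side and add a route over the existing master-local IPsec map) and the asymmetry visible in the follow-up output (the local routes 192.168.0.0/24 over default-local-master-ipsecmap, while the master has no IPsec route back) can be scripted. The following is an added example, not code from the thread or from Aruba: it parses "show ip route" text in the format the two controllers printed above, using constructed samples that mirror those outputs, and reports which side lacks a return route over the map. The "ip route <net> <mask> ipsec <map>" command it suggests, and the subnets it assumes (192.168.101.0/24 behind the local, 192.168.0.0/24 behind the master), are assumptions taken from the thread, not verified syntax.

```python
"""Audit return routes over the existing master/local IPsec map.

Added example for this thread, not code from the original posts or from
Aruba. It parses 'show ip route' text in the format the two controllers
printed above and reports networks that one side routes over an ipsec map
while the other side has no matching route back. The sample outputs are
constructed to mirror the thread: the local routes 192.168.0.0/24 over
default-local-master-ipsecmap; the master has no ipsec route at all.
"""
import ipaddress
import re

IPSEC_MAP = "default-local-master-ipsecmap"

# Route lines that point at an ipsec map, as printed by 'show ip route', e.g.
#   S    192.168.0.0/24 [1/0] ipsec map default-local-master-ipsecmap
#   C    192.168.10.1/32 is an ipsec map default-local-master-ipsecmap
ROUTE_RE = re.compile(
    r"^\s*[A-Z*]+\s+(?P<net>\d+\.\d+\.\d+\.\d+/\d+)\s+.*?ipsec map\s+(?P<map>\S+)"
)

# Constructed sample: the local's table, modelled on the output in the thread.
LOCAL_SHOW_IP_ROUTE = """\
Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch

Gateway of last resort is 192.168.100.1 to network 0.0.0.0 at cost 10
S*    0.0.0.0/0  [10/0] via 192.168.100.1*
S    192.168.0.0/24 [1/0] ipsec map default-local-master-ipsecmap
C    192.168.10.1/32 is an ipsec map default-local-master-ipsecmap
"""

# Constructed sample: the master's table, which has no ipsec route.
MASTER_SHOW_IP_ROUTE = """\
Codes: C - connected, O - OSPF, R - RIP, S - static
       M - mgmt, U - route usable, * - candidate default, V - RAPNG VPN/Branch

Gateway of last resort is 172.16.0.1 to network 0.0.0.0 at cost 1
S*    0.0.0.0/0  [1/0] via 172.16.0.1*
"""


def parse_ipsec_routes(show_ip_route: str) -> dict:
    """Return {ip_network: ipsec_map_name} for every route that uses an ipsec map."""
    routes = {}
    for line in show_ip_route.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            routes[ipaddress.ip_network(m.group("net"))] = m.group("map")
    return routes


def missing_return_routes(routes_here: dict, nets_behind_peer, map_name: str) -> list:
    """Networks behind the peer that this side does not route over map_name."""
    return [
        net
        for net in (ipaddress.ip_network(n) for n in nets_behind_peer)
        if routes_here.get(net) != map_name
    ]


def suggest_routes(missing, map_name: str) -> list:
    """ArubaOS static-route-over-IPsec lines for each missing network.

    The 'ip route <net> <mask> ipsec <map>' form is an assumption based on the
    'S ... ipsec map <name>' entries the local printed; verify it against the
    CLI reference for your ArubaOS release before pasting it in.
    """
    return [f"ip route {n.network_address} {n.netmask} ipsec {map_name}" for n in missing]


def audit(local_out: str, master_out: str, local_nets, master_nets,
          map_name: str = IPSEC_MAP) -> dict:
    """Check both directions: local must reach master_nets, master must reach local_nets."""
    local_routes = parse_ipsec_routes(local_out)
    master_routes = parse_ipsec_routes(master_out)
    return {
        "local_missing": missing_return_routes(local_routes, master_nets, map_name),
        "master_missing": missing_return_routes(master_routes, local_nets, map_name),
    }


if __name__ == "__main__":
    # Subnets assumed from the thread: 192.168.101.0/24 behind the local,
    # 192.168.0.0/24 behind the master.
    result = audit(LOCAL_SHOW_IP_ROUTE, MASTER_SHOW_IP_ROUTE,
                   local_nets=["192.168.101.0/24"], master_nets=["192.168.0.0/24"])
    for side in ("local", "master"):
        missing = result[f"{side}_missing"]
        print(f"{side}: {'ok' if not missing else 'missing return routes'}")
        for cmd in suggest_routes(missing, IPSEC_MAP):
            print("  " + cmd)
```

Run as-is it flags the master as missing a return route to 192.168.101.0/24; replace the constructed samples with real "show ip route" output to audit a live pair. One caveat: the master's default-local-master-ipsecmap has peer gateway 0.0.0.0 because the local's public address is dynamic, and the thread does not establish whether ArubaOS 6.4.x accepts a static route over a map with a dynamic peer, so treat the suggested command as something to confirm against the CLI reference rather than a verified fix.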
