Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Virtual Mobility Controller and IAP-VPN

  • 1.  Virtual Mobility Controller and IAP-VPN

    Posted Mar 27, 2017 09:01 AM

    Hi,

     

    I tried the VMC (Virtual Mobility Controller) 8.0.1 with IAP-VPN but it doesn't work...

     

    I get the following error in the security log:

    isakmpd[5126]: <103061> <5126> <ERRS> |ike|   IKE_CUSTOM_useCert: can't find Server-Cert

     

    Any idea?



  • 2.  RE: Virtual Mobility Controller and IAP-VPN

    Posted Apr 24, 2017 11:14 PM

    This must be something to do with the fact that the x86 VMC doesn't have a TPM / factory cert.

     

    I'm getting exactly the same behaviour when trying to convert an IAP-207 to a RAP:

     

    From Controller:

    Apr 25 15:08:58 <isakmpd 103061> <5314> <ERRS> |ike| IKE_CUSTOM_useCert: can't find Server-Cert
    Apr 25 15:10:02 <isakmpd 103061> <5314> <ERRS> |ike| IKE_CUSTOM_useCert: can't find Server-Cert
    Apr 25 15:11:05 <isakmpd 103061> <5314> <ERRS> |ike| IKE_CUSTOM_useCert: can't find Server-Cert

     

    2017-04-25 03:09:32 ConnectTo: <public IP>
    2017-04-25 03:09:32 SEND: cf1a3837ac4d970a : 0000000000000000 , np=33, EXHG: IKE_SA_INIT
    2017-04-25 03:09:33 RECV: cf1a3837ac4d970a : 0000000000000000 , np=41, EXHG: IKE_SA_INIT
    2017-04-25 03:09:33 SEND: cf1a3837ac4d970a : 0000000000000000 , np=41, EXHG: IKE_SA_INIT
    2017-04-25 03:09:33 RECV: cf1a3837ac4d970a : 9d7fafd274f753f0 , np=33, EXHG: IKE_SA_INIT
    2017-04-25 03:09:33 SEND: cf1a3837ac4d970a : 9d7fafd274f753f0 , np=46, EXHG: IKE_AUTH
    2017-04-25 03:09:37 SEND: cf1a3837ac4d970a : 9d7fafd274f753f0 , np=46, EXHG: IKE_AUTH
    2017-04-25 03:09:43 SEND: cf1a3837ac4d970a : 9d7fafd274f753f0 , np=46, EXHG: IKE_AUTH
    2017-04-25 03:09:48 SEND: cf1a3837ac4d970a : 9d7fafd274f753f0 , np=46, EXHG: IKE_AUTH
    2017-04-25 03:09:53IKE FAILED err: RC_ERROR_IKEP2_PKT1
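The two logs above tell one story when read together: the IAP completes IKE_SA_INIT (a responder SPI is assigned), then retransmits IKE_AUTH with no reply while the controller logs that it cannot find a Server-Cert. The following is an added example, not code from the thread or from Aruba, that correlates constructed samples of both logs (modelled on the lines posted above) and reports the failure pattern; the regexes and the sample lines are my own assumptions.

```python
import re
from collections import Counter

# Constructed sample input modelled on the controller and IAP lines posted in this thread.
CONTROLLER_LOG = """\
Apr 25 15:08:58 <isakmpd 103061> <5314> <ERRS> |ike| IKE_CUSTOM_useCert: can't find Server-Cert
Apr 25 15:10:02 <isakmpd 103061> <5314> <ERRS> |ike| IKE_CUSTOM_useCert: can't find Server-Cert
"""
IAP_TRACE = """\
2017-04-25 03:09:32 SEND: cf1a3837ac4d970a : 0000000000000000 , np=33, EXHG: IKE_SA_INIT
2017-04-25 03:09:33 RECV: cf1a3837ac4d970a : 9d7fafd274f753f0 , np=33, EXHG: IKE_SA_INIT
2017-04-25 03:09:33 SEND: cf1a3837ac4d970a : 9d7fafd274f753f0 , np=46, EXHG: IKE_AUTH
2017-04-25 03:09:37 SEND: cf1a3837ac4d970a : 9d7fafd274f753f0 , np=46, EXHG: IKE_AUTH
2017-04-25 03:09:53IKE FAILED err: RC_ERROR_IKEP2_PKT1
"""

# Controller side: the isakmpd message that says no server certificate is available for IKE.
CERT_ERR = re.compile(r"<isakmpd 103061>.*IKE_CUSTOM_useCert: can't find Server-Cert")
# IAP side: direction, initiator SPI, responder SPI and the IKEv2 exchange type.
EXCHG = re.compile(r"(SEND|RECV): ([0-9a-f]{16}) : ([0-9a-f]{16}) , np=\d+, EXHG: (\w+)")


def count_missing_server_cert(log):
    """Number of controller log lines reporting a missing Server-Cert."""
    return sum(1 for line in log.splitlines() if CERT_ERR.search(line))


def summarize_ike(trace):
    """Per-exchange SEND/RECV counts, the responder SPI once assigned, and the failure flag."""
    sends, recvs, spi_r = Counter(), Counter(), None
    for line in trace.splitlines():
        m = EXCHG.search(line)
        if not m:
            continue
        direction, _spi_i, rspi, exchange = m.groups()
        if rspi != "0" * 16:  # a non-zero responder SPI means IKE_SA_INIT got a real answer
            spi_r = rspi
        (sends if direction == "SEND" else recvs)[exchange] += 1
    return {"spi_r": spi_r, "sends": dict(sends), "recvs": dict(recvs),
            "failed": "IKE FAILED" in trace}


def diagnose(controller_log, iap_trace):
    """Name the failure when IKE_SA_INIT succeeded but IKE_AUTH is never answered."""
    s = summarize_ike(iap_trace)
    cert_errors = count_missing_server_cert(controller_log)
    if s["spi_r"] and s["sends"].get("IKE_AUTH", 0) and not s["recvs"].get("IKE_AUTH") and cert_errors:
        return "server-cert-missing"  # controller cannot authenticate itself, so IKE_AUTH stalls
    return "other"
```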

     

     



  • 3.  RE: Virtual Mobility Controller and IAP-VPN

    MVP GURU
    Posted Jun 29, 2017 12:45 PM

    @Anonymous wrote:

    This must be something to do with the fact that the x86 VMC doesn't have a TPM / factory cert.



    Yes...

     

    No news/ideas?



  • 4.  RE: Virtual Mobility Controller and IAP-VPN

    Posted Jul 21, 2017 02:00 PM

    Anything new on this VPN issue with Virtual Controller to solve?

     

    Att,

    apaiva



  • 5.  RE: Virtual Mobility Controller and IAP-VPN

    MVP GURU
    Posted Aug 10, 2017 10:51 AM

    @apaiva@arpsist.com.br wrote:

    Anything new on this VPN issue with Virtual Controller to solve?

     

    Att,

    apaiva


    Got feedback from TAC: need to try with a custom certificate...



  • 6.  RE: Virtual Mobility Controller and IAP-VPN

    Posted Sep 06, 2017 12:10 PM

    Hello,

     

    It seems that IAP VPN is only supported on hardware controllers.

     

    http://www.arubanetworks.com/techdocs/ArubaOS_801_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/IAP VPN Support/IAP_VPN_Support.htm%3FTocPath%3DArubaOS%2520User%2520Guide%7CInstant%2520AP%2520VPN%2520Support%7C_____0

     

     
    IAP VPN is supported only on hardware mobility controllers (7000 Series and 7200 Series) including controllers that are stand-alone or managed by Mobility Master. However, IAP VPN termination is not currently supported on virtual mobility controllers. Masters (Mobility Master and Master Controller Mode) do not support any AP termination including campus APs, remote APs and IAP VPN tunnels.



  • 7.  RE: Virtual Mobility Controller and IAP-VPN

    MVP GURU
    Posted Sep 18, 2017 11:49 AM

    Yes, it is only supported on hardware controllers...

     

    but you can use a GRE tunnel!



  • 8.  RE: Virtual Mobility Controller and IAP-VPN

    Posted May 07, 2018 08:03 AM

    Hello there

    How can I start with a GRE tunnel between an IAP and a virtual controller ver. 8.3? It's not working for me.



  • 9.  RE: Virtual Mobility Controller and IAP-VPN

    EMPLOYEE
    Posted May 07, 2018 08:26 AM

    Please see the "ArubaOS 8.3.0.x User Guide.pdf" guide here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/29620/Default.aspx Download the PDF and go to Chapter 45 (page 1019), "Instant IAP-VPN Support" to get started. There is a subsection called "VPN configuration" that describes how to configure IAP-VPN.



  • 10.  RE: Virtual Mobility Controller and IAP-VPN

    MVP GURU
    Posted May 25, 2018 05:05 AM

    @cjoseph wrote:

    Please see the "ArubaOS 8.3.0.x User Guide.pdf" guide here: https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/EntryId/29620/Default.aspx Download the PDF and go to Chapter 45 (page 1019), "Instant IAP-VPN Support" to get started. There is a subsection called "VPN configuration" that describes how to configure IAP-VPN.


    There is only

     

    Starting from ArubaOS 8.3.0.0, IAP-VPN is supported on Mobility Controller Virtual Appliance by using default
    self-signed certificate (Aruba PKI). For Instant AP to establish IPsec connection with Mobility Controller Virtual
    Appliance, the controller presents a default self-signed certificate which is uploaded on the Instant AP using
    Activate.

     

    It would be nice to have a real example...



  • 11.  RE: Virtual Mobility Controller and IAP-VPN

    Posted Oct 26, 2018 06:42 AM

    Same problem here. Is there a certificate required to be deployed to the IAPs? How would you do that by using Aruba Activate? Didn't find any rule which would fit this requirement... Maybe we also need a 'crypto isakmp ca' installed on the VMC?

     

    Any advice would be really helpful.



  • 12.  RE: Virtual Mobility Controller and IAP-VPN

    Posted Oct 26, 2018 07:51 AM

    Hi,

    I was able to resolve without the certificate as follows:

     

    1. Create a user and password on the internal base of the controller (Configuration > Authentication > Auth Servers > All Server > Internal > User + "user+password+role_authentication");


    2. Create a "Shared Secrets" in VPN Services (Configuration > Services > VPN > Shared Secrets > IKE Shared Secrets + Subnet:0.0.0.0 | Subnet mask: 0.0.0.0 | Representation type: Text-based | "password");


    3. Convert the IAP to CAP mode (an IAP cannot be converted to RAP mode directly);


    4. With the AP converted to CAP mode on the controller, convert it to RAP mode by entering the user information + the IKE PSK shared secret (Configuration > Access Points > Campus APs > "Select AP Campus" > Provision > Remote_AP_Yes > Remote AP Authentication Method: "Pre-shared Key").

     

     



  • 13.  RE: Virtual Mobility Controller and IAP-VPN

    Posted Oct 26, 2018 08:31 AM

    Thanks @apaiva for your detailed workaround. But the customer would require a solution which scales better to deploy multiple batches of IAPs for IAP-VPN.



  • 14.  RE: Virtual Mobility Controller and IAP-VPN

    Posted Oct 26, 2018 09:32 AM
    1. With this virtual solution I am suffering a lot.... Unfortunately I could only solve it that way. You can even batch convert IAPs (cluster) to CAP, but CAP to RAP only individually.

       

       

    2. I have two open cases for the virtual controller:

      1. About Fallback mode for Wired ports (model IAP-205H and IAP-303H). Where LAN ports do not navigate in fallback mode;

      2. Navigation problem in tunnel mode, when using port aggregation in VMware.

    Maybe somebody can help me! :)



  • 15.  RE: Virtual Mobility Controller and IAP-VPN

    MVP GURU
    Posted Oct 30, 2018 11:08 AM

    @apaiva wrote:
    1. With this virtual solution I am suffering a lot.... Unfortunately I could only solve it that way. You can even batch convert IAPs (cluster) to CAP, but CAP to RAP only individually.

       

       

    2. I have two open cases for the virtual controller:

      1. About Fallback mode for Wired ports (model IAP-205H and IAP-303H). Where LAN ports do not navigate in fallback mode;

       

      2. Navigation problem in tunnel mode, when using port aggregation in VMware.

    Maybe somebody can help me! :)


    For 2.2 (VMware), is it not an MTU issue?

     

    And yes, if you are using RAP, it is better to use hardware controller...



  • 16.  RE: Virtual Mobility Controller and IAP-VPN

    Posted Oct 30, 2018 01:07 PM

    Hi @alagoutte

     

    This MTU in the controller configuration and in VMware has already been adjusted by Aruba support:

    Aruba:
    Configuration> AP Groups> "MyGroup"> Profile> AP> AP System> "RAP MTU" and "SAP MTU". Unsuccessfully.

    VMware:
    Edit Advanced vSphere Distributed Switch Settings

    Procedure:
    1. Log in to the vSphere Client and select the Networking inventory view;
    2. Right-click the vSphere distributed switch in the inventory pane, and select Edit Settings;

    3. Select Advanced to edit the following vSphere distributed switch settings.
    Unsuccessfully.

     

    Thanks for the suggestion.

    Regarding RAP, we can not buy hardware. No way.



  • 17.  RE: Virtual Mobility Controller and IAP-VPN

    MVP GURU
    Posted Oct 31, 2018 04:54 AM

    Where is the port aggregation used?



  • 18.  RE: Virtual Mobility Controller and IAP-VPN

    Posted Oct 31, 2018 07:43 AM

    Hi @alagoutte,

     

    In the controller there are no aggregated ports; we are only using the ge-0/0/0 interface. This aggregation is performed on the physical ports of the blade server (v-switch), which has an internal v-switch to the network core switch (which has aggregation and a VLAN trunk for all). Isolation has already been tried using only 1 v-switch interface, but the problem has not been solved.

    At this same customer, there is a server with VMware (which is not a blade) where we restored the same settings (of the ArubaOS that is in trouble) and it works normally, without any problem in the navigation of the device.

     

    att,

    apaiva



  • 19.  RE: Virtual Mobility Controller and IAP-VPN

    MVP GURU
    Posted Oct 31, 2018 11:38 AM

    OK, it is very specific... need to check with TAC



  • 20.  RE: Virtual Mobility Controller and IAP-VPN

    Posted Mar 06, 2020 06:50 AM

    Is there any other way to set up the VPN than deploying certificates with Activate? Can the certificates be deployed with AirWave in RW mode? Is it mandatory to use Activate?



  • 21.  RE: Virtual Mobility Controller and IAP-VPN

    MVP GURU
    Posted Mar 06, 2020 07:40 AM

    You can deploy the certificate using AirWave.



  • 22.  RE: Virtual Mobility Controller and IAP-VPN

    Posted Mar 09, 2020 04:43 AM

    Do you know which certificate upload option is the one to be used? I already asked that before but no one replied. Is it the custom SSL cert?

     

    https://community.arubanetworks.com/t5/Wireless-Access/VMC-Scalability-for-IAP-VPN-and-Multizone/td-p/433954#

     

    Thank you very much.



  • 23.  RE: Virtual Mobility Controller and IAP-VPN

    MVP GURU
    Posted Mar 09, 2020 05:52 AM

    For me, it is the Server Cert.



  • 24.  RE: Virtual Mobility Controller and IAP-VPN

    Posted Mar 09, 2020 06:00 AM

    Thank you very much. Pity the config is not more straightforward on cert configuration for the VPN connection. I will give it a try as soon as the customer green-lights the test.



  • 25.  RE: Virtual Mobility Controller and IAP-VPN

    Posted Sep 11, 2020 12:30 AM

    Hi JoseAngel, were you able to get this working? 

     

    Can you take me through what you did?

     

    Scott



  • 26.  RE: Virtual Mobility Controller and IAP-VPN

    Posted May 28, 2023 03:05 PM

    Old thread, but I'm trying to do something similar.
    Trying to set up a lab IAP-VPN to a virtual controller using a public certificate from Let's Encrypt.
    But I haven't got it working. Is Activate required? Any details on where the cert is pushed and configured? Seems like it should be doable manually?

    I've added a cert to IAP tunnel use here:

    and added a cert to the vmc here:



    Still I get this in controller errorlog:
    May 28 21:01:29 2023 <isakmpd 103061>  <5426> <ERRS> |ike|   IKE_CUSTOM_useCert: can't find Server-Cert

    Any tips, or do you think this isn't going to work? It's just a lab for me, so no need to be supported or stable :)




  • 27.  RE: Virtual Mobility Controller and IAP-VPN

    MVP EXPERT
    Posted Jun 05, 2023 09:19 AM

    It has changed slightly now: with an IAP to Virtual Mobility Controller VPN you need to have the IAP registered with Activate, and then the certificate is uploaded to Activate via the API call. Activate will then push the certificate to the IAP.

    API to add TA certificate-example




  • 28.  RE: Virtual Mobility Controller and IAP-VPN

    Posted Aug 01, 2023 07:50 AM

    Have you done this? I cannot get it to work, not sure how to do the whole process tbh.




  • 29.  RE: Virtual Mobility Controller and IAP-VPN

    EMPLOYEE
    Posted Aug 01, 2023 07:27 PM

    AFAIK, the VMC supports IAP-VPN deployment.


