Aruba RAP 205H IPSec with Aruba ACR license

Hi,

I have a problem with an Aruba RAP 205H IPSec tunnel while using an Aruba ACR license and a specific IKE Policy.
So, the ACR license is installed on the 7010 controller and I have configured the specific IKE Policy with these settings:

IKE V2
Encryption AES256
Hash Algorithm SHA2-256-128
Authentication RSA
Diffie Hellman Group Group20
PRF PRF-HMAC-SHA256
Life Time Default

I have noticed that if I use Hash Algorithm SHA2-256-128 instead of SHA1-96 the RAP cannot build the IPSec tunnel to the controller.
Also, if I use PRF-HMAC-SHA256 instead of PRF-HMAC-SHA1 the RAP cannot build the IPSec tunnel to the controller.

Am I missing something there, or are there some limitations such that the RAP 205H cannot operate an IPSec tunnel with those settings?

Here is a working one:
(nuuskamuikkunen) #show crypto ipsec sa peer 81.20.229.136

 Initiator IP: 81.20.229.136
 Responder IP: 10.206.134.131
 Initiator: No
 SA Creation Date: Thu Nov 30 13:53:52 2017
 Life secs: 7200
 Exchange Type: IKE_SA (IKEV2)
 Phase2 Transform:Encryption Alg: AES 256 Authentication Alg: SHA1
 Encapsulation Mode Tunnel
 IP Compression Disabled
 PFS: no
 IN SPI: ABE98500, OUT SPI: 98B58D00
 CFG Inner-IP 1.1.1.24
 Responder IP: 10.206.134.131


(nuuskamuikkunen) #show crypto isakmp sa peer 81.20.229.136

 Initiator IP: 81.20.229.136
 Responder IP: 10.206.134.131
 Initiator: No
 Initiator cookie:986718f9510323dd Responder cookie:793b2369bf0e2cdb
 SA Creation Date: Thu Nov 30 13:53:52 2017
 Life secs: 28800
 Initiator Phase1 ID: CN=DN0067150::00:0b:86:f7:54:ca
 Responder Phase1 ID: CN=CG0015514::00:0b:86:df:81:60 L=SW
 Exchange Type: IKE_SA (IKEV2)
 Phase1 Transform:EncrAlg:AES256 HashAlg:HMAC_SHA1_96 DHGroup:20
 Authentication Method: RSA Digital Signature 2048-bits
 CFG Inner-IP 1.1.1.24
 IPSEC SA Rekey Number: 0
 Aruba AP

Here is the non-working one:

(nuuskamuikkunen) #show crypto ipsec sa peer 81.20.229.136

% No active IPSEC SA for 81.20.229.136

(nuuskamuikkunen) #show crypto isakmp sa peer 81.20.229.136

 Initiator IP: 81.20.229.136
 Responder IP: 10.206.134.131
 Initiator: No
 Initiator cookie:0acba72279694d9e Responder cookie:1b6824b4e76e589d
 SA Creation Date: Mon Oct 16 00:04:39 2017
 Life secs: 28800
 Initiator Phase1 ID:
 Responder Phase1 ID:
 Exchange Type: IKE_SA (IKEV2)
 Phase1 Transform:
 IPSEC SA Rekey Number: 0


(nuuskamuikkunen) #
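
The two `show crypto isakmp sa` outputs above differ in whether the Phase1 ID and Phase1 Transform fields are filled in. As an added example (not part of the original post and not Aruba code), this Python sketch parses text of that shape and flags entries with those fields empty, and entries whose transform lists a SHA1 hash. The sample input is constructed with placeholder addresses and names, and the finding labels are hypothetical.

```python
# Constructed sample shaped like the two "show crypto isakmp sa" outputs in the
# post; addresses and certificate names are placeholders, not values from it.
SAMPLE = """\
 Initiator IP: 192.0.2.10
 Responder IP: 198.51.100.5
 Initiator Phase1 ID: CN=EXAMPLE-AP::00:00:5e:00:53:01
 Responder Phase1 ID: CN=EXAMPLE-CTRL::00:00:5e:00:53:02
 Exchange Type: IKE_SA (IKEV2)
 Phase1 Transform:EncrAlg:AES256 HashAlg:HMAC_SHA1_96 DHGroup:20

 Initiator IP: 192.0.2.11
 Responder IP: 198.51.100.5
 Initiator Phase1 ID:
 Responder Phase1 ID:
 Exchange Type: IKE_SA (IKEV2)
 Phase1 Transform:
"""

def parse_isakmp_sas(text):
    """One dict per SA; a new SA starts at each 'Initiator IP:' line."""
    sas = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue  # prompts, blank lines, lines without a field separator
        if key == "Initiator IP":
            sas.append({})
        if sas:
            sas[-1][key] = value.strip()
    return sas

def assess(sa):
    """Return finding labels (hypothetical names) for one parsed SA."""
    findings = []
    if not sa.get("Initiator Phase1 ID") or not sa.get("Responder Phase1 ID"):
        findings.append("EMPTY_PHASE1_ID")
    # "EncrAlg:AES256 HashAlg:HMAC_SHA1_96 DHGroup:20" -> {"EncrAlg": "AES256", ...}
    pairs = [p.split(":", 1) for p in sa.get("Phase1 Transform", "").split()]
    transform = dict(p for p in pairs if len(p) == 2)
    if not transform:
        findings.append("EMPTY_TRANSFORM")
    elif "SHA1" in transform.get("HashAlg", ""):
        findings.append("SHA1_HASH")
    return findings

if __name__ == "__main__":
    for sa in parse_isakmp_sas(SAMPLE):
        print(sa["Initiator IP"], assess(sa) or "ok")
```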

 

 
