Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ipsec between aruba controllers

  • 1.  ipsec between aruba controllers

    Posted Feb 28, 2018 04:20 AM

    hello airheads,

    does anyone know if you can set up an ipsec tunnel between two controllers. NOT a site-site but need to map a VLAN from head office to a controller network. I know you can do a GRE tunnel but that has problems across NATted boundaries.

     



  • 2.  RE: ipsec between aruba controllers

    MVP EXPERT
    Posted Feb 28, 2018 04:38 AM


  • 3.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 04:51 AM

    thanks for getting back.

    i'm not sure if it does help.

    That refers to site-site vpn's.

    what i'm looking for is layer 2



  • 4.  RE: ipsec between aruba controllers

    MVP
    Posted Feb 28, 2018 05:31 AM

    I've been using gre tunnels to do this.

    Have a look at http://community.arubanetworks.com/t5/Wireless-Access/L2-GRE-keepalive/td-p/188868 



  • 5.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 05:35 AM

    thanks for getting back.

    GRE was my first thought but i remember a few years back that there was a problem with Aruba GRE tunnels over NATted boundary.

    was that something to do with the keep-alives?

     



  • 6.  RE: ipsec between aruba controllers

    MVP
    Posted Feb 28, 2018 05:45 AM

    Apologies, I should have read your entire post.

    Not sure with GRE over NAT, might very well be problematic. Never had to do this so don't have anything useful to tell you here.

     

     

    @Craig Syme's solution seems workable. Create a site to site VPN and set up the gre tunnel through that?

     



  • 7.  RE: ipsec between aruba controllers

    MVP EXPERT
    Posted Feb 28, 2018 05:47 AM

    Hey, GRE will not survive a NAT boundary so you will need to look at IPSEC. I believe IPSEC should work as you can simply route the VLAN via the tunnel.



  • 8.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 05:52 AM

    ok thank you,

    just wanted to know how do you set up the IPSEC tunnel between two controllers?



  • 9.  RE: ipsec between aruba controllers

    MVP EXPERT
    Posted Feb 28, 2018 05:57 AM

    Hey, the link previously posted details the configuration steps. If not you can find it in each of the User Guides for the respective ArubaOS release.



  • 10.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 06:02 AM

    i read that but isn't that to do with site-site vpn's?

    couldn't see how to do what i was trying to achieve.

     

     



  • 11.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 06:12 AM

    Hi Pete,

     

    You can set up a VPN tunnel between the controllers first and within that tunnel you can create a L2 GRE tunnel to transport the vlan between the sites.

     

    Jonas



  • 12.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 06:39 AM

    thanks Jonas for getting back to me.

    i guess this is something i can try in our lab.

    Is it a setup you have tried?



  • 13.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 06:42 AM

    Pete,

     

    Yes, I have tried it and used it in production deployments too.

     

    /Jonas



  • 14.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 06:43 AM

    thanks Jonas,

    do you have a config doc for this?

     



  • 15.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 06:54 AM

    Hi Pete,

     

    We do have a solution for this in Aruba Solution Exchange.

     

    https://ase.arubanetworks.com/solutions/id/116

     

    This will help you create the config and also have it documented :)

     

    /Jonas



  • 16.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 07:11 AM

    this certainly looks like what i need.

    can i just clarify: in the configuration notes below it says set up the GRE tunnel with the same Source/Destination networks as IPSEC.

    Is this right?

     

    CONFIGURATION NOTES

    Site-to-site IPSEC vpn is configured with source/destination networks on the private Vlans. L2 GRE is configured with the same Source/Destination networks as IPSEC. 

    At headquarter, Controller also has private/public Vlans. Guest users in a private vlan. Guest Vlan is extended to Guest anchor controller through L2 GRE.

    At Datacenter/DMZ, guest anchor controller has both private/public Vlans.



  • 17.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 07:19 AM

    Yes, you should build the l2 gre tunnel between the inner IPs of the IPSEC, so in that case it is correct. So you should not for example set source/destinations network for the gre as the network tunneled over. controller don't care. Depending on what you are trying to achieve, you then redirect traffic into that tunnel based on role or similar. I think it was a role config for redirecting traffic into the tunnel in the solution.

     

    /Jonas

     

     

     

     



  • 18.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 07:24 AM

    thanks Jonas,

    here's my thinking:-

    Site-site between controllers with the public IP addresses of the headquarters and DMZ as the destination ip.

    GRE tunnel between the controller private ip addresses.

    how does this sound?

    pete
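
The layout discussed in the last few posts (site-to-site IPsec between the public addresses, L2 GRE between inner IPs that fall inside the IPsec source/destination networks) can be sanity-checked before deployment. This is an added example, not part of the thread or of the Aruba Solution Exchange config; the `Site` fields, function names and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass
class Site:
    name: str
    ipsec_src_net: str    # local protected network in the site-to-site map
    ipsec_dst_net: str    # remote protected network
    ipsec_peer_ip: str    # outer (public) address of the other controller
    gre_source: str       # L2 GRE tunnel source
    gre_destination: str  # L2 GRE tunnel destination

def site_findings(s):
    """Check that one controller's GRE endpoints sit inside its IPsec networks."""
    src, dst = ipaddress.ip_network(s.ipsec_src_net), ipaddress.ip_network(s.ipsec_dst_net)
    g_src, g_dst = ipaddress.ip_address(s.gre_source), ipaddress.ip_address(s.gre_destination)
    out = []
    if g_src not in src:
        out.append(f"{s.name}: GRE source {g_src} is outside IPsec source network {src}")
    if g_dst not in dst:
        out.append(f"{s.name}: GRE destination {g_dst} is outside IPsec destination network {dst}")
    if g_dst == ipaddress.ip_address(s.ipsec_peer_ip):
        out.append(f"{s.name}: GRE destination is the outer peer address, not an inner IP")
    return out

def pair_findings(a, b):
    """Per-site checks plus: both ends must mirror each other."""
    out = site_findings(a) + site_findings(b)
    net, addr = ipaddress.ip_network, ipaddress.ip_address
    if net(a.ipsec_src_net) != net(b.ipsec_dst_net) or net(a.ipsec_dst_net) != net(b.ipsec_src_net):
        out.append("IPsec source/destination networks are not mirrored between the sites")
    if addr(a.gre_source) != addr(b.gre_destination) or addr(a.gre_destination) != addr(b.gre_source):
        out.append("GRE source/destination are not mirrored between the sites")
    return out

# Constructed sample values (RFC 1918 / RFC 5737 documentation addresses).
HQ = Site("hq", "10.10.0.0/24", "10.20.0.0/24", "203.0.113.20", "10.10.0.1", "10.20.0.1")
DMZ = Site("dmz", "10.20.0.0/24", "10.10.0.0/24", "198.51.100.10", "10.20.0.1", "10.10.0.1")
# Misconfiguration: GRE pointed at the peer's public address instead of its inner IP.
HQ_BAD = replace(HQ, gre_destination="203.0.113.20")

if __name__ == "__main__":
    for label, pair in (("good", (HQ, DMZ)), ("bad", (HQ_BAD, DMZ))):
        print(label, pair_findings(*pair) or "OK")
```

A GRE endpoint outside the IPsec source/destination networks does not match the site-to-site map, so that GRE traffic is not carried inside the tunnel.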



  • 19.  RE: ipsec between aruba controllers
    Best Answer

    Posted Mar 13, 2018 09:58 AM

    Jonas,

    tried out that solution, works just fine, thanks for your help.

    cheers

    pete

     



  • 20.  RE: ipsec between aruba controllers

    MVP
    Posted Mar 13, 2018 10:34 AM

    Please accept the best post(s) as the solution then please. Helps those that come after :)