What is decrypt-tunnel mode and how does it work?

By AnandKumar Sukumar posted Jul 03, 2014 12:41 PM


Product and Software: This article applies to all Aruba controllers and APs running ArubaOS version 5.x and later.


Remote and campus APs can be configured in decrypt-tunnel mode. When an AP uses decrypt-tunnel forwarding mode, that AP decrypts and decapsulates all 802.11 frames from a client and sends the 802.3 frames through the GRE tunnel to the controller. The controller then applies firewall policies to the user traffic. When the controller sends traffic to a client, the controller sends 802.3 traffic through the GRE tunnel to the AP. The AP then converts that traffic to encrypted 802.11 and forwards it to the client. This forwarding mode allows a network to utilize the encryption and decryption capacity of the AP while reducing the demand for processing resources on the controller. APs in decrypt-tunnel forwarding mode also manage all 802.11 association requests and responses and they process all 802.11e and 802.11k action frames.


APs in decrypt-tunnel mode do have some limitations that are not present for APs in regular tunnel forwarding mode. You must enable the control plane security feature on the controller before you configure campus APs in decrypt-tunnel forwarding mode. High-throughput APs in decrypt-tunnel mode do not support de-aggregation of Aggregated MAC Service Data Units (A-MSDUs).


Note: Virtual APs in bridge or split-tunnel mode using static WEP should use key slots.


Decrypt-tunnel mode is similar to tunnel mode in that all traffic transits back to the mobility controller. The difference is that the decryption of user traffic occurs on the AP before the traffic is encapsulated in GRE. This mode is primarily used to allow inline security appliances to view traffic as it flows through the network before it is filtered by the mobility controller. Users of this functionality include banking and government organizations with strict data recording mandates. Decrypt-tunnel mode can also be used for debugging by allowing traffic to be captured and inspected between the AP and the mobility controller.
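As an added example (not from this article and not Aruba's code), the following Python script walks a packet the way it would be captured on the AP-to-controller link of a decrypt-tunnel AP: outer IPv4, then GRE, then the inner 802.3 frame and its IPv4/UDP headers, which are readable at this point because the AP has already removed the 802.11 encryption. The sample packet is constructed inline. The script assumes plain RFC 2784 GRE carrying an Ethernet frame under the transparent-Ethernet-bridging protocol type 0x6558; the article does not state the protocol type or header options ArubaOS uses in its own tunnel, so those constants are assumptions to adjust against a real capture.

```python
"""Decode a GRE-encapsulated 802.3 frame captured between a decrypt-tunnel AP
and its controller. Added example; all packet bytes below are constructed."""
import struct

# Assumed values: standard GRE over IP (protocol 47) carrying bridged Ethernet
# (0x6558). ArubaOS's actual tunnel protocol type is not given in the article.
IPPROTO_GRE = 47
GRE_PROTO_ETH_BRIDGING = 0x6558
ETHERTYPE_IPV4 = 0x0800


def mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def parse_ipv4(buf):
    """Return the IPv4 fields needed here plus the payload after the header."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum = struct.unpack("!BBHHHBBH", buf[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(buf) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    return {"proto": proto, "src": ip_str(buf[12:16]), "dst": ip_str(buf[16:20]),
            "payload": buf[ihl:total_len]}


def parse_gre(buf):
    """RFC 2784/2890 GRE: 4-byte base header plus optional checksum/key/sequence words."""
    if len(buf) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", buf[:4])
    hdr_len = 4
    if flags & 0x8000:  # C bit: checksum + reserved word present
        hdr_len += 4
    if flags & 0x2000:  # K bit: key present
        hdr_len += 4
    if flags & 0x1000:  # S bit: sequence number present
        hdr_len += 4
    if len(buf) < hdr_len:
        raise ValueError("truncated GRE options")
    return {"flags": flags, "proto": proto, "payload": buf[hdr_len:]}


def parse_ethernet(buf):
    if len(buf) < 14:
        raise ValueError("truncated Ethernet header")
    return {"dst": mac_str(buf[:6]), "src": mac_str(buf[6:12]),
            "ethertype": struct.unpack("!H", buf[12:14])[0], "payload": buf[14:]}


def decode_tunneled_frame(pkt):
    """Outer IPv4 -> GRE -> inner 802.3 -> inner IPv4. In decrypt-tunnel mode the
    inner headers are cleartext on this link because the AP already decrypted
    the client's 802.11 frame and converted it to 802.3 before encapsulation."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_GRE:
        raise ValueError("outer packet is not GRE")
    gre = parse_gre(outer["payload"])
    if gre["proto"] != GRE_PROTO_ETH_BRIDGING:
        # In plain tunnel mode the payload would still be an 802.11 frame, not 802.3
        raise ValueError("GRE payload is not a bridged Ethernet frame (proto 0x%04x)" % gre["proto"])
    eth = parse_ethernet(gre["payload"])
    result = {"ap": outer["src"], "controller": outer["dst"], "client_mac": eth["src"],
              "ethertype": eth["ethertype"], "client_ip": None, "l4_proto": None}
    if eth["ethertype"] == ETHERTYPE_IPV4:
        inner = parse_ipv4(eth["payload"])
        result["client_ip"] = inner["src"]
        result["l4_proto"] = inner["proto"]
    return result


def is_cleartext_bridged_frame(pkt):
    """True when the capture shows a readable 802.3 frame inside GRE."""
    try:
        decode_tunneled_frame(pkt)
        return True
    except ValueError:
        return False


def build_sample():
    """Constructed packet: a client UDP datagram bridged by the AP (10.0.0.10)
    and sent through GRE to the controller (10.0.0.1)."""
    udp_payload = b"example"
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(udp_payload), 0) + udp_payload
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                           bytes([192, 168, 1, 50]), bytes([192, 168, 1, 1])) + udp
    eth = (bytes.fromhex("001122334455") + bytes.fromhex("aabbccddeeff")
           + struct.pack("!H", ETHERTYPE_IPV4) + inner_ip)
    gre = struct.pack("!HH", 0x0000, GRE_PROTO_ETH_BRIDGING) + eth
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre), 2, 0, 64, IPPROTO_GRE, 0,
                       bytes([10, 0, 0, 10]), bytes([10, 0, 0, 1])) + gre


SAMPLE_PACKET = build_sample()

if __name__ == "__main__":
    print(decode_tunneled_frame(SAMPLE_PACKET))
```

The same capture position on an AP in ordinary tunnel mode carries the still-encrypted 802.11 frame, so the GRE protocol check fails and nothing past the Ethernet layer can be inspected; that difference is exactly what an inline appliance relies on in decrypt-tunnel mode.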


To enable decrypt-tunnel mode, CPsec must be enabled in the network. CPsec protects the encryption keys as they move between the controller and the AP.