How do I set up certificate based IPSEC between MD and VirtualMM?

By esupport posted Aug 11, 2020 08:46 AM

  
Requirement:

Introduction

Typically, the IPsec connection between a virtual MM and a hardware MD is a PSK VPN. When the initial setup wizard on the MD is told that the MM is virtual, the only options it presents are [IPSECwithPSK] or [IPSECwithMAC].

This article outlines how to have the MD connect to the vMM using certificate-based IPsec instead.



Solution:

Using factory certs and MM self-signed cert

This assumes that the vMM and MD are already connected and up using PSK-IPsec.

Since the vMM has no TPM, and therefore no factory certificate, it uses its own self-signed certificate to secure cert-based IPsec. The hardware MD authenticates with its TPM-backed factory certificate (server-cert factory-cert in the commands below).

On the CLI on the MM, run the following command.

(ArubaMM) [mm] #crypto pki export ca-cert pem self-signed console

This prints the certificate in PEM format. Copy the output into a file (the example below saved it as MM.self.pem) and keep it locally.

In the vMM GUI, import this certificate onto the MD as a TrustedCA certificate.


On the MD in the CLI ensure that you can see this certificate listed.

(Aruba7010) #show crypto-local pki trustedCA

Certificates
------------

Name            Original Filename  Reference Count  Expired
--------------  -----------------  ---------------  -------
MM.self         MM.self.pem        0                No

 

Next we need the MAC addresses of both the vMM and the MD, since the MAC is the identity each side expects to find in the peer's certificate.

On the vMM this is the management port MAC address (Mgmt Port HW MAC Addr in show inventory).

 

(ArubaMM) [mm] #show inventory

Mgmt Port HW MAC Addr       : 00:0C:29:15:8B:6F
HW MAC Addr                 : 00:0C:29:15:8B:79
Product key#                : MM6158B6F
Activate license            : Not Applicable
Active device type          : MM-VA-500

 

On the MD it is the first address of the HW MAC Addr range shown by show inventory (00:0b:86:9a:07:97 below; this is also the name of the MD's node on the MM).

(Aruba7010) #show inventory

Supervisor Card slot          : 0
System Serial#                : CG0002689 (Date:07/19/14)
CPU Card Serial#              : AE28018568 (Date:07/18/14)
CPU Card Assembly#            : 2010184C
CPU Card Revision             : (Rev:06.00)
SC Model#                     : Aruba7010
HW MAC Addr                   : 00:0b:86:9a:07:97 to 00:0b:86:9a:07:b6

 

GUI Configuration

In the GUI navigate to the MD node --> Configuration --> Controller and enter the details: the master IP, IPsec with custom certificates, the vMM management port MAC address, CA certificate MM.self, server certificate factory-cert and the controller VLAN (the same values the masterip command in the CLI section below takes).

On applying the change, the MD will reboot.

 

While the MD is rebooting we need to add the MD as a local-custom-cert entry on the MM.

Navigate to the MM level --> Configuration --> Controllers and add a new entry with the MD MAC address, CA certificate factory-ca-cert and server certificate self-signed-field-cert (the values the local-custom-cert command below takes).

CLI configuration

On the CLI navigate to the MD node level ([00:0b:86:9a:07:97] in this example) and point the MD at the vMM with custom-cert IPsec; <MM-mac> is the vMM management port MAC address.

(ArubaMM) [00:0b:86:9a:07:97] (config) # masterip <master-ip> ipsec-custom-cert master-mac-1-c <MM-mac> ca-cert MM.self server-cert factory-cert interface vlan <controller-vlan>

On write memory the MD will reboot.

Navigate to /MM level

(ArubaMM) [mm] (config) # local-custom-cert local-mac <MD-mac> ca-cert factory-ca-cert server-cert self-signed-field-cert

 

Once the MD has rebooted it will connect to the vMM using certificates. Check the ISAKMP SA to confirm this: the Authentication Method should be RSA Digital Signature rather than a pre-shared key, and the Phase1 IDs should carry the MD factory cert identity (CN=<serial>::<MD MAC>) and the vMM self-signed identity (CN=AOS::<vMM MAC>).

 

(ArubaMM) [mm] #show crypto isakmp sa peer 192.168.236.67

 Initiator IP: 192.168.236.67
 Responder IP: 172.17.12.10
 Initiator: No
 Initiator cookie:fa043faeaa830d43 Responder cookie:71e3f31734ac694d
 SA Creation Date: Wed Aug  5 14:16:34 2020
 Life secs: 28800
 Initiator Phase1 ID: CN=CG0002689::00:0b:86:9a:07:97 L=SW
 Responder Phase1 ID: CN=AOS::00:0C:29:15:8B:6F
 Exchange Type: IKE_SA (IKEV2)
 Phase1 Transform:EncrAlg:AES128 HashAlg:HMAC_SHA1_96 DHGroup:2
 Authentication Method: RSA Digital Signature 2048-bits
 IPSEC SA Rekey Number: 0
 Ipsec-map name: default-local-master-ipsecmap-00:0b:86:9a:07:97

 

Using custom certificates

 

This assumes that the same CA signs both the MM and the MD certificate.

On both the MM and MD create a CSR for the desired key type, RSA or EC. Alternatively, create the private key and CSR offline using OpenSSL.

When generating the CSR the CN must be the MAC address identity of the device and must match exactly the MAC address entered in the commands below, since that value is what each side uses to identify its peer.

For the MM the MAC should be the management port MAC address; however, if there is also a standby MM you may want to set the CN to a fake MAC, as in the example below, and enter that same value as the master MAC in the masterip command.

 

For MM - CN=01:01:01:01:01:01

For the MD – CN=<Serial No>::<MAC address>

      Example CN=CG0002689::00:0b:86:9a:07:97

 

Once the signed certificates have been issued, upload them to the respective MM or MD as server certificates. Ensure that the root CA certificate that issued them is also uploaded to both as a TrustedCA certificate. The following example uses RSA certificates.
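Added example of the offline OpenSSL route, not part of the original article: it creates a lab root CA and issues the MM and MD certificates with the CN conventions above (CN=01:01:01:01:01:01 for the MM and CN=CG0002689::00:0b:86:9a:07:97 for the MD, both taken from the article's examples), then checks that both chain to the same CA. The CA name, the other subject fields, the file names and the extension choices are assumptions for the lab; the helper function names are mine.

```shell
#!/bin/sh
# Added example, not Aruba's code: build a lab CA and issue the MM and MD
# certificates offline with OpenSSL so that each subject CN carries the identity
# the MM/MD commands will be told to expect:
#   MM : CN=<mac>            here the "fake" MAC 01:01:01:01:01:01
#   MD : CN=<serial>::<mac>  here CG0002689::00:0b:86:9a:07:97
# CA name, extra subject fields, file names and extensions are lab assumptions.
set -eu

MM_CN='01:01:01:01:01:01'
MD_CN='CG0002689::00:0b:86:9a:07:97'

# Fail early if a CN does not have the shape the MM/MD will expect.
# $1 = mm (bare MAC) or md (serial::MAC); $2 = CN. Exit 0 on match.
check_cn_format() {
    mac='([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}'
    case $1 in
        mm) printf '%s\n' "$2" | grep -Eq "^${mac}$" ;;
        md) printf '%s\n' "$2" | grep -Eq "^[A-Za-z0-9]+::${mac}$" ;;
        *)  return 1 ;;
    esac
}

# Private key: rsa (2048-bit) or ec (P-256), the two types the article allows.
gen_key() {   # $1 = rsa|ec, $2 = output file
    case $1 in
        rsa) openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$2" 2>/dev/null ;;
        ec)  openssl ecparam -name prime256v1 -genkey -noout -out "$2" ;;
        *)   echo "unknown key type: $1" >&2; return 1 ;;
    esac
}

# CSR whose subject CN is the device identity (C/ST/L/O are assumed lab values).
make_csr() {  # $1 = key, $2 = CN, $3 = output CSR
    openssl req -new -key "$1" -subj "/C=GB/ST=England/L=London/O=LAB/CN=$2" -out "$3"
}

# Sign a CSR with the lab CA as an end-entity (non-CA) certificate.
sign_csr() {  # $1 = CSR, $2 = output cert, $3 = CA directory
    openssl x509 -req -in "$1" -CA "$3/ca.crt" -CAkey "$3/ca.key" -CAcreateserial \
        -days 825 -sha256 -extfile "$3/leaf.ext" -out "$2" 2>/dev/null
}

# Subject CN of a certificate, extracted the same way on any OpenSSL version.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline | sed -n 's/^ *CN *= *//p'
}

# Build the lab PKI in $1 (key type in $2, default rsa): one root CA, then
# key/CSR/cert for the MM and the MD, then a chain check against that CA.
make_lab_pki() {
    dir=$1; algo=${2:-rsa}
    check_cn_format mm "$MM_CN"
    check_cn_format md "$MD_CN"
    mkdir -p "$dir"
    # Extension files so the result does not depend on the system openssl.cnf.
    printf '%s\n' 'basicConstraints = critical,CA:TRUE' \
        'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' > "$dir/ca.ext"
    printf '%s\n' 'basicConstraints = CA:FALSE' \
        'keyUsage = critical,digitalSignature' 'subjectKeyIdentifier = hash' > "$dir/leaf.ext"
    gen_key rsa "$dir/ca.key"
    openssl req -new -key "$dir/ca.key" -subj '/O=LAB/CN=LAB Root CA' -out "$dir/ca.csr"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -sha256 -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null
    for dev in mm md; do
        if [ "$dev" = mm ]; then cn=$MM_CN; else cn=$MD_CN; fi
        gen_key "$algo" "$dir/$dev.key"
        make_csr "$dir/$dev.key" "$cn" "$dir/$dev.csr"
        sign_csr "$dir/$dev.csr" "$dir/$dev.crt" "$dir"
    done
    # Both leaves must chain to the one CA uploaded to MM and MD as TrustedCA.
    openssl verify -CAfile "$dir/ca.crt" "$dir/mm.crt" "$dir/md.crt" >/dev/null
}

# Stand-alone run: the CNs printed here are what the Phase1 IDs will show.
work=$(mktemp -d)
make_lab_pki "$work"
echo "CA cert      : $work/ca.crt (TrustedCA on both MM and MD)"
echo "MM server CN : $(cert_cn "$work/mm.crt")"
echo "MD server CN : $(cert_cn "$work/md.crt")"
```

Run it as-is to get the files under a temporary directory, or pass ec as the second argument to make_lab_pki to issue P-256 keys instead of RSA. Upload ca.crt to both the MM and the MD as a TrustedCA certificate, each device's certificate with its private key as that device's server certificate, and use the printed CNs as the MAC values in the masterip and local-custom-cert commands; if a CN is changed to something that is not a MAC or serial::MAC, check_cn_format stops the script before anything is signed.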

GUI Configuration

The process is broadly the same as with the self-signed/factory certificates.

In the GUI on the MM navigate to the device level --> Configuration --> Controller and enter the relevant details: the master IP, the MM MAC exactly as it appears in the MM certificate CN, the CA certificate and the MD server certificate.

 

On applying the config, the MD will reboot.

 

To add the local-custom-cert entry on the MM, in the GUI navigate to the MM level --> Configuration --> Controllers and add a new entry with the MD MAC, the CA certificate and the MM server certificate.

 

 

CLI Configuration

Navigate to the device level and change the masterip configuration so that it references the uploaded CA and server certificates; <master-mac-in-CN> is the MAC in the MM certificate's CN (01:01:01:01:01:01 in this example).

(ArubaMM) [00:0b:86:9a:07:97] (config) #masterip <master-ip> ipsec-custom-cert master-mac-1-c <master-mac-in-CN> ca-cert <ca-cert-name> server-cert <server-cert-name> interface vlan <vlanid>

On write memory the MD will reboot.

Navigate to the /MM level and enter the following.

(ArubaMM) [mm] (config) #local-custom-cert local-mac <local-mac> ca-cert <ca-cert-name> server-cert <mm-server-cert>

 

After the MD reboots it will connect to the MM using the custom certificates; the Phase1 IDs now show the full subject DNs of the issued certificates, with the CNs from the CSRs.

(ArubaMM) [mm] #show crypto isakmp sa peer 192.168.236.67

 Initiator IP: 192.168.236.67
 Responder IP: 172.17.12.10
 Initiator: No
 Initiator cookie:209c4aabba702dd1 Responder cookie:88c8a73defac9749
 SA Creation Date: Fri Aug  7 10:18:45 2020
 Life secs: 28800
 Initiator Phase1 ID: C=GB S=England L=London O=LAB CN=CG0002689::00:0b:86:9a:07:97 E=mclarke@hpe.com
 Responder Phase1 ID: C=GB S=England L=London O=LAB CN=01:01:01:01:01:01 E=mclarke@hpe.com
 Exchange Type: IKE_SA (IKEV2)
 Phase1 Transform:EncrAlg:AES128 HashAlg:HMAC_SHA1_96 DHGroup:2
 Authentication Method: RSA Digital Signature 2048-bits


Configuration:

see above



Verification

The following commands are useful for troubleshooting.

show crypto isakmp sa peer <peer-ip>

show crypto ipsec sa peer <peer-ip>

logging security process crypto level debug

show log security all

The debug level is verbose; set the crypto logging level back once troubleshooting is done.

 

To show or verify the certificates on the controller:

show crypto-local pki TrustedCA

show crypto-local pki servercert
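Added example, not part of the article: a small shell check for a captured show crypto isakmp sa output taken on the MM (where the MD is the initiator, as the Initiator: No line shows). It confirms that the SA was authenticated with a digital signature rather than a pre-shared key and that the Phase1 IDs carry the CNs of the issued certificates. The two sample outputs are constructed from the article's output (e-mail field replaced, plus a PSK variant whose exact wording the article does not show); the function names are mine.

```shell
#!/bin/sh
# Added example, not from the article: check a captured
# "show crypto isakmp sa peer <ip>" output for what the certificate setup must
# produce. Samples are constructed; the PSK wording is an assumption.
set -eu

# Constructed from the article's post-change output (e-mail field replaced).
SAMPLE_CERT_SA=' Initiator IP: 192.168.236.67
 Responder IP: 172.17.12.10
 Initiator: No
 Initiator cookie:209c4aabba702dd1 Responder cookie:88c8a73defac9749
 SA Creation Date: Fri Aug  7 10:18:45 2020
 Life secs: 28800
 Initiator Phase1 ID: C=GB S=England L=London O=LAB CN=CG0002689::00:0b:86:9a:07:97 E=lab@example.com
 Responder Phase1 ID: C=GB S=England L=London O=LAB CN=01:01:01:01:01:01 E=lab@example.com
 Exchange Type: IKE_SA (IKEV2)
 Phase1 Transform:EncrAlg:AES128 HashAlg:HMAC_SHA1_96 DHGroup:2
 Authentication Method: RSA Digital Signature 2048-bits'

# Constructed negative sample: a PSK SA. The article only shows the
# "Digital Signature" wording, so the PSK line here is assumed.
SAMPLE_PSK_SA=' Initiator IP: 192.168.236.67
 Responder IP: 172.17.12.10
 Initiator: No
 Exchange Type: IKE_SA (IKEV2)
 Authentication Method: Pre-Shared Key'

# Value of the "Authentication Method:" line (empty if absent).
sa_auth_method() {
    printf '%s\n' "$1" | sed -n 's/^ *Authentication Method: *//p'
}

# CN inside the "<Initiator|Responder> Phase1 ID:" DN. The DN is printed as
# space-separated attr=value pairs and the CN (MAC or serial::MAC) contains no
# spaces, so the value runs up to the next space or end of line.
sa_phase1_cn() {   # $1 = SA text, $2 = Initiator | Responder
    printf '%s\n' "$1" | sed -n "s/^ *$2 Phase1 ID: .*CN=\([^ ]*\).*/\1/p"
}

# Exit 0 only if the SA is signature-authenticated and both identities match
# the CNs that were issued: $2 = expected MD CN, $3 = expected MM CN.
check_sa() {
    case "$(sa_auth_method "$1")" in
        *'Digital Signature'*) ;;
        *) echo "SA is not certificate-authenticated: '$(sa_auth_method "$1")'" >&2; return 1 ;;
    esac
    [ "$(sa_phase1_cn "$1" Initiator)" = "$2" ] || { echo "MD identity mismatch" >&2; return 1; }
    [ "$(sa_phase1_cn "$1" Responder)" = "$3" ] || { echo "MM identity mismatch" >&2; return 1; }
    echo "SA OK: $(sa_auth_method "$1"); MD=$2; MM=$3"
}

# Stand-alone run against the constructed samples.
check_sa "$SAMPLE_CERT_SA" 'CG0002689::00:0b:86:9a:07:97' '01:01:01:01:01:01'
if check_sa "$SAMPLE_PSK_SA" 'CG0002689::00:0b:86:9a:07:97' '01:01:01:01:01:01' 2>/dev/null; then
    echo "unexpected: PSK sample passed the check" >&2; exit 1
fi
```

To use it on a live system, paste the real show crypto isakmp sa peer output into a variable (or read it from a file) and call check_sa with the CNs from the CSRs; a non-zero exit with "not certificate-authenticated" means the MD is still on the PSK map, while an identity mismatch points at a CN that does not equal the MAC entered in masterip or local-custom-cert.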

 

 
