Site-to-site VPN allows sites at different physical locations to securely communicate with each other over a Layer-3 network such as the Internet. You can use Aruba controllers instead of VPN concentrators to connect the sites. Or, you can use a VPN concentrator at one site and a controller at the other site.
ArubaOS supports site-to-site VPNs with two statically addressed controllers, or with one static and one dynamically addressed controller. By default, site-to-site VPN uses IKE Main-mode with Pre-Shared-Keys to authenticate the IKE SA. This method uses the IP address of the peer, and therefore does not work for dynamically addressed peers.
To support site-site VPN with dynamically addressed devices, you must enable IKE Aggressive-Mode with
Authentication based on a Pre-Shared-Key. The Aruba controller with a dynamic IP address must be configured to be the initiator of IKE Aggressive-mode for Site-Site VPN, while the controller with a static IP address must be configured as the responder of IKE Aggressive-mode.
Aruba Mobility Controller 3400 running AOS 126.96.36.199 build 38660
In most deployment, the Mobility Controller (MC) are likely installed behind firewalls and Intrusion Detection or Protection devices. The policy on these devices should allow UDP 4500 to pass through as this is required for the VPN traffic.
 User Guide : Aruba OS 6.3 User Guide - Working with Site-to-Site VPNs
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2020 Hewlett Packard Enterprise Development LPAll Rights Reserved.