Dynamic Site-to-Site VPN between Mobility Controllers

By ckokstar posted Sep 17, 2014 05:37 PM





Site-to-site VPN allows sites at different physical locations to securely communicate with each other over a Layer-3 network such as the Internet. You can use Aruba controllers instead of VPN concentrators to connect the sites. Or, you can use a VPN concentrator at one site and a controller at the other site.


ArubaOS supports site-to-site VPNs between two statically addressed controllers, or between one statically and one dynamically addressed controller [1]. By default, site-to-site VPN uses IKE Main Mode with a Pre-Shared Key to authenticate the IKE SA. In Main Mode the responder has to select the Pre-Shared Key from the peer's IP address, which must therefore be known in advance, so this method does not work for a dynamically addressed peer.

To support site-to-site VPN with a dynamically addressed device, you must enable IKE Aggressive Mode with authentication based on a Pre-Shared Key. The Aruba controller with the dynamic IP address must be configured as the initiator of IKE Aggressive Mode for the site-to-site VPN, and the controller with the static IP address must be configured as the responder.
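The following toy model shows why the static-IP responder cannot pick a Pre-Shared Key for an unknown address in Main Mode, why Aggressive Mode solves this by sending the initiator's identity in the clear in message 1, and the price paid for that: message 2 carries HASH_R unencrypted, so an eavesdropper can test PSK guesses offline. This is an added example written for this post, not Aruba code or the ArubaOS CLI; it models only the parts of RFC 2409 needed to make the point (SKEYID and HASH_R with HMAC-SHA1 as the prf, nonces and identities) and leaves out Diffie-Hellman, cookies and the SA payload. The peer identity is modelled as an FQDN, and all addresses, names and keys are constructed sample data.

```python
"""Toy model of IKEv1 phase-1 pre-shared-key selection: Main Mode versus
Aggressive Mode with a dynamically addressed peer.

Added example, not Aruba code. Only SKEYID and HASH_R are modelled (HMAC-SHA1
as prf); DH, cookies and the SA payload are omitted. All sample data is
constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

PRF = hashlib.sha1


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    # RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)
    return hmac.new(psk, ni + nr, PRF).digest()


def hash_r(skeyid: bytes, ni: bytes, nr: bytes, idr: bytes) -> bytes:
    # Simplified HASH_R = prf(SKEYID, Nr | Ni | IDr). The real HASH_R also
    # covers the DH public values, cookies and SA payload (omitted here).
    return hmac.new(skeyid, nr + ni + idr, PRF).digest()


class Responder:
    """The static-IP controller. PSKs are keyed by peer address (all Main Mode
    can use before message 5) and by peer FQDN identity (Aggressive Mode)."""

    def __init__(self, psk_by_addr: Dict[str, bytes],
                 psk_by_fqdn: Dict[bytes, bytes],
                 own_id: bytes = b"hq.example.com") -> None:
        self.psk_by_addr = psk_by_addr
        self.psk_by_fqdn = psk_by_fqdn
        self.own_id = own_id

    def main_mode_select_psk(self, src_ip: str) -> Optional[bytes]:
        # Main Mode: IDi arrives in message 5, already encrypted under keys
        # derived from SKEYID, so the PSK must be chosen from the source IP of
        # message 1. A dynamic address has no entry, and the exchange fails.
        return self.psk_by_addr.get(src_ip)

    def aggressive_mode_msg2(self, idi: bytes, ni: bytes) -> Optional[Tuple[bytes, bytes, bytes]]:
        # Aggressive Mode: message 1 carries IDi in the clear, so the PSK is
        # selected by identity, whatever address the peer uses today.
        psk = self.psk_by_fqdn.get(idi)
        if psk is None:
            return None
        nr = os.urandom(16)
        skeyid = skeyid_psk(psk, ni, nr)
        # Message 2 (Nr, IDr, HASH_R) is sent unencrypted.
        return nr, self.own_id, hash_r(skeyid, ni, nr, self.own_id)


def initiator_aggressive(responder: Responder, psk: bytes, idi: bytes) -> Tuple[bool, Optional[tuple]]:
    """The dynamic-IP controller initiating Aggressive Mode. Returns whether it
    accepted HASH_R and the values an on-path eavesdropper could capture."""
    ni = os.urandom(16)
    msg2 = responder.aggressive_mode_msg2(idi, ni)
    if msg2 is None:
        return False, None
    nr, idr, received = msg2
    expected = hash_r(skeyid_psk(psk, ni, nr), ni, nr, idr)
    captured = (ni, nr, idr, received)  # all of this crossed the wire in clear
    return hmac.compare_digest(expected, received), captured


def offline_psk_guess(captured: tuple, wordlist) -> Optional[str]:
    """The Aggressive Mode caveat: with Ni, Nr, IDr and HASH_R observed, each
    candidate PSK is testable offline without contacting either peer."""
    ni, nr, idr, observed = captured
    for cand in wordlist:
        guess = hash_r(skeyid_psk(cand.encode(), ni, nr), ni, nr, idr)
        if hmac.compare_digest(guess, observed):
            return cand
    return None


# Constructed sample data (hypothetical, not from any real deployment).
STATIC_PEER_IP = "203.0.113.10"
DYNAMIC_PEER_IP = "198.51.100.77"      # whatever the ISP handed out today
BRANCH_ID = b"branch1.example.com"
WEAK_PSK = b"aruba123"
STRONG_PSK = os.urandom(32)


def build_responder(branch_psk: bytes) -> Responder:
    return Responder(psk_by_addr={STATIC_PEER_IP: WEAK_PSK},
                     psk_by_fqdn={BRANCH_ID: branch_psk})


if __name__ == "__main__":
    hq = build_responder(WEAK_PSK)
    print("main mode, static peer :", hq.main_mode_select_psk(STATIC_PEER_IP) is not None)
    print("main mode, dynamic peer:", hq.main_mode_select_psk(DYNAMIC_PEER_IP) is not None)
    ok, cap = initiator_aggressive(hq, WEAK_PSK, BRANCH_ID)
    print("aggressive mode, dynamic peer:", ok)
    print("offline guess of weak PSK:", offline_psk_guess(cap, ["password", "aruba123", "hq2014"]))
```

The practical consequence for the Aggressive Mode deployment described in this post is that the Pre-Shared Key is the only thing standing between a passive observer and the phase-1 authentication, so configure a long, random key rather than a word or phrase; with `STRONG_PSK` the offline guess in the model returns nothing.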


Platform Tested

Aruba Mobility Controller 3400 running AOS build 38660





Lab Topology

Configuration Notes

In most deployments, the Mobility Controllers (MCs) are installed behind firewalls and intrusion detection or prevention devices. The policy on these devices must allow IKE on UDP 500 and NAT-Traversal on UDP 4500 (which is the path the VPN traffic takes when either peer is behind NAT, the usual case for a dynamically addressed controller); where there is no NAT between the peers, ESP (IP protocol 50) must be permitted as well.


[1] Aruba OS 6.3 User Guide, "Working with Site-to-Site VPNs".