Controllerless Networks

IAP VPN and custom certs

  • 1.  IAP VPN and custom certs

    Posted Nov 15, 2021 09:45 AM
    I'm trying to get my standalone IAP to VPN home to my strongSwan implementation on pfSense, but I cannot get it to use the proper certificates.

    I have uploaded the proper CA authority that does my cert signing, and I have uploaded a client cert that I use for Tunneldata, but no matter what I do, it still attempts to connect using the built-in TPM Device certificate, which is not trusted in my strongSwan IPsec server.

    I have then tried creating a custom VPN profile using "vpn tunnel-profile <profilename>", where you can issue a "use-custom-cert" command...

    But this seems like rather unfinished work in the OS. I cannot specify which cert to use, and even though I have set up the profile correctly, the rapper process dies several times a minute trying to establish the VPN connection. It never gets so far that I actually see any connects on the other end.

    Any ideas? Running Instant OS 8.9.0.0 on an Aruba IAP-203R

    ------------------------------
    Tue Madsen
    ------------------------------


  • 2.  RE: IAP VPN and custom certs

    Posted Nov 15, 2021 10:00 AM

    Here's some output from the debug log:

    Nov 15 15:33:37 cli[5123]: [primary tunnel] ipsec_tunnel_connect(1764): primary tunnel, cli_local_ip 10.40.168.206 netmask 255.0.0.0
    Nov 15 15:33:37 cli[5123]: [primary tunnel] addroute(602):Dst 81856705 mask 0 gw 100000a
    Nov 15 15:33:37 cli[5123]: [primary tunnel] set_route_af: ioctl (SIOCADDRT) failed error no(17)
    Nov 15 15:33:37 cli[5123]: [primary tunnel] ipsec_tunnel_connect(1785): add route table destination X.XXX.XXX.XXX, gw 10.0.0.1, interface ppp0.
    Nov 15 15:33:37 cli[5123]: [primary tunnel] Starting rapper with lifetime p1 = 28000 p2 = 7200
    Nov 15 15:33:37 cli[5123]: [primary tunnel] Starting IAP rapper 0 to X.XXX.XXX.XXX:8423 attmpt 0 for profile tunnel
    Nov 15 15:33:37 cli[5123]: [primary tunnel] lauch rapper command: rapper -c X.XXX.XXX.XXX -d 1 -C -b 1 -i ppp0 -x -G 0 -r 8423 -l 28000 -L 7200 -w 1 -o /tmp/rapper-X.XXX.XXX.XXX.txt
    Nov 15 15:33:37 cli[5123]: [primary tunnel] Populate the PID 8336 in file /tmp/rapper_ppp_pid_dc_1
    Nov 15 15:33:37 cli[5123]: [primary tunnel] tunnel_stop_up_timer(731): stop up timer.
    Nov 15 15:33:37 cli[5123]: [primary tunnel] tunnel_start_up_timer(930): tunnel primary tunnel start up timer (30 secs)
    Nov 15 15:33:37 cli[5123]: [primary tunnel] tunnel_stop_up_timer(731): stop up timer.
    Nov 15 15:33:38 cli[5123]: send_register_local,member send defaultcert checksum at heartbeat,cs_defaultcert_csum= 770462176
    Nov 15 15:33:38 cli[5123]: recv_heartbeat_local,compare defaultcert checksum,cs_defaultcert_csum= 770462176 ,received defaultcert_csum =770462176
    Nov 15 15:33:38 cli[5123]: recv_heartbeat_local, AP(127.0.0.1) config has taken effect
    Nov 15 15:33:38 cli[5123]: receive ap 127.0.0.1 with drt status 0
    Nov 15 15:33:42 cli[5123]: ipsec_tunnel_monitor_action(2961): process rapper died, pid 8336.
    Nov 15 15:33:48 sapd[5142]: sapd_papi_rcv_cb: Received AMAPI Packet from 127.0.0.1:24891 to 127.0.0.1:7968
    Nov 15 15:33:48 sapd[5142]: executeCommandObject: Executing AMAPI Command Type: 100
    Nov 15 15:33:48 sapd[5142]: sapd_papi_rcv_cb: Received AMAPI Packet from 127.0.0.1:24891 to 127.0.0.1:7968
    Nov 15 15:33:48 sapd[5142]: executeCommandObject: Executing AMAPI Command Type: 100
    Nov 15 15:33:49 cli[5123]: send_register_local,member send defaultcert checksum at heartbeat,cs_defaultcert_csum= 770462176
    Nov 15 15:33:49 cli[5123]: recv_heartbeat_local,compare defaultcert checksum,cs_defaultcert_csum= 770462176 ,received defaultcert_csum =770462176
    Nov 15 15:33:49 cli[5123]: recv_heartbeat_local, AP(127.0.0.1) config has taken effect
    Nov 15 15:33:49 cli[5123]: receive ap 127.0.0.1 with drt status 0
    Nov 15 15:33:53 cli[5123]: ipsec_tunnel_monitor_action(2961): process rapper died, pid 8336.
    Nov 15 15:33:56 sapd[5142]: sapd_papi_rcv_cb: Received AMAPI Packet from 127.0.0.1:24891 to 127.0.0.1:7968
    Nov 15 15:33:56 sapd[5142]: executeCommandObject: Executing AMAPI Command Type: 100

    It makes little sense to me, but my hunch is it's happening because it cannot pick/find the certificate file to use when attempting the connection.
    In the vpn-brief log files I just have a million lines of

    2021-11-15 15:51:46 [primary tunnel] name.mydomain.dk resolved peer ip address X.XXX.XXX.XXX.

    and in the vpn-tunnel log files a million lines of:
    2021-11-15 15:56:50 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24067.
    2021-11-15 15:56:59 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24067.
    2021-11-15 15:57:04 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24067.
    2021-11-15 15:57:10 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24467.
    2021-11-15 15:57:15 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24467.
    2021-11-15 15:57:20 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24467.
    2021-11-15 15:57:25 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24467.
    2021-11-15 15:57:34 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24467.
    2021-11-15 15:57:39 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24467.
    2021-11-15 15:57:45 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24856.
    2021-11-15 15:57:50 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24856.
    2021-11-15 15:57:55 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24856.
    2021-11-15 15:58:00 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24856.
    2021-11-15 15:58:10 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24856.
    2021-11-15 15:58:15 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24856.
    2021-11-15 15:58:20 ipsec_tunnel_monitor_action(2961): process rapper died, pid 25247.
    2021-11-15 15:58:25 ipsec_tunnel_monitor_action(2961): process rapper died, pid 25247.
    2021-11-15 15:58:30 ipsec_tunnel_monitor_action(2961): process rapper died, pid 25247.
    2021-11-15 15:58:35 ipsec_tunnel_monitor_action(2961): process rapper died, pid 25247.
    2021-11-15 15:58:45 ipsec_tunnel_monitor_action(2961): process rapper died, pid 25247.

    I have substituted my domain name and resolved IP address in these logs, but they are both correctly mentioned in the logs.



    ------------------------------
    Tue Madsen
    ------------------------------
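A small triage helper for the vpn-tunnel log format quoted in this post, added here as an example (it is not part of the thread or of Instant OS); the sample log, the hostname and the peer address in it are constructed. It groups the `process rapper died` lines by pid and flags the restart cadence as a crash loop:

```python
import re
from datetime import datetime

# Constructed sample modelled on the vpn-tunnel log lines quoted in the post above;
# the hostname and peer address are placeholders, not values from the thread.
SAMPLE_LOG = """\
2021-11-15 15:56:50 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24067.
2021-11-15 15:56:59 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24067.
2021-11-15 15:57:04 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24067.
2021-11-15 15:57:10 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24467.
2021-11-15 15:57:15 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24467.
2021-11-15 15:57:20 [primary tunnel] vpn.example.invalid resolved peer ip address 192.0.2.10.
2021-11-15 15:57:25 ipsec_tunnel_monitor_action(2961): process rapper died, pid 24467.
"""

# Matches the "process rapper died" line; the number in parentheses after the
# function name is not needed for the summary, so it is not captured.
DIED_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"ipsec_tunnel_monitor_action\(\d+\): process rapper died, pid (\d+)\.$"
)


def parse_rapper_deaths(text):
    """Return [(timestamp, pid), ...] for every rapper-death line, in log order."""
    deaths = []
    for line in text.splitlines():
        m = DIED_RE.match(line.strip())
        if m:
            deaths.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), int(m.group(2))))
    return deaths


def summarize_crash_loop(text, window_s=60, threshold=3):
    """Summarise rapper restarts and flag a crash loop.

    The log reports the same pid dying several times, so deaths are counted per
    pid rather than assuming one death per pid. A crash loop is flagged when
    `threshold` deaths fall inside any `window_s`-second window.
    """
    deaths = sorted(parse_rapper_deaths(text))
    per_pid = {}
    for _, pid in deaths:
        per_pid[pid] = per_pid.get(pid, 0) + 1
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(deaths, deaths[1:])]
    loop = any(
        (deaths[i + threshold - 1][0] - deaths[i][0]).total_seconds() <= window_s
        for i in range(len(deaths) - threshold + 1)
    )
    return {
        "deaths": len(deaths),
        "deaths_per_pid": per_pid,
        "mean_interval_s": round(sum(gaps) / len(gaps), 1) if gaps else None,
        "crash_loop": loop,
    }
```

Running `summarize_crash_loop(SAMPLE_LOG)` on the constructed sample reports six deaths across two pids about seven seconds apart, which is the pattern the poster describes as "several times a minute".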



  • 3.  RE: IAP VPN and custom certs

    EMPLOYEE
    Posted Nov 16, 2021 04:05 AM
    I don't think IAP VPN has been designed or tested towards third-party VPN solutions. It typically has a controller as VPNC to connect to, as it does more than just IPSec, like L2-GRE inside the IPSec.

    You may check with Aruba Support if your setup is supported or will work.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 4.  RE: IAP VPN and custom certs

    Posted Nov 16, 2021 04:28 AM

    Yeah, I know that's what it is designed for. I was hoping to test/check if it could do regular site-to-site IPsec VPN as well.

    Since it is supported in the ArubaOS controllers, I was hoping some of the same code was present in Instant so it would actually work.



    ------------------------------
    Tue Madsen
    ------------------------------