Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ArubaOS8 Site-to-site vpn

  • 1.  ArubaOS8 Site-to-site vpn

    Posted Nov 03, 2020 10:38 AM
    Hi!

    I'm trying to make a setup where all my traffic from clients goes through ipsec vpn to our datacenter.
    From MD on branch to central firewall (ipsec between md and the firewall).

    I've done a next-hop route and an ACL on my VLAN interfaces. I get traffic to my test client.
    The problem is the source traffic from the MD itself. Since we use ClearPass as RADIUS / TACACS we want the traffic from our mgmt-vlan to go through the tunnel as well.

    But I cannot get this to work.
    I've tried manually adding a route:

    S 10.10.10.10/32 [0/1] ipsec map central-hub

    I've tried "force tunnelmode"; it makes no difference.
    ipsec map:
    Crypto Map Template"central-hub" 100
    IKE Version: 1
    IKEv1 Policy: 20
    Security association lifetime seconds: xx
    Security association lifetime kilobytes: N/A
    PFS (Y/N): Y xxx
    Transform sets=xxx
    Peer gateway: x.x.x.x
    Monitor IP: 0.0.0.0
    Interface: VLAN 1
    Source network: y.y.y.y/255.255.248.0
    Destination network: ANY
    Pre-Connect (Y/N): Y
    Client NAT mode (Y/N): N
    Tunnel Trusted (Y/N): Y
    Forced NAT-T (Y/N): N
    Uplink Failover (Y/N): N
    Force-Tunnel-Mode (Y/N): Y
    Uplink LoadBalance (Y/N): N
    IP Compression (Y/N): N

    Any pointers on how to make this work?


  • 2.  RE: ArubaOS8 Site-to-site vpn

    EMPLOYEE
    Posted Nov 03, 2020 12:50 PM
    Is the MD's management address private address space?  Would that private address space be routable to your datacenter?  Do you have a route from your datacenter back to your MD's subnet via that ipsec connection?

    ------------------------------
    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: ArubaOS8 Site-to-site vpn

    Posted Nov 04, 2020 02:01 AM
    Hi!

    Yeah, the IP I'm testing this out with is on the same subnet as my test client.
    So for example if my test client IP is 10.10.20.10/24, it uses the MD as default GW with IP 10.10.20.1/24.
    So I can reach the client on that subnet, but when I for example try to ping with source <vlan id for that subnet>, it doesn't work.
    So the client from the exact same subnet works fine, but for example the DHCP relay doesn't work since the controller's source IP on the same subnet can't reach the datacenter.
    I haven't done any packet capture yet, so I'm not 100% sure whether the traffic goes into the tunnel or not.

    Is there any manual / example or anything describing how to do this correctly?


  • 4.  RE: ArubaOS8 Site-to-site vpn

    EMPLOYEE
    Posted Nov 04, 2020 07:21 AM
    We don't have instructions for individual firewalls. Next-Hop-Route and ACLs on VLANs are only for client traffic that you want to route away from its default gateway, and not for infrastructure devices like your MD.

    Your MD should follow the routing in "show ip route" on the MD to get to your TACACS/RADIUS server. Your firewall and your networks on the other side should also have a route to the MD through the firewall. It should be that straightforward.




  • 5.  RE: ArubaOS8 Site-to-site vpn

    Posted Nov 04, 2020 07:44 AM
    Ok, thanks for the clarification. I will see if I've missed something in the routing table.
    So the route would be something like

    ip route 10.10.10.0 255.255.255.0 ipsec central-hub



  • 6.  RE: ArubaOS8 Site-to-site vpn

    EMPLOYEE
    Posted Nov 04, 2020 08:13 AM
    If central-hub is the name of the ipsec map, yes.




  • 7.  RE: ArubaOS8 Site-to-site vpn

    Posted Nov 09, 2020 09:31 AM
    Well, did some troubleshooting; this is very strange.
    Sadly it might be a bug. I had a case with Aruba support where I had the exact same issue with all versions of ArubaOS after 6.5.4.8.
    6.5.4.8 works fine with this exact setup, but after upgrading to later versions it simply doesn't work anymore.
    I thought it was a bug with only ArubaOS 6.

    I can set up a next-hop list with a route pointing to the ipsec-map; this works for clients.

    But making a route-acl with any-any pointing to the ipsec-map doesn't work.
    And adding an ip route with the ipsec-map as target won't work either, so I cannot get the MD traffic to work.

    Using show datapath session table I can see that the MD is using the tunnel as route. However, on the other end I never see any traffic in the tunnel.

    I opened another case with support.


  • 8.  RE: ArubaOS8 Site-to-site vpn

    EMPLOYEE
    Posted Nov 09, 2020 01:11 PM
    Your details in this post are not specific enough. If you are doing a simple site-to-site VPN and you want traffic to go through that for an MD, it should be a simple route to the route map. You are also talking route-acls, which ...why?? You are also saying that there is something that worked in 6.x that does not work in 8.x... that is common, because they are different infrastructures.

    Please work with TAC to figure out what is not working and let us know how to do what you are trying to do. Then you can come back with a nice tutorial for a few of us that want to do something similar.




  • 9.  RE: ArubaOS8 Site-to-site vpn
    Best Answer

    Posted Nov 23, 2020 09:30 AM
    Hi!

    Worked with TAC and found the issue.
    When specifying:
    ip route <networkid> <mask> ipsec-map <ipsecmap> 

    You apparently cannot specify:
    Destination network: ANY
    in the ipsec configuration. You must define a destination network. Doesn't need to match <networkid> from ip route (we for example have several ip routes pointed to the tunnel). It just has to be defined as a network and not ANY.

    So the solution was using
    destination network: 10.1.0.0 255.255.255.0
    in the ipsec site-to-site config.

    After that the routing works as expected (as we discussed above).
    This was kinda hard to find since I cannot find it in writing, and also adding the routes to the routing table works fine even if the ipsec config is defined with destination: ANY. It just won't use the routes even though they are there.

    Glad TAC found a solution.
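As an added example (not from the thread or from HPE Aruba), a small check that catches the condition the best answer describes: it parses `show crypto-local ipsec-map` and `show ip route` style output and flags any static route that points at an ipsec map whose Destination network is ANY, or at a map that does not exist. The sample output, map names and addresses below are constructed placeholders modelled on the excerpts in the thread.

```python
import re

# Constructed sample output modelled on the `show crypto-local ipsec-map` and
# `show ip route` excerpts in the thread; names and addresses are placeholders.
IPSEC_MAP_OUTPUT = """\
Crypto Map Template"central-hub" 100
Peer gateway: 192.0.2.1
Source network: 10.10.16.0/255.255.248.0
Destination network: ANY
Crypto Map Template"fixed-hub" 110
Peer gateway: 192.0.2.2
Source network: 10.10.16.0/255.255.248.0
Destination network: 10.1.0.0/255.255.255.0
"""
ROUTE_OUTPUT = """\
C 10.10.20.0/24 [0/0] directly connected, VLAN 20
S 10.10.10.0/24 [0/1] ipsec map central-hub
S 10.1.0.0/24 [0/1] ipsec map fixed-hub
S 10.2.0.0/24 [0/1] ipsec map missing-hub
"""
MAP_HEADER = re.compile(r'^Crypto Map Template"([^"]+)"')
ROUTE_VIA_MAP = re.compile(r'^S\s+(\S+)\s+\[\d+/\d+\]\s+ipsec map\s+(\S+)')

def parse_ipsec_maps(text):
    """Return {map_name: {field: value}} from ipsec-map show output."""
    maps, current = {}, None
    for line in text.splitlines():
        m = MAP_HEADER.match(line)
        if m:
            current = maps.setdefault(m.group(1), {})
        elif current is not None and ": " in line:
            key, _, value = line.partition(": ")
            current[key.strip()] = value.strip()
    return maps

def routes_via_ipsec(text):
    """Return [(prefix, map_name)] for static routes whose next hop is an ipsec map."""
    return [(m.group(1), m.group(2))
            for m in map(ROUTE_VIA_MAP.match, text.splitlines()) if m]

def find_unusable_routes(map_text, route_text):
    """Flag routes whose map has Destination network ANY (the thread's issue) or is missing."""
    maps = parse_ipsec_maps(map_text)
    problems = []
    for prefix, name in routes_via_ipsec(route_text):
        dst = maps.get(name, {}).get("Destination network")
        if dst is None:
            problems.append((prefix, name, "ipsec map not found"))
        elif dst.upper() == "ANY":
            problems.append((prefix, name, "destination network is ANY"))
    return problems
```

The route via fixed-hub passes because its map has a concrete destination network, which is exactly the change TAC recommended.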