Wireless Access

last person joined: 16 hours ago 

Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.
Expand all | Collapse all

ipsec between aruba controllers

Jump to Best Answer
  • 1.  ipsec between aruba controllers

    Posted Feb 28, 2018 04:20 AM

    hello airheads,

    does anyone know if you can set up a ipsec tunnel between two controllers. NOT a site-site but need to map a VLAN from head office to a controller network. I know you can do a GRE tunnel but that has problems across NATted boundaries.

     



  • 2.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 04:38 AM


  • 3.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 04:51 AM

    thanks for getting back.

    i'm not sure if it does help.

    That refers to site-site vpn's.

    what i'm looking for is layer 2



  • 4.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 05:31 AM

    I've been using gre tunnels to do this.

    Have a look at http://community.arubanetworks.com/t5/Wireless-Access/L2-GRE-keepalive/td-p/188868 



  • 5.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 05:35 AM

    thanks for getting back.

    GRE was my first thought but i remember  a few years back that there was a problem with Aruba GRE tunnels over NATted boundary.

    was that something to do with the keep-alives?

     



  • 6.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 05:45 AM

    Appologies, I should have read your entire post.

    Not sure with GRE over NAT, might very well be problematic. Never had to do this so don't have anything usefull to tell you here.

     

     

    @Craig Syme's sollution seems workable. Create a site to site VPN and set up the gre tunnel through that?

     



  • 7.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 05:47 AM

    Hey, GRE will not survive a NAT boundary so you will need to look at IPSEC. I believe IPSEC should work as you can simply route the VLAN via the tunnel.



  • 8.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 05:52 AM

    ok thank you,

    just wanted to know how do you set up the IPSEC tunnel between two controllers?



  • 9.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 05:57 AM

    Hey, the link previously posted details the configuration steps. If not you can find it in each of the User Guides for the respective ArubaOS release.



  • 10.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 06:02 AM

    i read that but isn't that to do with site-site vpn's?

    couldn't see how to do what i was trying to achieve.

     

     



  • 11.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 06:12 AM

    Hi Pete,

     

    You can setup a VPN tunnel between the controllers first and within that tunnel you can create a L2 GRE tunnel to transport the vlan between the sites.

     

    Jonas



  • 12.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 06:39 AM

    thanks Jonas for getting back to me.

    i guess this is something i can try in our lab.

    Is it setup you have tried?



  • 13.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 06:42 AM

    Pete,

     

    Yes, I have tried it and used it in production deployments too.

     

    /Jonas



  • 14.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 06:43 AM

    thanks Jonas,

    do you have a config doc for this?

     



  • 15.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 06:54 AM

    Hi Pete,

     

    We do have a solution for this in Aruba Solution Exchange.

     

    https://ase.arubanetworks.com/solutions/id/116

     

    This will help you create the config and also have it documented :)

     

    /Jonas



  • 16.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 07:11 AM

    this certainly looks like what i need.

    can i just clarify:-# in the configuration notes below it says set up the GRE tunnel with the same Source/Destination networks as IPSEC.

    Is this right?

     

    CONFIGURATION NOTES

    Site-to-site IPSEC vpn is configured with source/destination networks on the private Vlans. L2 GRE is configured with the same Source/Destination networks as IPSEC. 

    At headquarter, Controller also has private/public Vlans. Guest users in a private vlan. Guest Vlan is extended to Guest anchor controller through L2 GRE.

    At Datacenter/DMZ, guest anchor controller has both private/public Vlans.



  • 17.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 07:19 AM

    Yes, you should build the l2 gre tunnel between the inner IPs of the IPSEC, so in that case it is correct. So you should not for example set source/destinations network for the gre as the network tunneled over. controller dont care . Depending on what you are trying to achive, you then redirect traffic into that tunnel based on role or similar. I think it was a role config for redirecting traffic into the tunnel in the solution. 

     

    /Jonas

     

     

     

     



  • 18.  RE: ipsec between aruba controllers

    Posted Feb 28, 2018 07:24 AM

    thanks Jonas,

    here's my thinking:-

    Site-site between controllers with the public IP addresses of the headquaters and DMZ as the destination ip.

    GRE tunnel between the controller provate ip addresses.

    how does this sound?

    pete



  • 19.  RE: ipsec between aruba controllers
    Best Answer

    Posted Mar 13, 2018 09:58 AM

    Jonas,

    tried out that solution works just fine thanks for your help.

    cheers

    pete

     



  • 20.  RE: ipsec between aruba controllers

    Posted Mar 13, 2018 10:34 AM

    Please accept the best post(s) as the solution then please. Helps those that come after :)