Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

RAP IPsec Tunnel questions

  • 1.  RAP IPsec Tunnel questions

    Posted Oct 23, 2019 05:11 PM

    It is my understanding that in a RAP <-www-> MC environment the RAP establishes an IPsec tunnel over the Internet in which it communicates with the controller.

    Are the following scenarios with tunneled mode correct?

    I. The Control Plane Traffic over PAPI is encrypted again inside the aforementioned "outer" IPsec-Tunnel with another IPsec tunnel?


    II. User Traffic from a wired port on the RAP is also encrypted again in another IPsec-Tunnel inside the "outer" IPsec-Tunnel?


    III. User Traffic via WLAN is encrypted by the client itself via WPA2 and is then routed through the "outer" IPsec-Tunnel via a GRE-Tunnel? (If I understood it correctly, there is an option to "double encrypt", so that this WPA2-encrypted traffic can also be encrypted again at the RAP via another IPsec-Tunnel inside the "outer" IPsec-Tunnel).


    IV. If I.-III. are wrong: The RAP establishes an "outer" IPsec-Tunnel and just puts the wired traffic, the Data Plane Traffic and the WLAN Traffic in multiple unencrypted GRE-Tunnels inside the "outer" IPsec-Tunnel?



  • 2.  RE: RAP IPsec Tunnel questions

    EMPLOYEE


  • 3.  RE: RAP IPsec Tunnel questions

    Posted Oct 24, 2019 05:28 AM

    Thx for the link. But it raises more questions. In the Aruba documents it says that wireless traffic is forwarded to the controller via a GRE tunnel since it is already encrypted through WPA. But the traffic that comes from the wired ports of the RAP is encrypted with IPsec at the RAP and then forwarded to the Controller.

    So the question still stands: Is there some kind of "outer" IPsec tunnel and the RAP is using multiple IPsec "inner" Tunnels for forwarding the wired traffic to the controller or is this done via multiple GRE tunnels without encryption since there is already an "outer" IPsec Tunnel?



  • 4.  RE: RAP IPsec Tunnel questions

    EMPLOYEE
    Posted Oct 24, 2019 06:45 AM

    "All GRE traffic, such as, the user data and bootstrap heartbeat, is not encrypted by IPsec, but is still encapsulated by IPsec." A.K.A. The wired traffic is encapsulated with IPsec, not encrypted with IPsec by default. Encapsulation is used so that traffic can traverse a NAT device.


    Encapsulation is not encryption. You would have to enable double encrypt to have wired traffic encrypted with IPsec.



  • 5.  RE: RAP IPsec Tunnel questions

    Posted Jan 03, 2022 06:31 AM

    Hi guys,

    I know this is an old thread, but I think it may serve to others.

    As far as I know, and from what I saw in the ACMP student guide, at least in tunnel mode (and in split-tunnel mode for traffic tunneled to the MC), all wired users' flows are automatically IPsec encrypted by the RAP and decrypted by the MC.

    From the "RAP Tunnel mode WLAN" chapter:

    "The RAP may have extra wired ports, also configured in tunnel mode, to support end-user connectivity. These users are also assigned a corporate IP address. However, their traffic will be encrypted by the RAP with IPsec and decrypted by the MC."

    This is confirmed with the scheme below showing "Wireless encryption done on the client and controller ; Wired encryption on RAP and controller"

    Hope it will help ;)



    ------------------------------
    Sébastien Grimaldos
    ------------------------------