Under ArubaOS 6.5 I can connect a RAP-109 from a double-NATed private address. Under 8.5 this is failing. Using certificate config on the RAP doesn't work at all. Using username/pw on the RAP, I get multiple short tunnels. What changed? Is there a workaround? Using VMM, hardware 7220, RAP-109. The RAP is coming from a 208.69.x.x address.

Log from controller:
Feb 13 09:18:02 isakmpd[3846]: <103103> <3846> <WARN> |ike| IPSec SA Deletion: IPSEC_delSa SPI:eefd7b00 OppSPI:29c17e00 Dst:208.69.211.228 Src:129.82.168.24 flags:1001 dstPort:0 srcPort:0
# show crypto ipsec sa
208.69.211.228 129.82.168.24 192.168.193.33/32 0.0.0.0/0 UT Feb 14 07:18:08 192.168.193.33
208.69.211.228 129.82.168.24 192.168.193.60/32 0.0.0.0/0 UT Feb 14 08:12:44 192.168.193.60
208.69.211.228 129.82.168.24 192.168.193.57/32 0.0.0.0/0 UT Feb 14 08:06:42 192.168.193.57
208.69.211.228 129.82.168.24 192.168.193.53/32 0.0.0.0/0 UT Feb 14 07:58:40 192.168.193.53
208.69.211.228 129.82.168.24 192.168.193.28/32 0.0.0.0/0 UT Feb 14 07:08:05 192.168.193.28
IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP Responder IP SPI(IN/OUT) Flags Start Time Inner IP
------------ ------------ ---------------- ----- --------------- --------
10.82.168.24 10.82.168.10 a2eba300/c763e700 UT2 Feb 14 09:02:37 -
Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2
l = uplink load-balance
Total IPSEC SAs: 60
Thank you!