We have an AOS 8 environment consisting of a VMM and a pair of 7005 MDs. Originally, we added the local controllers during initial config using an IPsec key, and all worked OK. As we are using this setup for our RAP estate, we have an externally facing interface on both 7005s. One of the requirements from pen-testing was to disable aggressive mode (crypto-local isakmp disable-aggressive-mode), and that led to the warning:
Warning: Disabling Aggressive Mode will impact other sessions which use aggressive mode
like Master-Local IKE session with PSK. Change those sessions to Cert-based
We then tried to change the discovery method to use the factory certificate, but once we did that both controllers started showing as Down on the MM.
I suppose the first question is whether we can use cert-based controller discovery on a virtual MM, and if the answer is yes, the second question will be why our approach failed. Thanks.
To answer your first question: certificate-based IPsec is possible.
The reason why it might fail is trust. Hardware-based controllers like the 7005s will use their TPM-based certificate. But the VMM has neither a TPM chip nor a TPM-based certificate, and here is the mismatch. I described the different options here:
It might be helpful.
Thanks for your reply. I will have a look at your blog and let you know if any of the offered solutions worked for us. Much appreciated.
Great post Florian, thanks. We will use it in future. As it stands we will have to change our VMs for HW appliances.
By using Activate you don't have to. When using Activate for MM discovery, the MD will also download the self-signed CA from Activate so that it trusts the certificate from the VMM.
Great blog Florian. Note you can also use the self-signed cert on the MM as the CA cert, and if the MDs are hardware they can use the factory cert.
crypto pki export ca-cert pem self-signed
This will print out the cert in PEM format. Copy it to a file. In this example I have called it sc-root-ca.
At the folder level, import this cert as a TrustedCA.
Go to the device level in the CLI and apply the following masterip config.
masterip <master-ip> ipsec-custom-cert master-mac-1-c <MM-ma> ca-cert sc-root-ca server-cert factory-cert interface vlan <controller-vlan>
At the MM level you need to add the node.
local-custom-cert local-mac <MD-mac> ca-cert factory-ca-cert server-cert self-signed-field-cert
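The trust relationship behind the steps above, reproduced with throwaway OpenSSL keys. This is an added example and not code from the thread or from Aruba: the three certificates are constructed stand-ins (a "factory CA" and a leaf it issues stand in for the 7005's TPM-backed factory cert and its issuer; a self-signed root stands in for the VMM's self-signed cert), and the names factory-ca, md-factory and mm-selfsigned are this example's own. It shows why the MDs went Down when they trusted only the factory CA, and why importing the exported self-signed cert as a TrustedCA (the sc-root-ca step) fixes it, without touching any controller.

```shell
#!/bin/sh
# Added example: reproduces the Master-Local trust mismatch with local
# OpenSSL keys. Constructed stand-ins, not real Aruba material:
#   factory-ca     -> the factory CA that issues hardware (TPM) certs
#   md-factory     -> a 7005 MD's factory cert, issued by factory-ca
#   mm-selfsigned  -> the VMM's self-signed cert (no TPM, no factory chain)
set -e
WORK=$(mktemp -d)

# Minimal openssl config so the example does not depend on the host's
# default openssl.cnf. ca_ext is only applied by 'req -x509'.
write_cnf() {  # $1 = basename, $2 = CN
  cat > "$WORK/$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = $2
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
}

make_root() {  # $1 = basename, $2 = CN : self-signed root with CA:TRUE
  write_cnf "$1" "$2"
  openssl req -x509 -config "$WORK/$1.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 1 -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

make_leaf() {  # $1 = basename, $2 = CN, $3 = issuing root basename
  write_cnf "$1" "$2"
  openssl req -new -config "$WORK/$1.cnf" -newkey rsa:2048 -nodes -sha256 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 1 -sha256 -out "$WORK/$1.pem" 2>/dev/null
}

# verify_peer TRUSTED PRESENTED: would a peer whose configured ca-cert is
# TRUSTED accept PRESENTED as the other side's server-cert?  Prints ok/fail.
verify_peer() {
  if openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" 2>/dev/null | grep -q ': OK$'; then
    echo ok
  else
    echo fail
  fi
}

make_root factory-ca    "factory-ca-standin"
make_leaf md-factory    "md-7005-factory-cert-standin" factory-ca
make_root mm-selfsigned "vmm-self-signed-standin"

# 1. The original failure: the MD keeps only the factory CA as its trust
#    anchor while the VMM presents a self-signed cert -> no chain, MD shows Down.
echo "MD trusts factory-ca,    MM presents self-signed: $(verify_peer factory-ca mm-selfsigned)"
# 2. The fix from the thread: export the MM's self-signed cert and import it
#    on the MD as a TrustedCA (ca-cert sc-root-ca) -> the same cert now verifies.
echo "MD trusts mm-selfsigned, MM presents self-signed: $(verify_peer mm-selfsigned mm-selfsigned)"
# 3. Reverse direction: MM uses ca-cert factory-ca-cert, MD presents factory-cert.
echo "MM trusts factory-ca,    MD presents factory cert: $(verify_peer factory-ca md-factory)"
# 4. Sanity check: a factory cert is not accepted by a peer that trusts only the VMM cert.
echo "MM trusts mm-selfsigned, MD presents factory cert: $(verify_peer mm-selfsigned md-factory)"
echo "artifacts left in $WORK (the sc-root-ca equivalent is $WORK/mm-selfsigned.pem)"
```

Case 2 is exactly what `crypto pki export ca-cert pem self-signed` followed by the TrustedCA import achieves: the MD's trust store gains the VMM's own cert, so the IKE peer certificate chains to something it trusts. Cases 3 and 4 are why the MM side still needs `ca-cert factory-ca-cert` for hardware MDs rather than the self-signed cert.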
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.