Could someone explain how the following features work:
crypto-local ipsec-map uplink failover
crypto-local ipsec-map load-balance
crypto-local ipsec-map monitor
Consider we have a controller with 2 ISPs and we have established two tunnels (one for each ISP to a remote VPN gateway).
Will the load-balance or uplink failover features work in this scenario, and how?
What you are looking for might be here: https://www.arubanetworks.com/techdocs/ArubaOS_85_Web_Help/Content/arubaos-solutions/branchoffice/upli-moni-load-bala.htm?Highlight=uplink%20manager
Frankly speaking, the link you provided relates to uplink load-balance, while I'm asking about:
crypto-local ipsec-map monitor
As it isn't described anywhere, I'm really not sure whether those crypto commands are related to uplink load-balance, what the prerequisites are for those crypto commands to work, or what the purpose of those crypto commands is.
It may also be worth mentioning that I'm using the software version currently recommended by support, 126.96.36.199.
The User Guide for this sw also states that the WAN uplink status should be available, while there is no such dashboard in this sw.
Although Health Check & uplink & uplink load-balance are configured:
uplink enable # inherited from [/mm]
uplink health-check # inherited from [/mm]
uplink health-check ip 188.8.131.52 # inherited from [/mm]
uplink load-balance media-mode # inherited from [/mm]
When I was trying to set up crypto-local ipsec-map uplink-failover:
crypto-local ipsec-map azure 1000 # inherited from [/mm]
uplink-failover
it causes a Configuration Failure:
Configuration Failure
---------------------
Command: uplink-failover
Process: IKE
Message: Uplink failover not supported with ikev1
Total Failures: 1
I apologize that I did not understand you and forwarded an unrelated link before asking you more specific questions.
Your original post said that you have two ISPs and two tunnels.
- Are the tunnels terminated on the controllers, or are the controllers plugged into two physical circuits, or both? I cannot tell from your diagram.
- Is this planned, or is it already configured, and how?
The commands you listed may or may not be the way to go.
There is one controller (7030).
Int gig 0/0/2 is ISP1
Int gig 0/0/3 is ISP2
Tunnels are established from this controller to the Azure VPN gateway.
The relevant configuration is:
ip access-list route uplink-lb-cfg-racl
  any network 192.168.210.0 255.255.255.0 any route next-hop-list azure_vpn
  any network 192.168.211.8 255.255.255.248 any route next-hop-list azure_vpn
  any network 192.168.211.0 255.255.255.248 any route next-hop-list azure_vpn
!
ip access-list route azure_vpn
  any network 192.168.210.0 255.255.255.0 any route next-hop-list azure_vpn
  any network 192.168.211.0 255.255.255.248 any route next-hop-list azure_vpn
  any network 192.168.211.8 255.255.255.248 any route next-hop-list azure_vpn
!
interface gigabitethernet 0/0/2
  description "ISP1"
  trusted
  trusted vlan 1-4094
  no poe
  switchport access vlan 600
!
interface gigabitethernet 0/0/3
  description "ISP2"
  trusted
  trusted vlan 1-4094
  no poe
  switchport access vlan 601
!
interface gigabitethernet 0/0/4
  description "Test"
  trusted
  trusted vlan 1-4094
  no poe
  switchport access vlan 322
!
interface vlan 600
  ip address <public ISP1> 255.255.255.240
  ip nat outside
  description "ISP1"
!
interface vlan 601
  ip address <public ISP2> 255.255.255.240
  ip nat outside
  description "ISP2"
!
interface vlan 322
  ip address 10.100.1.4 255.255.255.0
!
interface tunnel 5
  description "Tunnel azure ISP1"
  tunnel mode gre ip
  tunnel source vlan 600
  tunnel destination <public AzureVPNGateway>
  tunnel keepalive
  tunnel keepalive 1 3
  trusted
!
interface tunnel 6
  description "Tunnel azure ISP2"
  tunnel mode gre ip
  tunnel source vlan 601
  tunnel destination <public AzureVPNGateway>
  tunnel keepalive
  tunnel keepalive 1 3
  trusted
!
uplink wired vlan 601 uplink-id link2
  priority 100
!
uplink wired vlan 600 uplink-id link1
!
no uplink wired vlan 1
uplink enable
uplink health-check ip 184.108.40.206
uplink health-check
uplink load-balance
uplink load-balance media-mode
!
ip default-gateway <ISP1_gateway> 20
ip default-gateway <ISP2_gateway> 20
no ip default-gateway import dhcp
no ip default-gateway import cell
no ip default-gateway import pppoe
ip route 192.168.210.0 255.255.255.0 ipsec azure
ip route 192.168.211.0 255.255.255.248 ipsec azure 10
ip route 192.168.211.8 255.255.255.248 ipsec azure 10
!
ip nexthop-list azure_vpn
  ipsec-map azure priority 20
  ipsec-map azure2 priority 10
!
crypto isakmp policy 20
  encryption aes256
!
crypto-local isakmp key "******" address <public AzureVPNGateway> netmask 255.255.255.255
crypto ipsec transform-set azure esp-aes128 esp-sha-hmac
!
crypto-local ipsec-map azure 20
  set ikev1-policy 20
  peer-ip <public AzureVPNGateway>
  vlan 600
  src-net vlan 322
  dst-net 192.168.211.0 255.255.255.248
  set transform-set "azure"
  pre-connect
  trusted
!
crypto-local ipsec-map azure2 20
  set ikev1-policy 20
  peer-ip <public AzureVPNGateway>
  vlan 601
  src-net vlan 322
  dst-net 192.168.211.8 255.255.255.248
  set transform-set "azure"
  pre-connect
  trusted
!
At Azure I have a Vnet with 3 address ranges:
192.168.210.0 255.255.255.0
192.168.211.0 255.255.255.248
192.168.211.8 255.255.255.248
and there is a test host 192.168.210.132.
This configuration doesn't work.
What I'm trying to achieve is redundancy between the ISPs.
When routing through ISP1 is broken, the traffic should go through the tunnel established over ISP2. Preemption, if possible, would also be nice.
The reason I created
192.168.211.0 255.255.255.248
192.168.211.8 255.255.255.248
was that, to create separate (redundant) crypto-local ipsec-maps, I have to provide different dst-net.
Without matching selectors the tunnels don't come up.
Azure support told me that they have any-to-any; however, if the controller is not the initiator, it will get e.g.:
isakmpd: <103060> <3480> <DBUG> |ike| <public AzureVPNGateway>:500-> ike_quick_mode.c:checkIpsecSelectors:3999 initRange:192.168.210.1 -192.168.210.255 policyRange:192.168.210.0-192.168.210.255 for map azure
isakmpd: <103060> <3480> <DBUG> |ike| <public AzureVPNGateway>:500-> ike_quick_mode.c:checkIpsecSelectors:4027 respRange:10.100.1.1 -10.100.1.255 policyRange:10.100.1.0-10.100.1.255 for map azure
isakmpd: <103060> <3470> <DBUG> <public AzureVPNGateway>:500-> ike_quick_mode.c:checkIpsecSelectors:3999 initRange:192.168.210.1 -192.168.210.255 policyRange:192.168.211.8-192.168.211.15 for map azure
isakmpd: <103035> <3470> <INFO> <name 192.168.222.38> Initiator IKE Phase 2 Identity doesn't match for ipsec-map azure
When the Aruba controller is the initiator, this looks like e.g.:
Jan 17 12:35:27 isakmpd: <103060> <3470> <DBUG> |ike|<public AzureVPNGateway>:500-> ike_quick_mode.c:checkIpsecSelectors:3999 initRange:10.100.1.1 -10.100.1.255 policyRange:10.100.1.0-10.100.1.255 for map azure
Jan 17 12:35:27 isakmpd: <103060> <3470> <DBUG> |ike|<public AzureVPNGateway>:500-> ike_quick_mode.c:checkIpsecSelectors:4027 respRange:192.168.211.1 -192.168.211.7 policyRange:192.168.211.0-192.168.211.7 for map azure
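An added example, not part of this thread or of Aruba's code, that parses isakmpd checkIpsecSelectors lines like the ones quoted above and flags every peer proposal whose range falls outside the local ipsec-map policyRange (the condition that precedes the "Phase 2 Identity doesn't match" message). The sample log lines inside it are constructed from the ones in the thread, with <peer> standing in for the gateway address.

```python
import ipaddress
import re

# Selector-check lines from ike_quick_mode.c:checkIpsecSelectors. The peer's proposal is
# initRange (peer initiates) or respRange (controller initiates); policyRange is the local map.
SELECTOR_RE = re.compile(
    r"checkIpsecSelectors:\d+\s+"
    r"(?P<kind>initRange|respRange):(?P<p_lo>[\d.]+)\s*-\s*(?P<p_hi>[\d.]+)\s+"
    r"policyRange:(?P<l_lo>[\d.]+)\s*-\s*(?P<l_hi>[\d.]+)\s+for map (?P<map>\S+)"
)

def parse_selector_line(line):
    """Return the parsed fields of one checkIpsecSelectors line, or None for any other line."""
    m = SELECTOR_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "map": d["map"],
        "kind": d["kind"],
        "proposed": (ipaddress.IPv4Address(d["p_lo"]), ipaddress.IPv4Address(d["p_hi"])),
        "policy": (ipaddress.IPv4Address(d["l_lo"]), ipaddress.IPv4Address(d["l_hi"])),
    }

def range_matches(proposed, policy):
    """A proposal is acceptable only if it lies entirely inside the local policy range."""
    return policy[0] <= proposed[0] and proposed[1] <= policy[1]

def find_selector_mismatches(lines):
    """Return (map, kind, proposed, policy) for every proposal outside its policy range."""
    found = []
    for line in lines:
        rec = parse_selector_line(line)
        if rec and not range_matches(rec["proposed"], rec["policy"]):
            found.append((rec["map"], rec["kind"],
                          "%s-%s" % rec["proposed"], "%s-%s" % rec["policy"]))
    return found

# Constructed sample, modelled on the isakmpd lines quoted in the thread; <peer> is a placeholder.
SAMPLE_LOG = [
    "isakmpd: <103060> <3480> <DBUG> |ike| <peer>:500-> ike_quick_mode.c:checkIpsecSelectors:3999 initRange:192.168.210.1 -192.168.210.255 policyRange:192.168.210.0-192.168.210.255 for map azure",
    "isakmpd: <103060> <3480> <DBUG> |ike| <peer>:500-> ike_quick_mode.c:checkIpsecSelectors:4027 respRange:10.100.1.1 -10.100.1.255 policyRange:10.100.1.0-10.100.1.255 for map azure",
    "isakmpd: <103060> <3470> <DBUG> <peer>:500-> ike_quick_mode.c:checkIpsecSelectors:3999 initRange:192.168.210.1 -192.168.210.255 policyRange:192.168.211.8-192.168.211.15 for map azure",
    "isakmpd: <103035> <3470> <INFO> Initiator IKE Phase 2 Identity doesn't match for ipsec-map azure",
]

if __name__ == "__main__":
    for map_name, kind, proposed, policy in find_selector_mismatches(SAMPLE_LOG):
        print(f"map {map_name}: peer {kind} {proposed} is outside local policy {policy}")
```

Run against the output of the controller's IKE debug log to see at once which map and which side's selector is the one that does not fit; the same check applies whichever side initiates.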
© Copyright 2020 Hewlett Packard Enterprise Development LP. All Rights Reserved.