Wireless Access


Access network design for branch, remote, outdoor and campus locations with Aruba access points, and mobility controllers.

crypto-local ipsec-map uplink failover/load-balance/monitor

  • 1.  crypto-local ipsec-map uplink failover/load-balance/monitor

    Posted Jan 16, 2020 09:34 PM

    Could someone explain how the features:

    crypto-local ipsec-map uplink failover

    crypto-local ipsec-map load-balance

    crypto-local ipsec-map monitor

    should work?


    Consider we have a controller with 2 ISPs and we established two tunnels (one for each ISP to a remote VPN gateway)

    will those load-balance or uplink failover feature work and how in this scenario?



  • 2.  RE: crypto-local ipsec-map uplink failover/load-balance/monitor

    Posted Jan 16, 2020 10:03 PM


  • 3.  RE: crypto-local ipsec-map uplink failover/load-balance/monitor

    Posted Jan 17, 2020 02:52 AM

    Frankly speaking, the link you provided relates to uplink load-balance, while I'm asking about:

    crypto-local ipsec-map uplink failover

    crypto-local ipsec-map load-balance

    crypto-local ipsec-map monitor

    As it isn't described anywhere, I'm really not sure whether those crypto commands are related to uplink load-balance, what the prerequisites for those crypto commands to work are, or what the purpose of those crypto commands is.

    It may also be worth mentioning that I'm using the software version currently recommended by support, 8.3.0.10.

    The User Guide for this sw

    https://www.arubanetworks.com/techdocs/ArubaOS_83x_Web_Help/Content/ArubaFrameStyles/Dashboard_Monitoring/WAN.htm

    also states that the WAN uplink status should be available, while there is no such dashboard in this software version.

    [attached image: dash.png]

    Although Health Check, uplink and uplink load-balance are configured:

    [attached images: health.png, uplink.png]

    From CLI:

    uplink enable # inherited from [/mm]
    uplink health-check # inherited from [/mm]
    uplink health-check ip 1.1.1.1 # inherited from [/mm]
    uplink load-balance media-mode # inherited from [/mm]


    When I was trying to set up crypto-local ipsec-map uplink-failover:


    crypto-local ipsec-map azure 1000 # inherited from [/mm]
    uplink-failover

    it causes a Configuration Failure:
    ---------------------
    Command: uplink-failover
    Process: IKE
    Message: Uplink failover not supported with ikev1
    Total Failures: 1




  • 4.  RE: crypto-local ipsec-map uplink failover/load-balance/monitor

    Posted Jan 17, 2020 05:20 AM

    I apologize that I did not understand you and I forwarded an unrelated link before asking you more specific questions.


    Your original post said that you have two ISPs and two tunnels.


    Questions:


    - Are the tunnels terminated on the controllers or are the controllers plugged into two physical circuits or both?  I cannot tell from your diagram.

    - Is this planned, or is it already configured, and how?


    The commands you listed may or may not be the way to go.



  • 5.  RE: crypto-local ipsec-map uplink failover/load-balance/monitor

    Posted Jan 17, 2020 08:26 AM

    There is one controller (7030).

    Int gig 0/0/2 is ISP1

    Int gig 0/0/3 is ISP2

    Tunnels are established from this controller to the Azure VPN gateway.


    The relevant configuration is:

    !

    ip access-list route uplink-lb-cfg-racl
    any network 192.168.210.0 255.255.255.0 any route next-hop-list azure_vpn
    any network 192.168.211.8 255.255.255.248 any route next-hop-list azure_vpn
    any network 192.168.211.0 255.255.255.248 any route next-hop-list azure_vpn
    !
    ip access-list route azure_vpn
    any network 192.168.210.0 255.255.255.0 any route next-hop-list azure_vpn
    any network 192.168.211.0 255.255.255.248 any route next-hop-list azure_vpn
    any network 192.168.211.8 255.255.255.248 any route next-hop-list azure_vpn

    interface gigabitethernet 0/0/2
    description "ISP1"
    trusted
    trusted vlan 1-4094
    no poe
    switchport access vlan 600
    !

    interface gigabitethernet 0/0/3
    description "ISP2"
    trusted
    trusted vlan 1-4094
    no poe
    switchport access vlan 601

    !

    interface gigabitethernet 0/0/4
    description "Test"
    trusted
    trusted vlan 1-4094
    no poe
    switchport access vlan 322

    !

    interface vlan 600
    ip address <public ISP1> 255.255.255.240
    ip nat outside
    description "ISP1"
    !

    interface vlan 601
    ip address <public ISP2> 255.255.255.240
    ip nat outside
    description "ISP2"

    !

    interface vlan 322
    ip address 10.100.1.4 255.255.255.0

    !

    interface tunnel 5
    description "Tunnel azure ISP1"
    tunnel mode gre ip
    tunnel source vlan 600
    tunnel destination <public AzureVPNGateway>
    tunnel keepalive
    tunnel keepalive 1 3
    trusted
    !
    interface tunnel 6
    description "Tunnel azure ISP2"
    tunnel mode gre ip
    tunnel source vlan 601
    tunnel destination <public AzureVPNGateway>
    tunnel keepalive
    tunnel keepalive 1 3
    trusted

    !

    uplink wired vlan 601 uplink-id link2
    priority 100
    !
    uplink wired vlan 600 uplink-id link1

    !

    no uplink wired vlan 1
    uplink enable
    uplink health-check ip 1.1.1.1
    uplink health-check
    uplink load-balance
    uplink load-balance media-mode

    !

    ip default-gateway <ISP1_gateway> 20
    ip default-gateway <ISP2_gateway> 20
    no ip default-gateway import dhcp
    no ip default-gateway import cell
    no ip default-gateway import pppoe
    ip route 192.168.210.0 255.255.255.0 ipsec azure
    ip route 192.168.211.0 255.255.255.248 ipsec azure 10
    ip route 192.168.211.8 255.255.255.248 ipsec azure 10

    !

    ip nexthop-list azure_vpn
    ipsec-map azure priority 20

    ipsec-map azure2 priority 10

    !

    crypto isakmp policy 20
    encryption aes256

    !

    crypto-local isakmp key "******" address <public AzureVPNGateway> netmask 255.255.255.255

    crypto ipsec transform-set azure esp-aes128 esp-sha-hmac

    !

    crypto-local ipsec-map azure 20
    set ikev1-policy 20
    peer-ip <public AzureVPNGateway>
    vlan 600
    src-net vlan 322
    dst-net 192.168.211.0 255.255.255.248
    set transform-set "azure"
    pre-connect
    trusted
    !

    crypto-local ipsec-map azure2 20
    set ikev1-policy 20
    peer-ip <public AzureVPNGateway>
    vlan 601
    src-net vlan 322
    dst-net 192.168.211.8 255.255.255.248
    set transform-set "azure"
    pre-connect
    trusted
    !


    At Azure I have a Vnet with 3 address ranges:

    192.168.210.0 255.255.255.0
    192.168.211.0 255.255.255.248
    192.168.211.8 255.255.255.248

    and there is a test host 192.168.210.132


    This configuration doesn't work.

    What I'm trying to achieve is redundancy between the ISPs.

    When routing through ISP1 is broken, the traffic should go through the tunnel established with ISP2. Preemption, if possible, would also be nice.


    The reason I created

    192.168.211.0 255.255.255.248
    192.168.211.8 255.255.255.248

    was that, to create separate (redundant) crypto-local ipsec-maps, I have to provide a different dst-net.

    Without matching selectors, the tunnels don't come up.


    Azure support told me that they have any-to-any; however, when the controller is not the initiator, it will get e.g.:


    isakmpd[3480]: <103060> <3480> <DBUG> |ike| <public AzureVPNGateway>:500-> ike_quick_mode.c:checkIpsecSelectors:3999 initRange:192.168.210.1 -192.168.210.255 policyRange:192.168.210.0-192.168.210.255 for map azure
    isakmpd[3480]: <103060> <3480> <DBUG> |ike| <public AzureVPNGateway>:500-> ike_quick_mode.c:checkIpsecSelectors:4027 respRange:10.100.1.1 -10.100.1.255 policyRange:10.100.1.0-10.100.1.255 for map azure


    isakmpd[3470]: <103060> <3470> <DBUG> <public AzureVPNGateway>:500-> ike_quick_mode.c:checkIpsecSelectors:3999 initRange:192.168.210.1 -192.168.210.255 policyRange:192.168.211.8-192.168.211.15 for map azure
    isakmpd[3470]: <103035> <3470> <INFO> <name 192.168.222.38> Initiator IKE Phase 2 Identity doesn't match for ipsec-map azure


    When the Aruba controller is the initiator, this would look like e.g.:


    Jan 17 12:35:27 isakmpd[3470]: <103060> <3470> <DBUG> |ike|<public AzureVPNGateway>:500-> ike_quick_mode.c:checkIpsecSelectors:3999 initRange:10.100.1.1 -10.100.1.255 policyRange:10.100.1.0-10.100.1.255 for map azure
    Jan 17 12:35:27 isakmpd[3470]: <103060> <3470> <DBUG> |ike|<public AzureVPNGateway>:500-> ike_quick_mode.c:checkIpsecSelectors:4027 respRange:192.168.211.1 -192.168.211.7 policyRange:192.168.211.0-192.168.211.7 for map azure
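The thread turns on whether the Phase 2 selector the peer proposes fits inside the ipsec-map's policy range. As an added example (not code from the thread, from Aruba or from Azure), the script below parses the `ike_quick_mode.c:checkIpsecSelectors` debug lines quoted above and flags every one whose proposed range (initRange when the peer initiates, respRange when the controller initiates) lies outside the policyRange; that is exactly the case that precedes the "Phase 2 Identity doesn't match" message. The sample log lines are constructed after the ones in the thread, with the documentation address 203.0.113.10 standing in for the gateway.

```python
"""Check ArubaOS isakmpd Phase 2 selector debug lines for mismatches.

Added example, not from the thread or from Aruba. It parses the
ike_quick_mode.c:checkIpsecSelectors debug lines and reports whether the
range proposed by the peer lies inside the local ipsec-map's policyRange.
"""
import ipaddress
import re

# Regex covering the two selector lines (initRange / respRange) as they
# appear in the thread; the stray space before the dash in
# "x.x.x.x -y.y.y.y" is tolerated.
SELECTOR_RE = re.compile(
    r"checkIpsecSelectors:\d+\s+"
    r"(?P<role>initRange|respRange):(?P<lo>[\d.]+)\s*-\s*(?P<hi>[\d.]+)\s+"
    r"policyRange:(?P<plo>[\d.]+)\s*-\s*(?P<phi>[\d.]+)\s+"
    r"for map (?P<map>\S+)"
)

# Constructed sample log, modelled on the lines in the thread. The peer
# address 203.0.113.10 is a placeholder from the documentation range.
SAMPLE_LOG = [
    "isakmpd[3480]: <103060> <3480> <DBUG> |ike| 203.0.113.10:500-> "
    "ike_quick_mode.c:checkIpsecSelectors:3999 initRange:192.168.210.1 -192.168.210.255 "
    "policyRange:192.168.210.0-192.168.210.255 for map azure",
    "isakmpd[3480]: <103060> <3480> <DBUG> |ike| 203.0.113.10:500-> "
    "ike_quick_mode.c:checkIpsecSelectors:4027 respRange:10.100.1.1 -10.100.1.255 "
    "policyRange:10.100.1.0-10.100.1.255 for map azure",
    "isakmpd[3470]: <103060> <3470> <DBUG> 203.0.113.10:500-> "
    "ike_quick_mode.c:checkIpsecSelectors:3999 initRange:192.168.210.1 -192.168.210.255 "
    "policyRange:192.168.211.8-192.168.211.15 for map azure",
    "isakmpd[3470]: <103035> <3470> <INFO> <name 192.168.222.38> "
    "Initiator IKE Phase 2 Identity doesn't match for ipsec-map azure",
]


def _addr(text):
    """Dotted-quad string -> integer, so ranges compare as numbers."""
    return int(ipaddress.IPv4Address(text))


def parse_selector_line(line):
    """Return the parsed selector check from one log line, or None."""
    m = SELECTOR_RE.search(line)
    if m is None:
        return None
    d = m.groupdict()
    return {
        "map": d["map"],
        "role": d["role"],
        "proposed": (d["lo"], d["hi"]),
        "policy": (d["plo"], d["phi"]),
    }


def range_within(inner, outer):
    """True if the (lo, hi) range ``inner`` lies inside ``outer``."""
    return (_addr(outer[0]) <= _addr(inner[0])
            and _addr(inner[1]) <= _addr(outer[1]))


def check_selectors(lines):
    """Evaluate every selector line; each result carries a ``match`` flag."""
    results = []
    for line in lines:
        sel = parse_selector_line(line)
        if sel is None:
            continue  # not a checkIpsecSelectors line (e.g. the INFO line)
        sel["match"] = range_within(sel["proposed"], sel["policy"])
        results.append(sel)
    return results


def mismatches(lines):
    """Human-readable summary of the selector checks that failed."""
    out = []
    for sel in check_selectors(lines):
        if not sel["match"]:
            out.append(
                f"map {sel['map']}: peer {sel['role']} "
                f"{sel['proposed'][0]}-{sel['proposed'][1]} not within policy "
                f"{sel['policy'][0]}-{sel['policy'][1]}"
            )
    return out


if __name__ == "__main__":
    for problem in mismatches(SAMPLE_LOG):
        print(problem)
```

Run against the constructed sample, the first two checks pass (the peer's 192.168.210.1-255 fits the azure map's 192.168.210.0/24 policy, and the controller's 10.100.1.x fits the src-net) and the third is reported, because the peer proposed 192.168.210.0/24 against a map whose dst-net is 192.168.211.8/29; that is the mismatch the following INFO line announces. On a real controller, feed the script the isakmpd lines from the security log instead of SAMPLE_LOG.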