Hi,
I have a problem with the Aruba RAP 205H IPSec tunnel while using the Aruba ACR license and a specific IKE policy.
So, the ACR license is installed on the 7010 controller and I have configured the specific IKE policy with these settings:
IKE V2
Encryption AES256
Hash Algorithm SHA2-256-128
Authentication RSA
Diffie Hellman Group Group20
PRF PRF-HMAC-SHA256
Life Time Default
I have noticed that if I use Hash Algorithm SHA2-256-128 instead of SHA1-96, the RAP cannot build the IPSec tunnel to the controller.
Also, if I use PRF-HMAC-SHA256 instead of PRF-HMAC-SHA1, the RAP cannot build the IPSec tunnel to the controller.
Am I missing something there, or are there some limitations such that the RAP 205H cannot operate an IPSec tunnel with those settings?
Here is a working one:
(nuuskamuikkunen) #show crypto ipsec sa peer 81.20.229.136
Initiator IP: 81.20.229.136
Responder IP: 10.206.134.131
Initiator: No
SA Creation Date: Thu Nov 30 13:53:52 2017
Life secs: 7200
Exchange Type: IKE_SA (IKEV2)
Phase2 Transform:Encryption Alg: AES 256 Authentication Alg: SHA1
Encapsulation Mode Tunnel
IP Compression Disabled
PFS: no
IN SPI: ABE98500, OUT SPI: 98B58D00
CFG Inner-IP 1.1.1.24
Responder IP: 10.206.134.131
(nuuskamuikkunen) #show crypto isakmp sa peer 81.20.229.136
Initiator IP: 81.20.229.136
Responder IP: 10.206.134.131
Initiator: No
Initiator cookie:986718f9510323dd Responder cookie:793b2369bf0e2cdb
SA Creation Date: Thu Nov 30 13:53:52 2017
Life secs: 28800
Initiator Phase1 ID: CN=DN0067150::00:0b:86:f7:54:ca
Responder Phase1 ID: CN=CG0015514::00:0b:86:df:81:60 L=SW
Exchange Type: IKE_SA (IKEV2)
Phase1 Transform:EncrAlg:AES256 HashAlg:HMAC_SHA1_96 DHGroup:20
Authentication Method: RSA Digital Signature 2048-bits
CFG Inner-IP 1.1.1.24
IPSEC SA Rekey Number: 0
Aruba AP
Here is the non-working one:
(nuuskamuikkunen) #show crypto ipsec sa peer 81.20.229.136
% No active IPSEC SA for 81.20.229.136
(nuuskamuikkunen) #show crypto isakmp sa peer 81.20.229.136
Initiator IP: 81.20.229.136
Responder IP: 10.206.134.131
Initiator: No
Initiator cookie:0acba72279694d9e Responder cookie:1b6824b4e76e589d
SA Creation Date: Mon Oct 16 00:04:39 2017
Life secs: 28800
Initiator Phase1 ID:
Responder Phase1 ID:
Exchange Type: IKE_SA (IKEV2)
Phase1 Transform:
IPSEC SA Rekey Number: 0
(nuuskamuikkunen) #