Dynamic Site-to-Site VPN between Mobility Controllers

Site-to-site VPN allows sites at different physical locations to securely communicate with each other over a Layer-3 network such as the Internet. You can use Aruba controllers instead of VPN concentrators to connect the sites. Or, you can use a VPN concentrator at one site and a controller at the other site.


ArubaOS supports site-to-site VPNs with two statically addressed controllers, or with one static and one dynamically addressed controller. By default, site-to-site VPN uses IKE Main-mode with Pre-Shared-Keys to authenticate the IKE SA. This method uses the IP address of the peer, and therefore does not work for dynamically addressed peers.

To support site-to-site VPN with dynamically addressed devices, you must enable IKE Aggressive Mode with authentication based on a pre-shared key. The Aruba controller with a dynamic IP address must be configured as the initiator of IKE Aggressive Mode for the site-to-site VPN, while the controller with a static IP address must be configured as the responder.
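The following Python model illustrates the point made above about why Main Mode with a pre-shared key depends on the peer's IP address while Aggressive Mode does not. It is an added example, not ArubaOS code; the PSK tables, hostnames and addresses are constructed for the illustration.

```python
"""Model of IKEv1 responder PSK selection in Main Mode vs Aggressive Mode.
Added illustration, not ArubaOS code. All addresses, IDs and keys are
constructed for the example."""
import hmac
import hashlib
import os

# Responder's PSK tables (constructed). Main Mode can only key the table
# by peer IP; Aggressive Mode can key it by the IKE identity (e.g. an FQDN)
# carried in the initiator's first message.
PSK_BY_IP = {"203.0.113.10": b"branch-psk-1"}
PSK_BY_ID = {"branch1.example.net": b"branch-psk-1"}


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """RFC 2409 pre-shared-key case: SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return hmac.new(psk, ni + nr, hashlib.sha256).digest()


def main_mode_responder(src_ip: str, ni: bytes, nr: bytes):
    """Main Mode: IDi arrives in message 5, already encrypted under keys
    derived from SKEYID, so the responder must pick the PSK from the
    source IP alone. Returns None when no PSK is mapped for that IP."""
    psk = PSK_BY_IP.get(src_ip)
    return None if psk is None else skeyid_psk(psk, ni, nr)


def aggressive_mode_responder(idi: str, ni: bytes, nr: bytes):
    """Aggressive Mode: IDi is sent in cleartext in message 1, so the PSK
    can be selected by identity regardless of the source address.
    Use a strong, unique PSK per peer since the ID is visible on the wire."""
    psk = PSK_BY_ID.get(idi)
    return None if psk is None else skeyid_psk(psk, ni, nr)


def negotiate(mode: str, src_ip: str, idi: str, psk_initiator: bytes) -> bool:
    """Return True if initiator and responder derive the same SKEYID."""
    ni, nr = os.urandom(16), os.urandom(16)
    if mode == "main":
        resp = main_mode_responder(src_ip, ni, nr)
    else:
        resp = aggressive_mode_responder(idi, ni, nr)
    if resp is None:
        return False
    return hmac.compare_digest(resp, skeyid_psk(psk_initiator, ni, nr))
```

A peer whose address moves from 203.0.113.10 to any other address fails Main Mode but still succeeds in Aggressive Mode, because only the identity must match the responder's table.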


Platform Tested

Aruba Mobility Controller 3400 running AOS build 38660





Lab Topology

Configuration Notes

In most deployments, the Mobility Controllers (MCs) are likely to be installed behind firewalls and intrusion detection or prevention devices. The policy on these devices should allow UDP 4500 to pass through, as this is required for the VPN traffic.



Version history
Revision #: 1 of 1
Last update: 09-17-2014 02:37 PM