Product and Software: This article applies to all Aruba controllers and ArubaOS versions.

Goal: Get IP connectivity for user VLAN 10 (same subnet) on both controllers over the Internet.

Solution:
• Site-to-Site VPN does not allow src-net and dst-net to be on the same VLAN, so Site-to-Site VPN alone will not work.
• The L2 GRE setup provides a tunnel for a single VLAN, but it does not encrypt the traffic, so it is not suitable for traffic crossing the Internet.
• L2 GRE over Site-to-Site VPN is the solution for connecting an L2 network over the Internet: GRE carries the VLAN, and IPsec encrypts the GRE traffic.
Aruba West Configuration

  crypto-local isakmp key changeme address 0.0.0.0 netmask 0.0.0.0
  crypto-local ipsec-map aruba-s2s 100
    peer-ip 207.201.222.34
    vlan 1
    src-net 192.168.1.0 255.255.255.252   ===> the GRE endpoints are the src-net and dst-net of the IPsec tunnel
    dst-net 192.168.2.0 255.255.255.252
    set transform-set default-transform
    pre-connect enable
    trusted enable
  interface vlan 1                          ===> the interface to the Internet
    ip address 24.3.200.4 255.255.255.0
  interface vlan 10                         ===> user VLAN
    ip address 10.60.0.1 255.255.255.0
  interface vlan 100
    ip address 192.168.1.1 255.255.255.252
    operstate up                            ===> this network is only for the GRE endpoints; no physical port is assigned, so "operstate up" is needed to bring the interface up
  interface tunnel 100
    tunnel source vlan 100
    tunnel destination 192.168.2.1
    tunnel mode gre 1
    trusted
    tunnel vlan 10
    mtu 1400                                ===> the 1500 MTU must be lowered, otherwise it will not work: the extra GRE + IPsec headers make the packet bigger than 1518 bytes and the IPsec tunnel drops it

Aruba East Configuration

  crypto-local isakmp key changeme address 0.0.0.0 netmask 0.0.0.0
  crypto-local ipsec-map aruba-s2s 100
    peer-ip 24.3.200.4
    vlan 1
    src-net 192.168.2.0 255.255.255.252
    dst-net 192.168.1.0 255.255.255.252
    set transform-set default-transform
    pre-connect enable
    trusted enable
  interface vlan 1
    ip address 207.201.222.34 255.255.255.0
  interface vlan 10
    ip address 10.60.0.2 255.255.255.0
  interface vlan 100
    ip address 192.168.2.1 255.255.255.252
    operstate up
  interface tunnel 100
    tunnel source vlan 100
    tunnel destination 192.168.1.1
    tunnel mode gre 1
    trusted
    mtu 1400
    tunnel vlan 10
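The "mtu 1400" note above is the one place this setup fails silently if skipped, so here is an added calculator (not from the Aruba article) that works out the on-the-wire size of a user packet after L2 GRE and then ESP tunnel-mode encapsulation, and the largest tunnel MTU that still fits a 1500-byte Internet interface. Header sizes are standard IPv4/GRE/ESP values; the choice of 3DES + HMAC-SHA1 for "default-transform", an untagged inner Ethernet frame, and the optional NAT-T flag are assumptions, not details from the article.

```python
# Added example: size of a user packet after L2 GRE + ESP tunnel mode.
# Assumption: "default-transform" is taken to be ESP 3DES-CBC / HMAC-SHA1-96;
# pick another entry from TRANSFORMS if the controllers negotiate something else.

ETH_HDR = 14   # Ethernet header (1518-byte frame = 1500 payload + 14 + 4-byte FCS)
IP_HDR = 20    # IPv4 header without options
GRE_HDR = 4    # basic GRE header (no key or sequence fields)

# transform name -> (cipher block size, IV length, ICV length), all in bytes
TRANSFORMS = {
    "esp-3des-sha": (8, 8, 12),         # 3DES-CBC, HMAC-SHA1-96
    "esp-aes128-sha": (16, 16, 12),     # AES-128-CBC, HMAC-SHA1-96
    "esp-aes256-sha256": (16, 16, 16),  # AES-256-CBC, HMAC-SHA256-128
}

def esp_tunnel_size(inner_len, transform="esp-3des-sha", nat_t=False):
    """Outer IPv4 length after ESP tunnel-mode encapsulation (RFC 4303):
    new IP header, [UDP for NAT-T, RFC 3948], SPI+seq, IV, payload padded
    to the cipher block size together with the 2-byte trailer, then ICV."""
    block, iv, icv = TRANSFORMS[transform]
    padded = -(-(inner_len + 2) // block) * block   # ceil to block size
    return IP_HDR + (8 if nat_t else 0) + 8 + iv + padded + icv

def gre_tunnel_size(user_frame_len):
    """Outer IPv4 length of an L2 GRE packet ("tunnel vlan 10") carrying one
    user Ethernet frame: delivery IP header + GRE header + inner frame."""
    return IP_HDR + GRE_HDR + user_frame_len

def wire_size(inner_ip_len, transform="esp-3des-sha", nat_t=False):
    """Bytes of the Ethernet frame sent toward the Internet for one user IP
    packet of inner_ip_len bytes (untagged inner frame assumed)."""
    user_frame = ETH_HDR + inner_ip_len
    return ETH_HDR + esp_tunnel_size(gre_tunnel_size(user_frame), transform, nat_t)

def max_tunnel_mtu(outer_mtu=1500, transform="esp-3des-sha", nat_t=False):
    """Largest inner IP MTU whose encapsulated IP packet still fits outer_mtu."""
    mtu = outer_mtu
    while wire_size(mtu, transform, nat_t) - ETH_HDR > outer_mtu:
        mtu -= 1
    return mtu

if __name__ == "__main__":
    for mtu in (1500, 1400):
        print(f"inner MTU {mtu}: {wire_size(mtu)} bytes on the wire")   # 1606, 1502
    print("largest tunnel MTU without NAT-T:", max_tunnel_mtu())       # 1408
    print("largest tunnel MTU with NAT-T:", max_tunnel_mtu(nat_t=True))  # 1400
```

With the assumed transform a 1500-byte user packet becomes a 1606-byte frame, well over 1518, while 1400 leaves a small margin even when the IPsec peers fall back to NAT-T.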
© Copyright 2024 Hewlett Packard Enterprise Development LP. All Rights Reserved.