Controller Based WLANs

 View Only
last person joined: one year ago 

APs, Controllers, VIA
Back to Library

How do I connect a private VLAN over the Internet with security? 

Jul 01, 2014 05:48 PM

Product and Software: This article applies to all Aruba controllers and ArubaOS versions. 

Goal:   
Get IP connectivity for user VLAN 10 (same subnet) on both controllers over the Internet. 

Solution:   
•     Site-to-Site VPN does not allow src-net and dst-net to be on the same VLAN, so only Site-to-Site VPN will not work. 
•     The L2 GRE setup provides the tunnel for a single VLAN, but it does not encrypt the traffic, so it is not suitable for traffic going through the Internet. 
•     L2 GRE over Site-to-Site VPN is a solution for connecting an L2 network over the Internet. 

 

GRE_Tunnel.JPG

Aruba West Configuration 

crypto-local isakmp key changeme address 0.0.0.0 netmask 0.0.0.0 

crypto-local ipsec-map aruba-s2s 100 
  peer-ip 207.201.222.34 
  vlan 1 
  src-net 192.168.1.0  255.255.255.252   -->GRE endpoints are src-net and dst-net of the IPsec tunnel 
  dst-net 192.168.2.0 255.255.255.252 
  set transform-set default-transform    
  pre-connect enable 
  trusted enable 

interface vlan 1   ====>the interface to Internet 
       ip address 24.3.200.4 255.255.255.0 
interface vlan 10      ====> user VLAN 
       ip address 10.60.0.1 255.255.255.0 
interface vlan 100 
       ip address 192.168.1.1 255.255.255.252 
       operstate up       ===>this network is only for GRE endpoints, no physical port assigned, need “operstate up” to bring interface up. 
interface tunnel 100 
         tunnel source vlan 100 
        tunnel destination 192.168.2.1 
        tunnel mode gre 1 
        trusted 
        tunnel vlan 10             
        mtu 1400   =====> Must drop 1500 MTU to a smaller one, otherwise it will not work. Extra GRE +IPSEC header will make the packet size bigger than 1518, and the IPsec tunnel will drop it. 
         

Aruba East Configuration 

crypto-local isakmp key changeme address 0.0.0.0 netmask 0.0.0.0 

crypto-local ipsec-map aruba-s2s 100 
  peer-ip 24.3.200.4 
  vlan 1 
  src-net 192.168.2.0 255.255.255.252 
  dst-net 192.168.1.0 255.255.255.252 
  set transform-set default-transform    
  pre-connect enable 
  trusted enable 

interface vlan 1 
                ip address 207.201.222.34 255.255.255.0 
interface vlan 10 
                ip address 10.60.0.2 255.255.255.0 
interface vlan 100 
                ip address 192.168.2.1 255.255.255.252 
                operstate up 
interface tunnel 100 
         tunnel source vlan 100 
        tunnel destination 192.168.1.1 
        tunnel mode gre 1 
        trusted 
        mtu 1400 
        tunnel vlan 10 

Statistics
0 Favorited
4 Views
0 Files
0 Shares
0 Downloads

Related Entries and Links

No Related Resource entered.