Introduction :
There are use cases where a WLAN administrator would like to delete inactive VPN client entries from the user-table, in order to check whether the clients re-establish and form IPSec again.
Environment :
This article applies to Aruba Mobility Controllers running any version of ArubaOS.
Configuration Steps :
When a VPN client establishes an IPSec tunnel, it forms IN and OUT tunnels in the datapath tunnel table, as shown below:
(Aruba) #show datapath tunnel table
Datapath Tunnel Table Entries
-----------------------------
Flags: E - Ether encap, I - Wi-Fi encap, R - Wired tunnel, F - IP fragment OK
W - WEP, K - TKIP, A - AESCCM, G - AESGCM, M - no mcast src filtering
S - Single encrypt, U - Untagged, X - Tunneled node, 1(cert-id) - 802.1X Term-PEAP
2(cert-id) - 802.1X Term-TLS, T - Trusted, L - No looping, d - Drop Bcast/Mcast,
D - Decrypt tunnel, a - Reduce ARP packets in the air, e - EAPOL only
C - Prohibit new calls, P - Permanent, m - Convert multicast
n - Convert RAs to unicast(VLAN Pooling/L3 Mobility enabled), s - Split tunnel
V - enforce user vlan(open clients only)
H - Standby (HA-Lite)
# Source Destination Prt Type MTU VLAN Acls BSSID Decaps Encaps Heartbeats Cpu QSz Flags
------ -------------- -------------- --- ---- ---- ---- ------------------- ----------------- ---------- ---------- ---------- --- --- ----- -
12 SPIC00F6200out 192.168.112.6 50 IPSE 1500 0 routeDest 0000 0 1077
11 192.168.113.2 192.168.112.6 47 1 1200 0 0 0 2 0 00:00:00:00:00:00 789 20 0 23 0 TEFPR
13 SPIE1096500 in 192.168.113.2 50 IPSE 1500 0 routeDest 0000 1077 0
If an administrator wants to tear down the IPSec session for a given peer, the following command clears it:
(Aruba) # clear crypto ipsec sa peer <Peer IP address>
Once the IPSec tunnels are cleared, the corresponding VPN entries are subsequently deleted from the user-table.
Verification :
To check whether the VPN entries still exist, use the command "show user-table verbose | include <Initiator ip>". If the entry is present again after the clear, the client has re-established IPSec.
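As an added example (not from this article or from Aruba), the Python below parses the "show datapath tunnel table" output quoted above, picks out the IPSec (protocol 50, type IPSE) SPI rows, derives the peer address to use with "clear crypto ipsec sa peer", and mirrors the "show user-table verbose | include <Initiator ip>" verification step. It assumes the Destination column of the "out" SPI row is the remote VPN client's address; the tunnel table rows are copied from the article and the user-table lines are constructed for illustration.

```python
import re

# Tunnel table rows taken from the article's sample output (legend lines omitted).
SAMPLE_TUNNEL_TABLE = """\
# Source Destination Prt Type MTU VLAN Acls BSSID Decaps Encaps Heartbeats Cpu QSz Flags
12 SPIC00F6200out 192.168.112.6 50 IPSE 1500 0 routeDest 0000 0 1077
11 192.168.113.2 192.168.112.6 47 1 1200 0 0 0 2 0 00:00:00:00:00:00 789 20 0 23 0 TEFPR
13 SPIE1096500 in 192.168.113.2 50 IPSE 1500 0 routeDest 0000 1077 0
"""

# Constructed user-table lines (illustrative only, not real ArubaOS column layout).
SAMPLE_USER_TABLE = """\
192.168.112.6 00:00:00:00:00:00 vpnuser1 default-vpn-role 00:00:05 VPN
192.168.50.21 aa:bb:cc:dd:ee:ff wifiuser1 authenticated 00:02:11 802.1x
"""

# Matches "SPI<hex>in" / "SPI <hex> out" variants, then Destination, Prt and Type.
SPI_ROW = re.compile(
    r"^\s*(?P<idx>\d+)\s+SPI\s*(?P<spi>[0-9A-Fa-f]+)\s*(?P<dir>in|out)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<prt>\d+)\s+(?P<type>\S+)"
)

def parse_ipsec_tunnels(output):
    """Return the IPSec (ESP, protocol 50, type IPSE) SPI rows as dicts."""
    rows = []
    for line in output.splitlines():
        m = SPI_ROW.match(line)
        if m and m.group("prt") == "50" and m.group("type") == "IPSE":
            rows.append({"idx": int(m.group("idx")), "spi": m.group("spi").upper(),
                         "dir": m.group("dir"), "dst": m.group("dst")})
    return rows

def ipsec_peers(output):
    """Peer addresses: Destination of each 'out' SPI row (assumption, see lead-in)."""
    return sorted({r["dst"] for r in parse_ipsec_tunnels(output) if r["dir"] == "out"})

def clear_commands(output):
    """Build the article's clear command for every IPSec peer found."""
    return [f"clear crypto ipsec sa peer {peer}" for peer in ipsec_peers(output)]

def session_present(user_table_output, initiator_ip):
    """Mirror '| include <Initiator ip>'. The CLI does a plain substring match;
    this version anchors the address so 192.168.112.6 does not match 192.168.112.60."""
    pattern = re.compile(r"(?<![\d.])" + re.escape(initiator_ip) + r"(?![\d.])")
    return any(pattern.search(line) for line in user_table_output.splitlines())
```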