Controllerless Networks

Occasional Contributor II

Re: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

 

Carlos,

 

Update to my last post:

 

I can ping the internal interfaces on my controller, which I'm assuming is through the VPN, since the TOR I show in the diagram cannot route to the other VLANs.  The only way I could ping is if I was on the controller itself.  (I fixed a netmask setting.)

However, like you mentioned, the VPN does not show up in the "show iap table", so something is not 100% working.

It still shows as "up" in the IAP GUI.

 

Attached is the setup.  

 

Thanks,

Colin

 

 

 

Re: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

If it's true that you can ping the internal IP of the controller, then it should be okay....
Let me try to reproduce this with the same firmwares.... to see if for some reason it does not show in the show iap table.

cheers
carlos
----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Occasional Contributor II

Re: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

Carlos,

 

Any luck in reproducing the issue on your end?  

 

I changed my setup slightly, just swapped the firewall and TOR switch I showed in the diagram.  So now it goes IAP > TOR > Firewall > controller.

 

Still have the exact same behavior.  

 

I'm probably going to have to open a case with Aruba Support.   If you do get the time to try this out, I'd still be interested in your results.

 

Thanks,

Colin 

 

Re: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

Sorry, I have been really busy at work... I'll try this weekend!

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

Well, I just did it again with 6.3 on the controller and 6.3.1.2-4.0.0.2_41506 on the Instant.

 

It works just fine.

Just that I notice that the show iap table command is no more!

 

You can check with show crypto ipsec sa:

 

(Office_Alternetworks) #show  crypto ipsec sa

 
IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
172.16.2.30      172.16.3.221     1d540400/763fa300  UT2   Feb  9 19:22:07   172.16.2.30      
172.16.3.254     172.16.3.221     c8479e00/6b5bf00   UT2   Feb  9 18:55:45   172.16.3.254     
190.218.207.8    172.16.3.221     75894400/72c53700  UT2   Feb  9 19:23:17   172.16.3.124     

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 3

(Office_Alternetworks) #

The 190.218.207.8 is my home IP.

 

You can also check this:

You should be able to see the IAP role in the user table.

 

Office_Alternetworks) #show user-table 

Users
-----
    IP              MAC            Name              Role           Age(d:h:m)  Auth  VPN link       AP name            Roaming   Essid/Bssid/Phy                    Profile                 Forward mode  Type   Host Name
----------     ------------       ------             ----           ----------  ----  --------       -------            -------   ---------------                    -------                 ------------  ----   ---------
190.218.205.8  00:00:00:00:00:00                     logon          00:00:18    VPN                  N/A                                                                                     tunnel               
172.29.0.8     00:24:2c:9a:68:5a                     authenticated  50:03:55                         AP_93H_Datacenter  Wireless  Alternetworks/6c:f3:7f:c8:39:e0/g  Alternetworks-aaa_prof  tunnel        Win 7  
172.16.3.124   00:00:00:00:00:00  00:0b:86:8f:6a:1a  iaprole        00:00:10    VPN   190.218.207.8  N/A                                                             default-iap             tunnel               

User Entries: 3/3
 Curr/**bleep** Alloc:5/2065 Free:17/2060 Dyn:22 AllocErr:0 FreeErr:0

(Office_Alternetworks) #

The client that got the iaprole is my Instant AP that is doing the VPN tunnel to the office.

 

I really don't know why you don't see this on your deployment... :( It's working here just fine... and I get all the output I'm expecting... I'm not missing anything...

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp

Re: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

Ah yeah, they also changed how you add a remote whitelist in 6.3; now the command is

(Office_Alternetworks) #whitelist-db rap add mac-address 00:0b:86:8f:6a:1a ap-group iaprole

Good review though... now I know the new commands in 6.3 :)

 

Cheers

Carlos

----------------------------------------------------
Product Manager - Aruba Networks
Alternetworks Corp
Occasional Contributor II

Re: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

Carlos,

 

Thanks for the quick response. 

 

I don't see any issues with my setup, except for the lack of anything showing up in the "show iap table".

I checked the 6.3 documents.  Both the user guide and CLI guide show that this command is supported.  In fact, 6.3 adds to the command and now has a "show iap table long".

 

I do see some intermittent changing of the inner IP address from the DHCP pool.

In your opinion, is this normal?

To me if the ip changes, then that would signify a VPN failure and it gets reestablished again on the next ip address in the range.  If so, then my VPN tunnel may not be stable.

 

My "show user-table" and "show crypto ipsec sa" are showing similar information to yours. 

 

I'll continue with my testing assuming that the VPN is up and running.  I'll also follow up with Aruba Support to see if I can't get to the bottom of the "show iap table" issue.

 

Regards,

Colin
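Two things in this thread lend themselves to a small script: Carlos's suggestion to verify the IAP tunnel with "show crypto ipsec sa", and Colin's worry that an inner IP that keeps changing means the tunnel is being torn down and rebuilt rather than staying up. The Python below is an added example, not code from either poster or from Aruba: it parses the SA table in the column layout quoted above (that layout is an assumption taken from this thread's output, not from Aruba documentation), decodes the flags column with the legend the controller prints, looks up the SA for a given IAP public IP, and diffs two snapshots to separate a plain rekey (SPI pair changed, inner IP kept) from a rebuilt tunnel (inner IP changed). The first snapshot is the output quoted in the thread; the second is constructed for the example.

```python
"""Parse ArubaOS 'show crypto ipsec sa' output and spot IAP VPN tunnels that
were rekeyed or rebuilt between two snapshots.
Column layout assumed from the output quoted in the thread; not an Aruba API."""
import re
from dataclasses import dataclass

# One SA row: initiator, responder, SPI in/out, flags, start time, inner IP.
SA_ROW = re.compile(
    r"^(?P<initiator>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<responder>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<spi_in>[0-9a-f]+)/(?P<spi_out>[0-9a-f]+)\s+"
    r"(?P<flags>\S+)\s+"
    r"(?P<start>[A-Za-z]{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<inner>\d+\.\d+\.\d+\.\d+)\s*$"
)

# Legend exactly as the controller prints it under the table.
FLAG_LEGEND = {
    "T": "Tunnel Mode", "E": "Transport Mode", "U": "UDP Encap",
    "L": "L2TP Tunnel", "N": "Nortel Client", "C": "Client", "2": "IKEv2",
}

@dataclass(frozen=True)
class IpsecSa:
    initiator: str
    responder: str
    spi_in: str
    spi_out: str
    flags: str
    start: str
    inner: str

def parse_ipsec_sa(text):
    """Return the SA rows in 'show crypto ipsec sa' output; headers,
    separators, the legend, totals and the prompt do not match SA_ROW."""
    sas = []
    for line in text.splitlines():
        m = SA_ROW.match(line.strip())
        if m:
            sas.append(IpsecSa(**m.groupdict()))
    return sas

def decode_flags(flags):
    """Expand a flags column such as 'UT2' using the printed legend."""
    return [FLAG_LEGEND.get(c, f"unknown({c})") for c in flags]

def find_sa(sas, peer_ip):
    """Return the SA initiated by the IAP's public IP, or None if absent."""
    return next((sa for sa in sas if sa.initiator == peer_ip), None)

def diff_snapshots(before, after):
    """Compare two parsed snapshots keyed by (initiator, responder).
    Changed inner IP  -> tunnel was rebuilt and got a new pool address.
    Changed SPI pair  -> SA was renegotiated but the tunnel stayed up."""
    key = lambda sa: (sa.initiator, sa.responder)
    old = {key(sa): sa for sa in before}
    new = {key(sa): sa for sa in after}
    events = []
    for k in sorted(set(old) | set(new)):
        if k not in new:
            events.append((k[0], "gone"))
        elif k not in old:
            events.append((k[0], "new"))
        elif old[k].inner != new[k].inner:
            events.append((k[0], "rebuilt"))
        elif (old[k].spi_in, old[k].spi_out) != (new[k].spi_in, new[k].spi_out):
            events.append((k[0], "rekeyed"))
    return events

# Snapshot 1: the output quoted in the thread.
SNAPSHOT_1 = """
IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
172.16.2.30      172.16.3.221     1d540400/763fa300  UT2   Feb  9 19:22:07   172.16.2.30
172.16.3.254     172.16.3.221     c8479e00/6b5bf00   UT2   Feb  9 18:55:45   172.16.3.254
190.218.207.8    172.16.3.221     75894400/72c53700  UT2   Feb  9 19:23:17   172.16.3.124

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 3
"""

# Snapshot 2: constructed for this example, taken "later" on the same box.
SNAPSHOT_2 = """
172.16.2.31      172.16.3.221     0a0b0c00/0d0e0f00  UT2   Feb  9 19:40:02   172.16.2.31
172.16.3.254     172.16.3.221     11223300/44556600  UT2   Feb  9 19:41:10   172.16.3.254
190.218.207.8    172.16.3.221     77889900/aabbcc00  UT2   Feb  9 19:42:33   172.16.3.125
Total IPSEC SAs: 3
"""

if __name__ == "__main__":
    first = parse_ipsec_sa(SNAPSHOT_1)
    sa = find_sa(first, "190.218.207.8")
    print("IAP SA:", sa.inner, decode_flags(sa.flags))
    for peer, event in diff_snapshots(first, parse_ipsec_sa(SNAPSHOT_2)):
        print(f"{peer}: {event}")
```

Run it against two saved captures of the command a few minutes apart: an IAP whose entry keeps coming back as "rebuilt" is dropping and re-establishing its tunnel (and consuming a new inner address each time), whereas "rekeyed" on a stable inner IP is ordinary IPsec lifetime renegotiation and no cause for concern.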

 
