Occasional Contributor II

how can i get the IPsec preshared key of the master controller

Hi all,

I'm new to the Aruba world. We have a master controller (192.168.1.148) that's running fine, and I need to set up a local controller (192.168.1.149) and configure redundancy. The problem is that I don't know the IPsec preshared key that is configured on the master controller. I tried to use `encrypt disable`, but I didn't know where to look in the running config:

I have the below config on the master:

Crypto Map "default-psk-redundant-master-ipsecmap" 9999 ipsec-isakmp
Crypto Map Template"default-psk-redundant-master-ipsecmap" 9999
         IKE Version: 1
         IKEv1 Policy: All
         Security association lifetime seconds : [300 -86400]
         Security association lifetime kilobytes: N/A
         PFS (Y/N): N
         Transform sets={ default-ml-transform }
         Peer gateway: 192.168.1.149
         Interface: VLAN 0
         Source network: 192.168.1.148/255.255.255.255
         Destination network: 192.168.1.149/255.255.255.255
         Pre-Connect (Y/N): Y
         Tunnel Trusted (Y/N): Y
         Forced NAT-T (Y/N): N
         Uplink Failover (Y/N): N
         Force-Tunnel-Mode (Y/N): N
         IP Compression (Y/N): N

How can I get the preshared key from the master? If I need to use `encrypt enable`, which part of the config do I need to look at? Thank you in advance.

MVP Guru

Re: how can i get the IPsec preshared key of the master controller

You are correct on the 'encrypt disable' to see the key; however, you will need to look for the 'localip' command to find the key. Just a note, the Master-Local relationship can also be configured using the MACs of each device as well.

 

https://www.arubanetworks.com/techdocs/ArubaOS_61/ArubaOS_61_CLI/localip.htm


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Occasional Contributor II

Re: how can i get the IPsec preshared key of the master controller

Hi,

Thank you for your answer. However, when I do `encrypt disable` then `show localip`, I got nothing:

(WW-CTRLR-BCKUP) #encrypt disable
(WW-CTRLR-BCKUP) #show localip


Local Switches configured by Local Switch IP
---------------------------------------------
Switch IP address of the Local Key
------------------------------ ---

 

MVP Guru

Re: how can i get the IPsec preshared key of the master controller

If you have no locals configured already, just create a new shared key and use that :)

ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Occasional Contributor II

Re: how can i get the IPsec preshared key of the master controller

Hi zalion0,

Thank you for your answer, but there is already a site-to-site VPN configured between the controllers, so there must be a preshared key configured, isn't there? My question is how to get that key instead of creating a new one, if that is possible.

Occasional Contributor II

Re: how can i get the IPsec preshared key of the master controller

Hi Zalion0,

Just to add one more thing: once I check the site-to-site VPN configuration between the two controllers, I can see the below:

(WW-CTRLR-BCKUP) #show crypto-local ipsec-map

Crypto Map Template"default-psk-redundant-master-ipsecmap" 9999
IKE Version: 1
IKEv1 Policy: All
Security association lifetime seconds : [300 -86400]
Security association lifetime kilobytes: N/A
PFS (Y/N): N
Transform sets={ default-ml-transform }
Peer gateway: 192.168.1.149
Interface: VLAN 0
Source network: 192.168.1.148/255.255.255.255
Destination network: 192.168.1.149/255.255.255.255
Pre-Connect (Y/N): Y
Tunnel Trusted (Y/N): Y
Forced NAT-T (Y/N): N
Uplink Failover (Y/N): N
Force-Tunnel-Mode (Y/N): N
IP Compression (Y/N): N

 

However, when I try to display the preshared key for that VPN, I got nothing:

(WW-CTRLR-BCKUP) #show crypto-local isakmp key


ISAKMP Local Pre-Shared keys configured for ANY FQDN
-----------------------------------------------------
Key Representation
--- --------------

ISAKMP Local Pre-Shared keys configured by FQDN
------------------------------------------------
FQDN of the host Key Representation
---------------- --- --------------

ISAKMP Local Pre-Shared keys configured by Address
---------------------------------------------------
IP address of the host Subnet Mask Length Key Representation
---------------------- ------------------ --- --------------

ISAKMP Global Pre-Shared keys configured by Address
----------------------------------------------------
IP address of the host Subnet Mask Length Key Representation
---------------------- ------------------ --- --------------

 

So I'm really not sure what to do now. Will configuring a new preshared key using the localip command overwrite the preshared key configured between the two controllers and solve the connectivity issue? Thank you in advance for your answer.

 

MVP Guru

Re: how can i get the IPsec preshared key of the master controller

These might not be using a PSK for the Master-Local IPSEC; you can use a MAC (based on cert as well). So it would be worth checking this too. This command is run from the master.

 

(Aruba620) #show running-config | include local-factory-cert
Building Configuration...
local-factory-cert local-mac "xx:xx:xx:xx:xx:xx"
local-factory-cert local-mac "xx:xx:xx:xx:xx:xx"

To confirm you have Locals attached, you can also run the following:

 

#show switches

Just a note, looking at your Crypto Map, this is showing as Master Redundancy (e.g. Master/Master Backup) as opposed to Master-Local.

 

Crypto Map Template"default-local-master-ipsecmap-xx:xx:xx:xx:xx:xx" 9999

Again, this is only based on snippets of config.


ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
Occasional Contributor II

Re: how can i get the IPsec preshared key of the master controller

Hi Zalion0,

Thank you for your answer, but they are using an IPSec key for authentication, because that's checked in the web GUI of the master controller.

But I executed the commands you provided, and there was no certificate in use:
(WW-CTRLR-BCKUP) (config) #show running-config | include local-factory-cert
Building Configuration...
(WW-CTRLR-BCKUP) (config) #show switches

All Switches
------------
IP Address     Name            Location          Type    Model     Version        Status  Configuration State  Config Sync Time (sec)  Config ID
----------     ----            --------          ----    -----     -------        ------  -------------------  ----------------------  ---------
192.168.1.148  WW-CTRLR-BCKUP  Building1.floor1  master  OAW-4450  6.5.4.9_67129  up      UPDATE SUCCESSFUL    0                       2

Total Switches:1
 
What do you suggest? Do I configure a new local preshared key using the localip command, or is there something else we can do? Thank you in advance.
MVP Guru

Re: how can i get the IPsec preshared key of the master controller

Based on the show switches output you provided, there are no locals connected.


This will provide you further information.

 

https://community.arubanetworks.com/t5/Controller-Based-WLANs/Explanation-about-quot-show-switches-summary-quot-command-and-it/ta-p/215239

 

On the other controller, if you run show switches do you see the same output?

 

If you cannot remember the key, then you will need to change it and also change it on any local controllers.

 

You can run the below command on each of the controllers to identify if it is a Master, Master Standby or a Local

 

#show roleinfo

ACMP, ACSA, ACDX #985
If my post addresses your query, give kudos:)
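
Added example (not part of any post in this thread, and not Aruba code): a small Python helper that runs the checks discussed above over pasted CLI output, reporting which kind of crypto map is present, whether any `local-factory-cert local-mac` entries exist, and whether `show switches` lists a local. The function names, the `show switches` type string "local", and the second sample capture are assumptions made for illustration.

```python
import re

MAP_RE = re.compile(r'Crypto Map Template\s*"([^"]+)"')
CERT_RE = re.compile(r'^[ \t]*local-factory-cert\s+local-mac\s+"([^"]+)"', re.M)
# `show switches` row: IP, name, location, type (assumes no spaces in name/location).
ROW_RE = re.compile(
    r'^[ \t]*(\d{1,3}(?:\.\d{1,3}){3})[ \t]+(\S+)[ \t]+\S+[ \t]+(\S+)', re.M)

# Prefixes of the two crypto map templates quoted in the thread.
MAP_KINDS = {
    "default-psk-redundant-master-ipsecmap": "master-redundancy",
    "default-local-master-ipsecmap": "master-local",
}

def classify_map(name):
    for prefix, kind in MAP_KINDS.items():
        if name.startswith(prefix):
            return kind
    return "unknown"

def triage(capture):
    """Summarise pasted CLI output: map kinds, cert-based MACs, attached locals."""
    switches = ROW_RE.findall(capture)
    return {
        "maps": {n: classify_map(n) for n in MAP_RE.findall(capture)},
        "cert_macs": CERT_RE.findall(capture),
        "switches": switches,
        # Assumption: locals show the type string "local"; the thread only shows "master".
        "locals_attached": any(kind == "local" for _, _, kind in switches),
    }

# Lines copied from the outputs posted in the thread.
THREAD_CAPTURE = '''\
Crypto Map Template"default-psk-redundant-master-ipsecmap" 9999
Peer gateway: 192.168.1.149
(WW-CTRLR-BCKUP) (config) #show running-config | include local-factory-cert
Building Configuration...
192.168.1.148 WW-CTRLR-BCKUP Building1.floor1 master OAW-4450 6.5.4.9_67129 up UPDATE SUCCESSFUL 0 2
'''

# Constructed sample (not from the thread): cert-based master-local with one local attached.
CONSTRUCTED_CAPTURE = '''\
Crypto Map Template"default-local-master-ipsecmap-xx:xx:xx:xx:xx:xx" 9999
local-factory-cert local-mac "xx:xx:xx:xx:xx:xx"
192.0.2.10 CTRL-A site-a master MODEL-X 0.0.0 up UPDATE SUCCESSFUL 0 2
192.0.2.11 CTRL-B site-b local MODEL-X 0.0.0 up UPDATE SUCCESSFUL 0 2
'''

if __name__ == "__main__":
    for label, text in (("thread", THREAD_CAPTURE), ("constructed", CONSTRUCTED_CAPTURE)):
        print(label, triage(text))
```

On the thread's own output this reports a master-redundancy PSK map, no certificate MACs and no locals attached, which matches the conclusions reached in the replies.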