Security


Forum to discuss Enterprise security using HPE Aruba Networking NAC solutions (ClearPass), Introspect, VIA, 360 Security Exchange, Extensions, and Policy Enforcement Firewall (PEF).

IPsec between CPPM nodes

  • 1.  IPsec between CPPM nodes

    Posted Nov 18, 2017 06:19 AM

    Hello community,

    I'm planning to set up a cluster with two CPPM nodes. These nodes will be located in two different sites, with cluster sync happening over the Internet, so I would like to protect cluster traffic using an IPsec tunnel (available in the CPPM configuration).

    What concerns me is whether CPPM will forward all of its traffic (including LDAP queries, NTP synchronization, RADIUS responses...) through this tunnel. Will it be smart enough (or by design) to only include cluster traffic in the tunnel, and exclude all others?

    Thank you,



  • 2.  RE: IPsec between CPPM nodes

    EMPLOYEE
    Posted Nov 18, 2017 06:42 AM

    Have you read the ClearPass IPsec tech note on the page here?

    https://support.arubanetworks.com/Documentation/tabid/77/DMXModule/512/Default.aspx?EntryId=7961

    The host-to-host connection is what you are looking for. It should only encrypt traffic between the CPPM devices. Since NTP, RADIUS and LDAP point to other hosts, they should not go over the tunnel.



  • 3.  RE: IPsec between CPPM nodes

    Posted Nov 18, 2017 06:57 AM

    Hi Colin,

    Yes, I've read it. But it doesn't clearly state how CPPM decides which traffic goes through the tunnel, just how to set things up.

    In summary, I only need to create the tunnel per the steps documented in that tech note, and everything between the CPPM nodes will be protected. All other traffic will not be impacted. Is that correct?

    Thank you,



  • 4.  RE: IPsec between CPPM nodes

    EMPLOYEE
    Posted Nov 18, 2017 06:59 AM

    If you configure the instructions under "host to host", only traffic between the hosts should be encrypted.



  • 5.  RE: IPsec between CPPM nodes

    Posted Nov 18, 2017 07:03 AM

    Hi,

    Thank you for your quick reply. There's one more thing I want to clarify. There will be a NAT device between these nodes. Would the connection still be established successfully?

    Thank you,



  • 6.  RE: IPsec between CPPM nodes

    EMPLOYEE
    Posted Nov 18, 2017 07:08 AM

    You would need to do NAT translation and allow IPsec for that to work. The destination address must be answerable by the destination device.
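    To make the replies in posts 2, 4 and 6 concrete, here is a small added example (not from this thread and not HPE Aruba or ClearPass code) that models a host-to-host IPsec policy as a toy security policy database: only flows whose two endpoints are the two cluster nodes are protected, everything else is bypassed, and a peer behind NAT is only reachable if the configured peer address is the NAT's public address and the NAT lets IKE, NAT-T and ESP through. All addresses, ports and the NAT rule set are constructed placeholders, not values from the thread.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "esp"
    dport: int = 0  # 0 when the port does not matter for the lookup

@dataclass(frozen=True)
class Policy:
    local: str
    remote: str
    action: str     # "protect" (send through the IPsec SA) or "bypass"

# Constructed addresses: the two CPPM nodes and the servers they talk to.
NODE_A, NODE_B = "10.1.0.10", "10.2.0.10"
LDAP, NTP, NAS = "10.1.0.50", "10.1.0.51", "10.3.0.20"

# Host-to-host policy: the only selector is NODE_A <-> NODE_B.
SPD = [Policy(NODE_A, NODE_B, "protect")]

def lookup(spd, flow):
    """Return the action for a flow: first matching host pair, else bypass."""
    for p in spd:
        if {flow.src, flow.dst} == {p.local, p.remote}:
            return p.action
    return "bypass"

def classify(spd, flows):
    """Map every flow to the action the SPD would apply to it."""
    return {f: lookup(spd, f) for f in flows}

# Constructed sample flows leaving NODE_A (ports are placeholders).
FLOWS = [
    Flow(NODE_A, NODE_B, "tcp", 443),  # cluster sync between the nodes
    Flow(NODE_A, LDAP, "tcp", 636),    # LDAP query to a directory server
    Flow(NODE_A, NTP, "udp", 123),     # NTP synchronization
    Flow(NODE_A, NAS, "udp", 1812),    # RADIUS traffic to a NAS
]

# NAT case: NODE_B sits behind a NAT whose public address is NAT_B. NODE_A must
# be configured with the translated address as its peer, and the NAT must pass
# IKE (UDP 500), NAT-T (UDP 4500) and ESP on to NODE_B.
NAT_B = "203.0.113.10"
NAT_ALLOW = {("udp", 500), ("udp", 4500), ("esp", 0)}

def peer_reachable_through_nat(peer_configured, nat_public, allow):
    """True if the peer address is the NAT's public address and IKE/NAT-T/ESP are allowed."""
    required = {("udp", 500), ("udp", 4500), ("esp", 0)}
    return ip_address(peer_configured) == ip_address(nat_public) and required <= allow
```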



  • 7.  RE: IPsec between CPPM nodes

    Posted Nov 20, 2017 01:39 AM

    Hi,

    It looks like we have to join the cluster first before setting up the IPsec tunnel between the CPPM nodes. When I tried doing it the other way around (bringing up IPsec first), the cluster joining process simply failed, and it even reset the subscriber to factory defaults (which means deleting the Policy Manager license on the subscriber). Any ideas?

    Thank you,