Wired Intelligent Edge

last person joined: 10 hours ago 

Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution
Back to discussions
Expand all | Collapse all

Can I route the default-local-master-ipsecmap tunnel through a Site-to-Site tunnel?

This thread has been viewed 3 times

  • 1.  Can I route the default-local-master-ipsecmap tunnel through a Site-to-Site tunnel?

    Posted Jul 11, 2018 12:44 AM

    I have a master controller and a local controller which presently build their default-local-master-ipsecmap VPN tunnel across an IPSEC VPN on a pair of cisco routers at each physical location.  I would like to eliminate the cisco routers and move the Site-to-Site VPN to the Aruba controllers.  Both Aruba controllers act as the Internet gateway and do NAT etc for their respective locations.  They each connect directly to the Internet at each location.  If I make both controllers standalone masters, I can get Site-to-Site VPN to work over the Internet and the two sites' LAN's can reach eachother fine.  But when I add the Master-Local config back in by setting the masterip on the local controller, the default-local-master-ipsecmap tunnel messes things up.  I can't seem to figure out how to tell it to build the master-local VPN through the existing Site-to-Site VPN.  (Tunnel in a tunnel). I've tried making loopbacks and extra vlans forced into up state in order to source the master-local tunnel to not conflict witht the LAN's source/Destinations without any luck.  I know that the Master-Local VPN is already a Site-to-Site VPN and that I could build that directly across the Internet and then add static routes that point the LAN's at eachother via the "default-local-master-ipsecmap tunnel".  However, I tried that and couldnt because although the local controller has a "default-local-master-ipsecmap tunnel" tunel to point a route at, the Master controller does not and I am not sure how to make a static route on the Master to point back towards the LAN at the local location as a result.  Also, is it safe to use the Master-Local VPN across the Internet directly?  I have no idea what VPN settings it uses or how secure it is since its basically a baked in VPN config.   Any tips would be helpful!  I couldnt seem to find any other posts that explain this exact scenario with any solutions.  If you want me to start adding more info like AOS ver and platforms etc, I can but I wanted to start off with a more of a conceptual question before just getting super technical.  Thanks!!