Wireless Access


APs Creating IPSEC Tunnel for Data Plane Traffic

  • 1.  APs Creating IPSEC Tunnel for Data Plane Traffic

    Posted Oct 06, 2016 09:16 AM

    We have several Aruba 125 APs deployed that connect back to a Mobility Controller.  We have noticed that all of the APs create an IPSEC tunnel back to the controller and send all data over that tunnel.  All of our locations are either on a site-to-site VPN connection or MPLS connection back to our datacenter and we don't need to encrypt the traffic from the AP to the controller.  I have looked for hours and can't find where I can just make the APs act as normal APs and not encrypt the data.  Can anyone lead me in the right direction?  I'm new to Aruba and thanks in advance for any help.



  • 2.  RE: APs Creating IPSEC Tunnel for Data Plane Traffic

    EMPLOYEE
    Posted Oct 06, 2016 09:18 AM
    They're likely deployed as remote APs instead of campus APs. You can either
    reprovision them as campus APs or potentially move to the decrypt-tunnel
    forwarding mode.


  • 3.  RE: APs Creating IPSEC Tunnel for Data Plane Traffic

    Posted Oct 06, 2016 09:28 AM

    I'm extremely new to Aruba. Where could I find more information as to how to reprovision them or move them to the decrypt-tunnel forwarding mode?



  • 4.  RE: APs Creating IPSEC Tunnel for Data Plane Traffic

    EMPLOYEE
    Posted Oct 06, 2016 09:31 AM
    Do you have an Aruba partner you work with? There are a few considerations
    before doing this and we're not familiar with your network.


  • 5.  RE: APs Creating IPSEC Tunnel for Data Plane Traffic

    Posted Oct 06, 2016 09:34 AM

    Unfortunately no. We inherited these via an acquisition.  The driver for this is that we have WAN accelerators in line and we can’t optimize the wireless traffic going over the WAN because it’s encrypted. 



  • 6.  RE: APs Creating IPSEC Tunnel for Data Plane Traffic

    EMPLOYEE
    Posted Oct 06, 2016 10:25 AM
    Unless your WAN accelerator can deencapsulate GRE traffic, you will have the same issue if you change it to a campus AP.


  • 7.  RE: APs Creating IPSEC Tunnel for Data Plane Traffic

    Posted Oct 06, 2016 10:27 AM

    Is there a way to make them bridge traffic and not tunnel through the controller?



  • 8.  RE: APs Creating IPSEC Tunnel for Data Plane Traffic

    EMPLOYEE
    Posted Oct 06, 2016 10:59 AM
    Yes, but there are a few factors you need to be aware of:

    - Bridging is not available for captive portal SSIDs.
    - Users will typically be placed on the same subnet as the access points. If you need to have them on a different subnet you will need to configure a trunk on the access points' switch port.


  • 9.  RE: APs Creating IPSEC Tunnel for Data Plane Traffic

    Posted Oct 06, 2016 11:07 AM

    That's not an issue as we have a flat VLAN at these locations and don't use captive portal.  Can you point me in the right direction as to where I can find information as to how to configure them as a bridge? 



  • 10.  RE: APs Creating IPSEC Tunnel for Data Plane Traffic

    EMPLOYEE
    Posted Oct 06, 2016 11:09 AM
    In the virtual ap profile for that WLAN, you need to set the forwarding mode to bridged. You also need to set the default AP VLAN in the ap system profile to the same VLAN as in the virtual ap profile so that it does not tag the traffic.