Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

ArubaOS Mobility Master IPSEC over WAN to datacenter

  • 1.  ArubaOS Mobility Master IPSEC over WAN to datacenter

    MVP EXPERT
    Posted Jun 15, 2018 04:41 AM

    Hi Airheads friends,

    As far as I know, an ArubaOS Mobility Master communicates with the physical controllers based on IPsec. We have to deploy an ArubaOS Mobility Master in a remote datacenter. At the office we have two physical Mobility Controllers.

    Both locations only have a WAN connection (there is no VPN between the datacenter and the remote office at this moment).

    Because the MM and MC communicate via IPsec by themselves, it should be possible to communicate over the internet WAN, but we would have to make some NAT rules on the firewalls.

    Questions:

    1. Is it OK to run the IPsec from the MM to the MC over the WAN? Probably the answer is yes.

    2. Which one initiates the IPsec connection, the MM or the MCs?



  • 2.  RE: ArubaOS Mobility Master IPSEC over WAN to datacenter

    EMPLOYEE
    Posted Jun 15, 2018 08:32 AM

    1. Probably technically feasible. You might want to look into the VPNC/Branch use case and use 2x controllers as MGMT-VPNCs in your DC. Essentially all your controllers out in the branches would terminate their IPsec on those VPNCs and connect through them to your Mobility Master. Benefit of this setup: you can also use the IPsec for user/data traffic and not only control traffic to the MM.

    2. Initiator is always the MC. You can check this out by looking at your IPSec SA on the MM:

    show crypto ipsec sa
    
    
    IPSEC SA (V2) Active Session Information
    -----------------------------------
    Initiator IP                              Responder IP                              SPI(IN/OUT)        Flags Start Time        Inner IP
    ------------                              ------------                              ----------------   ----- ---------------   --------
    192.168.65.98                             192.168.65.95                             cff64800/f2fb4d00  UT2   Jun 15 13:48:52     -
    192.168.65.99                             192.168.65.95                             50f17500/2207c200  UT2   Jun 15 13:59:51     -
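
As an added example (not from this thread or from HPE Aruba), a small Python parser for the `show crypto ipsec sa` table quoted above, used to check that every active SA was initiated by an expected MC and answered by the MM; the function names and the address allowlist are assumptions. When the MCs reach the MM across NAT, the initiator column shows the address the MM sees, so the allowlist must hold those WAN addresses rather than the MCs' inside addresses.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the `show crypto ipsec sa` output quoted in the reply above
# (two MCs, .98 and .99, initiating to the MM at .95).
SAMPLE_SA_OUTPUT = """\
IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP                              Responder IP                              SPI(IN/OUT)        Flags Start Time        Inner IP
------------                              ------------                              ----------------   ----- ---------------   --------
192.168.65.98                             192.168.65.95                             cff64800/f2fb4d00  UT2   Jun 15 13:48:52     -
192.168.65.99                             192.168.65.95                             50f17500/2207c200  UT2   Jun 15 13:59:51     -
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# One data row: initiator, responder, SPI in/out, flags, start time, inner IP.
SA_ROW = re.compile(
    rf"^(?P<initiator>{IPV4})\s+(?P<responder>{IPV4})\s+"
    r"(?P<spi_in>[0-9a-f]+)/(?P<spi_out>[0-9a-f]+)\s+(?P<flags>\S+)\s+"
    r"(?P<start>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2})\s+(?P<inner>\S+)$"
)


def parse_ipsec_sa(output: str) -> List[Dict[str, str]]:
    """Return one dict per SA row; title, header and separator lines are skipped."""
    rows = []
    for line in output.splitlines():
        match = SA_ROW.match(line.strip())
        if match:
            rows.append(match.groupdict())
    return rows


def unexpected_sas(rows: List[Dict[str, str]], known_mcs: Set[str], mm_ip: str) -> List[Dict[str, str]]:
    """SAs not initiated by a known MC, or not terminated on the MM.

    Because the MC always initiates (see the reply above), any other initiator,
    or any SA where the MM is not the responder, is worth investigating."""
    return [r for r in rows if r["initiator"] not in known_mcs or r["responder"] != mm_ip]


if __name__ == "__main__":
    sas = parse_ipsec_sa(SAMPLE_SA_OUTPUT)
    for sa in sas:
        print(f"{sa['initiator']} -> {sa['responder']} flags={sa['flags']} since {sa['start']}")
    # Assumed allowlist: the two branch MCs and the MM address from the sample.
    print("unexpected:", unexpected_sas(sas, {"192.168.65.98", "192.168.65.99"}, "192.168.65.95"))
```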


  • 3.  RE: ArubaOS Mobility Master IPSEC over WAN to datacenter

    MVP EXPERT
    Posted Jun 15, 2018 09:08 AM

    Hi Owehrli,

    Thanks for your explanation, it is very appreciated.

    The MC user/data traffic is only needed locally in the branch offices; only management traffic goes to the DC vMM.

    • In the MC at the branch office I would like to configure the WAN IP of the datacenter.
    • In the MM at the datacenter I would like to configure the WAN IP of the branch office.

    Because the IPsec is initiated on the MC, I have to configure a destination NAT to the MM on the firewall in the datacenter. See the attachment for a graphical explanation :)

    We do not intend to place an extra MC in the datacenter.

    Am I correct? It should work, right?


  • 4.  RE: ArubaOS Mobility Master IPSEC over WAN to datacenter
    Best Answer

    EMPLOYEE
    Posted Jun 22, 2018 12:06 PM

    I don't see any reason why not. Should be working as long as you make the internal MM IP accessible for your MC from wherever they connect to the internet to initiate the IPSec connection.



  • 5.  RE: ArubaOS Mobility Master IPSEC over WAN to datacenter

    EMPLOYEE
    Posted Jun 22, 2018 02:19 PM

    Please share your experiences once you implemented this, might be interesting for others as well!



  • 6.  RE: ArubaOS Mobility Master IPSEC over WAN to datacenter

    MVP EXPERT
    Posted Jun 22, 2018 05:10 PM
    Of course I wanted to share my experience, but I was a bit busy the last few days.

    We now have the Mobility Master in the remote data center and have configured the IPsec tunnel with 0.0.0.0 as the IP.

    The onsite Mobility Controller connects over the internet to the datacenter. In the IPsec configuration, the external WAN IP of the datacenter has been entered as the IPsec IP.

    Only on the datacenter side has a destination NAT been created on the firewall, so that the traffic can be forwarded correctly from the outside.

    Works as conceived, without problems.

    Thanks for your help!