Hi!
I´m setting up a lab scenario with a central controller with UDP 4500 only port forwarded to it from the public facing firewall and a branch office controller with internet only access that should connect as a local to the central master. I think I´m missing something simple so please help me take an extra look :)
Configuration on master:
local-factory-cert local-mac "00:0b:86:xx:xx:xx"
controller-ip 192.168.230.3 (this one has UDP 4500 port forwarded to it from 1.1.1.1)
crypto isakmp udpencap-behind-natdevice enable
Configuration on brach local:
masterip 1.1.1.1 ipsec-factory-cert master-mac-1 00:0b:86:yy:yy:yy
!
interface vlan 4094 (internetfacing accessport)
ip address dhcp-client
ip nat outside
!
interface vlan 5
ip address 172.22.5.10 255.255.255.0
ip nat inside
!
controller-ip vlan 5
I can see successful isapmp SA and ipsec SA on both controllers and the routes are successfully implemented in the IPSEC maps.
On Master:
C 172.22.5.10/32 is an ipsec map default-local-master-ipsecmap-00:0b:86:xx:xx:xx
On Local:
C 192.168.230.3/32 is an ipsec map default-local-master-ipsecmap
If I ping from the master to 172.22.5.10 I can see this in the datapath session table of the local:
192.168.230.3 172.22.5.10 1 55 2048 0/0 0 0 1 tunnel 10 8 1 120 FSCI
172.22.5.10 1.1.1.1 1 58 0 0/0 0 0 1 tunnel 10 6 1 120 FNI
(Also in the datapath I see the local trying to answer PAPI traffic back to the public IP of 1.1.1.1 instead of the masters controller-ip which I think it should be)
If I ping from the local to the 192.168.230.3 address I see nothing in the datapath of the master.
In the logs of the local I just see that it tries to send things directly to the public IP of the master, shouldn´t it understand that it needs to communicate through the tunnel?
Jul 14 15:33:21 cfgm[3468]: <307025> <DBUG> |cfgm| local:Sending heartbeat message to MMS
Jul 14 15:33:21 cfgm[3468]: <307103> <INFO> |cfgm| send_tcp_hb_master 196 Connection to the master failed, Will retry socket ID 20 state CONFIG_SOCKET_NOTCONNECTED
Jul 14 15:33:21 cfgm[3468]: <307240> <DBUG> |cfgm| Connecting the Local CFGM socket, state 1
Jul 14 15:33:21 cfgm[3468]: <307242> <INFO> |cfgm| Failed to connect to the Master (1.1.1.1),Configuration socket will try again: Connection timed out
Jul 14 15:33:21 cfgm[3468]: <399814> <DBUG> |cfgm| Checking if the regulatory file is modified
Jul 14 15:33:21 cfgm[3468]: <399814> <DBUG> |cfgm| Sending the heartbeat message. Not Responding counter=7
Jul 14 15:33:21 cfgm[3468]: <399815> <INFO> |cfgm| Cannot connect to the master 1.1.1.1 error Connection timed out errno 145 socket id 20
I´ve also put up a local using certificate based authentication on the same subnet as the master and it works like a charm. I´d like this to work with only the UDP4500 port forward.
Please help me put some extra eyes on this dear Airheaders :) I´m running ArubaOS 6.4.4.8
Cheers,