Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Master/Local Public IP Configuration

  • 1.  Master/Local Public IP Configuration

    Posted Apr 02, 2012 02:38 PM

    I've been poring over documentation trying to confirm the details on this, but I haven't found a definitive answer. I have two controllers, one is going to be a master and the other a local. Both are connected directly to the internet with a public IP address on VLAN 1. When I configure the local controller on the master and the master on the local, do I have to use the actual controller's management IP address or do I have to use the public IP address?

     

    192.168.1.1 (Mgmt IP) - Master Controller - <PUBLIC IP> [INTERNET] <PUBLIC IP> Local Controller - 192.168.2.1 (Mgmt IP)



  • 2.  RE: Master/Local Public IP Configuration

    Posted Apr 02, 2012 02:53 PM

    Do the master and local have LAN connectivity i.e. can the local controller ping the management IP of the master and vice-versa. If so, use the management IP.  If the Local and master can only communicate through the WAN , then use the Public IP. 

     

    If you have master redundancy then use the VRRP IP between the masters as master IP.

     

    Regards,

    Sathya



  • 3.  RE: Master/Local Public IP Configuration

    Posted Apr 02, 2012 03:53 PM

    Yes, before I change any of the master/local configuration, I am able to ping the controllers from each other on their public IP address. Once I change the one to a local and configure the IPSec keys on either controller, they can no longer ping each other and the master-local relationship fails.



  • 4.  RE: Master/Local Public IP Configuration

    Posted Apr 02, 2012 04:04 PM

    Did you make sure the proper ports are allowed through your firewalls?



  • 5.  RE: Master/Local Public IP Configuration

    Posted Apr 02, 2012 04:11 PM

    If the controllers can ping each other on the internal LAN side (mgmt IP as you put it), then use that address as the one for master/local connectivity.  If not, then use the public IPs.  If you are going to do this, make sure you have the appropriate ports open between the two controllers:

     

    IKE (UDP 500) - 3.x and later

    ESP (protocol 50) - 3.x and later

    NATT (UDP 4500) - 3.x and later

    PAPI (UDP & TCP port 8211)

    IP-IP (protocol 94) - For IP mobility between master-local and local-local

     

    I'd also recommend you set up a firewall policy on the controller to protect the interface that is directly on the public Internet.



  • 6.  RE: Master/Local Public IP Configuration

    Posted Apr 02, 2012 04:57 PM

    This is in a lab environment right now, so there is no firewall between the two. The inside IPs will not be able to ping controller to controller because there is no routing in place right now. The strange thing is that when both controllers are masters and there is no local controller configuration, I can ping public to public with no problem. As soon as I configure one as a local controller and configure the IPSec keys, I can no longer ping the public IP addresses.



  • 7.  RE: Master/Local Public IP Configuration

    Posted Apr 02, 2012 05:36 PM

    When I do a "show log security all", I'm seeing the following logs....

     

    Apr 2 10:31:52 :103060:  <DBUG> |ike|  192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_responder_recv_SA:1000 Ike Phase 1 received SA
    Apr 2 10:31:52 :103060:  <DBUG> |ike|  192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_recv_ID:2097 received IKE ID Type 11 exchange:192.168.22.1
    Apr 2 10:31:52 :103060:  <DBUG> |ike|  192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_recv_ID:2112 got IKE KEY-ID, got remote-switch-ip:192.168.22.1-mask:255.255.255.255
    Apr 2 10:31:52 :103060:  <DBUG> |ike|  192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_recv_ID:2166 Master-Local
    Apr 2 10:31:52 :103017:  <INFO> |ike| Could not validate IKE Phase 1 ID of peer for Master-Local VPN
    Apr 2 10:31:52 :103063:  <DBUG> |ike|  192.168.22.1:4500-> exchange_run: step 0 done:0 handler failed

     

    I've re-entered the key a dozen times. I've completely wiped & re-configured both controllers. I've disabled control plane security. I'm at a loss now as to why I can't get these two controllers to talk.



  • 8.  RE: Master/Local Public IP Configuration

    EMPLOYEE
    Posted Apr 02, 2012 06:14 PM

    @Clayman wrote:

    When I do a "show log security all", I'm seeing the following logs....

     

    Apr 2 10:31:52 :103060:  <DBUG> |ike|  192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_responder_recv_SA:1000 Ike Phase 1 received SA
    Apr 2 10:31:52 :103060:  <DBUG> |ike|  192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_recv_ID:2097 received IKE ID Type 11 exchange:192.168.22.1
    Apr 2 10:31:52 :103060:  <DBUG> |ike|  192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_recv_ID:2112 got IKE KEY-ID, got remote-switch-ip:192.168.22.1-mask:255.255.255.255
    Apr 2 10:31:52 :103060:  <DBUG> |ike|  192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_recv_ID:2166 Master-Local
    Apr 2 10:31:52 :103017:  <INFO> |ike| Could not validate IKE Phase 1 ID of peer for Master-Local VPN
    Apr 2 10:31:52 :103063:  <DBUG> |ike|  192.168.22.1:4500-> exchange_run: step 0 done:0 handler failed

     

    I've re-entered the key a dozen times. I've completely wiped & re-configured both controllers. I've disabled control plane security. I'm at a loss now as to why I can't get these two controllers to talk.


    Clayman,

     

    A couple of things here that are important:

     

    - Create a specific IPSEC key on the master for the public ip address of the local:  Under Configuration > Network > Controller > System Settings, look for the Local Controller IPSEC keys parameter. There is probably one for 0.0.0.0. Create one specifically for the public address of the local controller. This is important, because it will determine routing.

     

    - Once you setup the master/local relationship, don't expect the controllers to be able to ping each other.

     

    - Create a route on the local controller pointing to the ipsec map for any subnets that you want clients on the local to reach:

    config t
    ip route 10.0.0.0 255.255.0.0 ipsec nameofipsecmap

    HINT: type show ip route to see the name of the ipsec map

    Do the same thing on the master controller for routes that are behind the local controller.

     

    You should be able to create a VLAN on the local controller that is fully routable and then ping the ip address of that from the master.  

     

    If you feel you cannot ping an address from one controller to the other, use the "show datapath session table <ip address>" command on the opposite side to see if you are seeing the pings.

     



  • 9.  RE: Master/Local Public IP Configuration

    Posted Apr 03, 2012 10:06 AM

    Thanks for the info. The primary issue I'm having at the moment is just getting the local controller to associate with the master. What's funny is that I've done this in a production environment several times without issue. In my test lab, I've already added the local's public IP & IPsec key. I've also entered the master's IP on the local & the same IPsec key.

     

    Here is what I'm seeing from the local:

    (house2-local) #show master-local stats

    Missed -> HB Resp from Master
    -----------------------------
    IP Address    HB Req      HB Resp     Cfg Terminate  Peer Reset  Total Missed  Last Sent Missed  Last Synced/Last Missed
    ----------    ------      -------     -------------  ----------  ------------  ----------------  -----------------------
    192.168.22.1  0           0           0              22          221           221               Pending/Tue Apr  3 13:59:48 2012

     

    When I run the same command from the master, it is blank.
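    The two outputs quoted in this thread (the "show log security all" IKE debug lines in reply 7 and the "show master-local stats" table in reply 9) are the first things to read when a local will not pair with its master. The script below is an added triage example, not code from the original posts or from HPE Aruba Networking: it parses constructed copies of both outputs, pulls out the peer address and the KEY-ID the local presented in IKE Phase 1, checks that ID against an assumed model of the master's "Local Controller IPSEC keys" list (a dictionary of address to netmask; the address 203.0.113.2 is a placeholder), and reports whether the heartbeat table shows a synced or a pending local. The Phase 1 ID check is the same question the master is asking when it logs "Could not validate IKE Phase 1 ID of peer": does the ID the local sent match an address it has a key for?

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed samples modelled on the outputs posted in the thread; they are not
# fresh captures from the poster's controllers.
SAMPLE_IKE_LOG = """\
Apr 2 10:31:52 :103060:  <DBUG> |ike|  192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_responder_recv_SA:1000 Ike Phase 1 received SA
Apr 2 10:31:52 :103060:  <DBUG> |ike|  192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_recv_ID:2097 received IKE ID Type 11 exchange:192.168.22.1
Apr 2 10:31:52 :103060:  <DBUG> |ike|  192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_recv_ID:2112 got IKE KEY-ID, got remote-switch-ip:192.168.22.1-mask:255.255.255.255
Apr 2 10:31:52 :103060:  <DBUG> |ike|  192.168.22.1:4500-> ike_phase_1.c:ike_phase_1_recv_ID:2166 Master-Local
Apr 2 10:31:52 :103017:  <INFO> |ike| Could not validate IKE Phase 1 ID of peer for Master-Local VPN
Apr 2 10:31:52 :103063:  <DBUG> |ike|  192.168.22.1:4500-> exchange_run: step 0 done:0 handler failed
"""

SAMPLE_ML_STATS = """\
(house2-local) #show master-local stats

Missed -> HB Resp from Master
-----------------------------
IP Address    HB Req      HB Resp     Cfg Terminate  Peer Reset  Total Missed  Last Sent Missed  Last Synced/Last Missed
----------    ------      -------     -------------  ----------  ------------  ----------------  -----------------------
192.168.22.1  0           0           0              22          221           221               Pending/Tue Apr  3 13:59:48 2012
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
PEER_RE = re.compile(rf"\|ike\|\s+({IPV4}):(\d+)->")
KEYID_RE = re.compile(rf"remote-switch-ip:({IPV4})-mask:({IPV4})")
ID_FAIL = "Could not validate IKE Phase 1 ID of peer"


@dataclass
class IkeAttempt:
    peer_ip: Optional[str] = None    # source address of the IKE packets
    peer_port: Optional[int] = None  # 4500 means NAT-T (UDP 4500) is in use
    key_id: Optional[str] = None     # controller IP the local presented as its KEY-ID
    id_rejected: bool = False        # master found no usable IPsec key for that ID
    failed: bool = False             # the exchange handler reported failure


def parse_ike_log(text: str) -> IkeAttempt:
    """Collapse one Phase 1 attempt from 'show log security all' into an IkeAttempt."""
    a = IkeAttempt()
    for line in text.splitlines():
        if "|ike|" not in line:
            continue
        if (m := PEER_RE.search(line)):
            a.peer_ip, a.peer_port = m.group(1), int(m.group(2))
        if (m := KEYID_RE.search(line)):
            a.key_id = m.group(1)
        a.id_rejected |= ID_FAIL in line
        a.failed |= "handler failed" in line
    return a


def key_matches(key_id: str, key_entries: Dict[str, str]) -> bool:
    """key_entries is an assumed model of the master's Local Controller IPSEC keys:
    address -> netmask. A 0.0.0.0/0.0.0.0 entry covers every local."""
    addr = ipaddress.ip_address(key_id)
    return any(addr in ipaddress.ip_network(f"{ip}/{mask}", strict=False)
               for ip, mask in key_entries.items())


def diagnose(a: IkeAttempt, key_entries: Dict[str, str]) -> str:
    if not (a.id_rejected or a.failed):
        return "phase1-ok"
    if a.key_id is None:
        return "phase1-failed: no KEY-ID seen; check UDP 500/4500 reachability first"
    if not key_matches(a.key_id, key_entries):
        return f"id-mismatch: local presented KEY-ID {a.key_id}, master has keys only for {sorted(key_entries)}"
    return (f"id-rejected: a key entry covers {a.key_id}; verify both key strings match and that "
            f"{a.key_id} is the address the local actually builds the tunnel from")


@dataclass
class MasterLocalRow:
    master_ip: str
    hb_req: int
    hb_resp: int
    cfg_terminate: int
    peer_reset: int
    total_missed: int
    last_sent_missed: int
    sync_state: str   # 'Pending' until the first successful config sync
    last_missed: str


ROW_RE = re.compile(rf"^{IPV4}\s")


def parse_master_local_stats(text: str) -> List[MasterLocalRow]:
    """Parse the data rows of 'show master-local stats' (header and rule lines are skipped)."""
    rows = []
    for line in (l.strip() for l in text.splitlines()):
        if not ROW_RE.match(line):
            continue
        parts = line.split(None, 7)          # keep the timestamp column intact
        if len(parts) != 8:
            continue
        synced, _, missed = parts[7].partition("/")
        rows.append(MasterLocalRow(parts[0], *map(int, parts[1:7]), synced, missed))
    return rows


def heartbeat_healthy(row: MasterLocalRow) -> bool:
    """Healthy once the local has synced and is not currently missing heartbeat responses."""
    return row.sync_state != "Pending" and row.last_sent_missed == 0


if __name__ == "__main__":
    attempt = parse_ike_log(SAMPLE_IKE_LOG)
    # Assumed master key list: the 0.0.0.0 catch-all plus a specific entry for the local's public address.
    print(diagnose(attempt, {"0.0.0.0": "0.0.0.0", "203.0.113.2": "255.255.255.255"}))
    for row in parse_master_local_stats(SAMPLE_ML_STATS):
        state = "healthy" if heartbeat_healthy(row) else f"unhealthy ({row.total_missed} missed, {row.sync_state})"
        print(row.master_ip, state)
```

On the sample data the KEY-ID the local presents (192.168.22.1) is an RFC 1918 address, which is exactly the symptom behind the resolution later in the thread: the local identifies itself by its controller IP, so that IP has to be the one the master has a key for and can reach, not an internal VLAN address.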



  • 10.  RE: Master/Local Public IP Configuration

    Posted Apr 04, 2012 10:40 AM

    Ok...finally figured this out. In case anyone is interested, here is what it was. The two controllers were separated by a router acting as an internet cloud. The /30 addresses connecting the controllers to the "Internet" were the "public" IPs. The controller's IP address was set to VLAN 2, which was one of the internal networks. As a result, the two controllers couldn't build an IPSEC tunnel because the controller's IP address wasn't reachable. I had to make the controller's IP VLAN 1, which is the "public" IP. Once I changed that, they were able to communicate.



  • 11.  RE: Master/Local Public IP Configuration

    EMPLOYEE
    Posted Apr 04, 2012 10:42 AM
    Glad to hear you figured it out!