Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

aruba rap 205H IPSec with aruba ACR license

  • 1.  aruba rap 205H IPSec with aruba ACR license

    Posted Nov 30, 2017 07:13 AM

    Hi,

    I have a problem with the Aruba RAP 205H IPSec tunnel while using the Aruba ACR license and a specific IKE policy.
    So, the ACR license is installed on the 7010 controller and I have configured the specific IKE policy with these settings:

    IKE V2
    Encryption AES256
    Hash Algorithm SHA2-256-128
    Authentication RSA
    Diffie-Hellman Group Group20
    PRF PRF-HMAC-SHA256
    Life Time Default

     

    I have noticed that if I use Hash Algorithm SHA2-256-128 instead of SHA1-96 the RAP cannot build the IPSec tunnel to the controller.
    Also, if I use PRF-HMAC-SHA256 instead of PRF-HMAC-SHA1 the RAP cannot build the IPSec tunnel to the controller.

    Am I missing something there, or are there some limitations that mean the RAP 205H cannot operate an IPSec tunnel with those settings?

     

    Here is a working one:
    (nuuskamuikkunen) #show crypto ipsec sa peer 81.20.229.136

     Initiator IP: 81.20.229.136
     Responder IP: 10.206.134.131
     Initiator: No
     SA Creation Date: Thu Nov 30 13:53:52 2017
     Life secs: 7200
     Exchange Type: IKE_SA (IKEV2)
     Phase2 Transform:Encryption Alg: AES 256 Authentication Alg: SHA1
     Encapsulation Mode Tunnel
     IP Compression Disabled
     PFS: no
     IN SPI: ABE98500, OUT SPI: 98B58D00
     CFG Inner-IP 1.1.1.24
     Responder IP: 10.206.134.131


    (nuuskamuikkunen) #show crypto isakmp sa peer 81.20.229.136

     Initiator IP: 81.20.229.136
     Responder IP: 10.206.134.131
     Initiator: No
     Initiator cookie:986718f9510323dd Responder cookie:793b2369bf0e2cdb
     SA Creation Date: Thu Nov 30 13:53:52 2017
     Life secs: 28800
     Initiator Phase1 ID: CN=DN0067150::00:0b:86:f7:54:ca
     Responder Phase1 ID: CN=CG0015514::00:0b:86:df:81:60 L=SW
     Exchange Type: IKE_SA (IKEV2)
     Phase1 Transform:EncrAlg:AES256 HashAlg:HMAC_SHA1_96 DHGroup:20
     Authentication Method: RSA Digital Signature 2048-bits
     CFG Inner-IP 1.1.1.24
     IPSEC SA Rekey Number: 0
     Aruba AP

     

    Here is the non working one:

    (nuuskamuikkunen) #show crypto ipsec sa peer 81.20.229.136

    % No active IPSEC SA for 81.20.229.136

    (nuuskamuikkunen) #show crypto isakmp sa peer 81.20.229.136

     Initiator IP: 81.20.229.136
     Responder IP: 10.206.134.131
     Initiator: No
     Initiator cookie:0acba72279694d9e Responder cookie:1b6824b4e76e589d
     SA Creation Date: Mon Oct 16 00:04:39 2017
     Life secs: 28800
     Initiator Phase1 ID:
     Responder Phase1 ID:
     Exchange Type: IKE_SA (IKEV2)
     Phase1 Transform:
     IPSEC SA Rekey Number: 0


    (nuuskamuikkunen) #
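    As an added example (not part of this thread and not HPE Aruba Networking code), here is a small Python checker that parses the two `show crypto isakmp sa peer` / `show crypto ipsec sa peer` captures above and compares the negotiated Phase1 transform against the intended IKE policy. The sample captures are constructed to mirror the posted working and non-working outputs; the mapping between the policy page's names (SHA1-96, SHA2-256-128, Group20) and the show-output labels (HMAC_SHA1_96, DHGroup:20) is an assumption made for the normalizers, not a documented ArubaOS contract. Note that the PRF is not printed in this output, so a PRF mismatch cannot be detected from these captures.

```python
"""Compare a RAP/controller IKEv2 SA from ArubaOS 'show crypto' output with policy.
Sample captures are constructed to mirror the thread; label normalization is an
assumption about how the controller prints transform names."""
import re

# Constructed sample: the working capture (SHA1-96 policy).
WORKING_ISAKMP = """\
 Initiator IP: 81.20.229.136
 Responder IP: 10.206.134.131
 Initiator cookie:986718f9510323dd Responder cookie:793b2369bf0e2cdb
 Initiator Phase1 ID: CN=DN0067150::00:0b:86:f7:54:ca
 Responder Phase1 ID: CN=CG0015514::00:0b:86:df:81:60 L=SW
 Exchange Type: IKE_SA (IKEV2)
 Phase1 Transform:EncrAlg:AES256 HashAlg:HMAC_SHA1_96 DHGroup:20
 Authentication Method: RSA Digital Signature 2048-bits
"""
WORKING_IPSEC = """\
 Phase2 Transform:Encryption Alg: AES 256 Authentication Alg: SHA1
 Encapsulation Mode Tunnel
 PFS: no
 IN SPI: ABE98500, OUT SPI: 98B58D00
"""
# Constructed sample: the non-working capture (SHA2-256-128 policy).
BROKEN_ISAKMP = """\
 Initiator cookie:0acba72279694d9e Responder cookie:1b6824b4e76e589d
 Initiator Phase1 ID:
 Responder Phase1 ID:
 Exchange Type: IKE_SA (IKEV2)
 Phase1 Transform:
"""
BROKEN_IPSEC = "% No active IPSEC SA for 81.20.229.136\n"

# Intended policies, written the way the controller's IKE policy page names them.
POLICY_SHA1 = {"encr": "AES256", "hash": "SHA1-96", "auth": "RSA", "dh": "Group20"}
POLICY_SHA256 = {"encr": "AES256", "hash": "SHA2-256-128", "auth": "RSA", "dh": "Group20"}


def _norm_enc(s):
    """'AES 256', 'AES-256', 'AES256' -> 'AES256' (assumed equivalence)."""
    return re.sub(r"[^A-Z0-9]", "", s.upper())


def _norm_hash(s):
    """'HMAC_SHA1_96' / 'SHA1-96' -> 'sha1/96'; 'SHA2-256-128' -> 'sha256/128'."""
    m = re.search(r"SHA-?2?[-_]?(1|256|384|512)[-_](\d+)", s.upper())
    return f"sha{m.group(1)}/{m.group(2)}" if m else s.upper()


def _norm_dh(s):
    """'Group20' / '20' -> '20'."""
    m = re.search(r"\d+", s)
    return m.group(0) if m else s


def parse_isakmp(text):
    """Pull the IKE_SA transform and auth method out of 'show crypto isakmp sa peer'."""
    sa = {"encr": None, "hash": None, "dh": None, "auth": None}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Phase1 Transform:"):
            m = re.search(r"EncrAlg:(\S+)\s+HashAlg:(\S+)\s+DHGroup:(\S+)", line)
            if m:  # an empty 'Phase1 Transform:' line leaves all three as None
                sa["encr"], sa["hash"], sa["dh"] = m.groups()
        elif line.startswith("Authentication Method:"):
            sa["auth"] = line.split(":", 1)[1].strip()
    return sa


def parse_ipsec(text):
    """Return the child SA transform, or None when the controller reports no IPsec SA."""
    if text.lstrip().startswith("% No active IPSEC SA"):
        return None
    m = re.search(r"Encryption Alg:\s*(.+?)\s+Authentication Alg:\s*(\S+)", text)
    if not m:
        return None
    pfs = re.search(r"PFS:\s*(\S+)", text)
    return {"encr": m.group(1), "integ": m.group(2), "pfs": pfs.group(1) if pfs else None}


def check_tunnel(isakmp_text, ipsec_text, policy):
    """Classify the tunnel and list where the negotiated IKE_SA departs from policy."""
    ike, esp = parse_isakmp(isakmp_text), parse_ipsec(ipsec_text)
    findings = []
    if ike["encr"] is None:
        # Cookies exist but no transform: the IKE_SA_INIT exchange never completed.
        findings.append("IKE_SA has no negotiated Phase1 transform; "
                        "the proposal offered by the RAP was not accepted")
        return {"state": "ike-incomplete", "findings": findings, "child_sa": esp}
    if _norm_enc(ike["encr"]) != _norm_enc(policy["encr"]):
        findings.append(f"IKE encryption {ike['encr']} != policy {policy['encr']}")
    if _norm_hash(ike["hash"]) != _norm_hash(policy["hash"]):
        findings.append(f"IKE integrity {ike['hash']} != policy {policy['hash']}")
    if _norm_dh(ike["dh"]) != _norm_dh(policy["dh"]):
        findings.append(f"IKE DH group {ike['dh']} != policy {policy['dh']}")
    if policy["auth"].upper() not in (ike["auth"] or "").upper():
        findings.append(f"IKE auth '{ike['auth']}' != policy {policy['auth']}")
    return {"state": "up" if esp else "ipsec-missing", "findings": findings, "child_sa": esp}


if __name__ == "__main__":
    print("working:", check_tunnel(WORKING_ISAKMP, WORKING_IPSEC, POLICY_SHA1))
    print("working vs SHA256 policy:", check_tunnel(WORKING_ISAKMP, WORKING_IPSEC, POLICY_SHA256))
    print("broken:", check_tunnel(BROKEN_ISAKMP, BROKEN_IPSEC, POLICY_SHA256))
```

    Run against the working capture with the SHA1-96 policy the checker reports `up` with no findings; run with the SHA2-256-128 policy it reports that the negotiated integrity is still HMAC_SHA1_96, which is the kind of silent downgrade or mismatch worth catching before assuming a tunnel is using the intended suite. The non-working capture is classified `ike-incomplete`, matching the empty Phase1 Transform and missing peer IDs in the post.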

     

     



  • 2.  RE: aruba rap 205H IPSec with aruba ACR license

    Posted Jun 15, 2018 12:46 PM

    Got the same issue. Were you able to solve it or did you talk to TAC?



  • 3.  RE: aruba rap 205H IPSec with aruba ACR license

    Posted Jun 26, 2018 03:05 AM

    TAC was not useful with this case, but I managed to get some answers from the Aruba Finland contact.

    He said that if you move to the FIPS image, then you can use a custom certificate with the ACR license and the RAP access point will connect to the controller with these settings:

     

    With ECDSA/SuiteB 256 primev1, below is the IKE and IPSEC proposal

    IKE:
    Enc – AES128
    Hash – SHA256-128
    Auth – ECDSA-256
    PRF – hmac-sha2-256
    DH – Group 19

    IPSEC:
    ESP-AES128-GCM
    PFS – DH 19

    With ECDSA/SuiteB 384 primev1, below is the IKE and IPSEC proposal

    IKE:
    Enc – AES256
    Hash – SHA384-192
    Auth – ECDSA-384
    PRF – hmac-sha2-384
    DH – Group 20

    IPSEC:
    ESP-AES256-GCM
    PFS – DH 20

     

    Anyhow, you need to get that custom certificate onto the RAP access point via the USB port or via the console.

     

    However, my project changed a little bit, so I did not try this setup. If you try those FIPS images and this setup, let us know how it goes :)

     

    -Fantti