Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

master-local IPSec

  • 1.  master-local IPSec

    Posted Dec 06, 2013 05:04 AM

    Hi,

    I have just set up a connection between a master and a local controller (3200's) in different subnets. The devices would not connect - not even ping - when I defined the local's IP address and key on the master using the exact IP address. When I used 0.0.0.0 as the IP address this worked. Why did it not work with the specific IP address?

     

    Matt




  • 2.  RE: master-local IPSec

    Posted Dec 06, 2013 05:36 AM
    Can you do a "show switches" to see what IP address it is using to do the tunnel?

    And confirm it is the same one you were trying to point to in the ipsec tunnel command?


  • 3.  RE: master-local IPSec

    Posted Dec 06, 2013 05:55 AM

    I have done a show switches and this was the IP address I was using for defining the local on the master. As soon as I configured with the specific IP address, pings between the two devices failed.



  • 4.  RE: master-local IPSec

    Posted Dec 06, 2013 06:15 AM

    Can you do a show ip route?

    Also do an "encrypt disable" and make sure that the keys match between the two:

    show running-config | include ipsec

     



  • 5.  RE: master-local IPSec

    Posted Dec 06, 2013 06:22 AM

    Yes, I checked this a few times and even defaulted the local and started again, connectivity only when I used the 0.0.0.0 address.



  • 6.  RE: master-local IPSec

    Posted Dec 06, 2013 06:28 AM

    I have seen this before when you try to ping the IP address identified in the ipsec command and for some reason it goes through the ipsec tunnel instead of the default gateway, and that is why I think it fails.

    But not 100% sure on that.

    That's why I asked you to see if you can look at your ip route.



  • 7.  RE: master-local IPSec

    Posted Dec 06, 2013 06:56 AM

    I imagine this is the case because pings work to other devices in the subnets at either end but not the host IP addresses of each of the controllers.



  • 8.  RE: master-local IPSec

    EMPLOYEE
    Posted Dec 06, 2013 08:32 AM

    Are you using the vlan interface ip for the localip on the master?

     

    If there is any ipsec relationship between the two, then it will use that tunnel for pings and any other communication.  If the ipsec is down, you won't be able to ping it from the master, though you will be able to from another device.
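
    The behaviour described in this reply, as an added illustration that is not part of the thread or of ArubaOS: a constructed longest-prefix-match model in which defining the peer by its host address installs a /32 route into the IPsec tunnel, so a ping to the peer succeeds only while the tunnel is up, while other hosts in the remote subnet are still reached via the default gateway. The addresses and the route/tunnel representation are assumptions made for the example.

```python
"""Constructed model of why a ping to the IPsec peer's host address fails
while the tunnel is down, yet pings to neighbouring hosts still succeed.
Illustrative only: this is not ArubaOS code and the addresses are made up."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

TUNNEL = "ipsec-tunnel"


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    via: str  # TUNNEL or a next-hop gateway address


def build_routes(peer_ip: Optional[str], default_gw: str) -> List[Route]:
    """Default route plus, when a specific peer address is configured
    (anything other than 0.0.0.0), a host route steering that peer into the tunnel."""
    routes = [Route(ipaddress.ip_network("0.0.0.0/0"), default_gw)]
    if peer_ip and peer_ip != "0.0.0.0":
        routes.append(Route(ipaddress.ip_network(f"{peer_ip}/32"), TUNNEL))
    return routes


def lookup(routes: List[Route], dst: str) -> Route:
    """Longest-prefix match: the /32 tunnel route wins over the default route."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen)


def ping_reaches(routes: List[Route], dst: str, tunnel_up: bool) -> bool:
    """A packet routed into the tunnel is delivered only if the tunnel is up;
    anything sent to the default gateway is assumed reachable."""
    route = lookup(routes, dst)
    return tunnel_up if route.via == TUNNEL else True


if __name__ == "__main__":
    gw = "198.51.100.1"            # constructed default gateway
    peer, neighbour = "192.0.2.10", "192.0.2.20"  # constructed remote hosts
    specific = build_routes(peer, gw)
    wildcard = build_routes("0.0.0.0", gw)
    print("specific peer, tunnel down -> ping peer:",
          ping_reaches(specific, peer, tunnel_up=False))       # False
    print("specific peer, tunnel down -> ping neighbour:",
          ping_reaches(specific, neighbour, tunnel_up=False))  # True
    print("0.0.0.0 peer, tunnel down -> ping peer:",
          ping_reaches(wildcard, peer, tunnel_up=False))       # True
```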



  • 9.  RE: master-local IPSec

    Posted Dec 06, 2013 08:39 AM

    Yes, so I suppose another way of looking at the question is: why does the tunnel not form when using the host address, only when using the 0.0.0.0 address?



  • 10.  RE: master-local IPSec

    Posted Dec 06, 2013 09:44 AM

    The tunnel should form when using either the host address or 0.0.0.0, assuming the host address you put in can be reached and is not NAT'd somewhere along the line.

    Run the following from the master when it is successfully connected using the 0.0.0.0 parameter to see if you can confirm the IP it is coming from:

    show crypto isakmp sa

    or

    show datapath session table | include 4500