SD-WAN


Forum to discuss HPE Aruba EdgeConnect SD-WAN and SD-Branch solutions. This includes SD-WAN Orchestration, WAN edge network functions - routing, security, zone-based firewall, segmentation and WAN optimization, micro-branch solutions, best practices, and third-party integrations. All things SD-WAN!

SD-Branch gateway (WLC) manual IPSec-map and peer FQDN

1.  SD-Branch gateway (WLC) manual IPSec-map and peer FQDN

    Posted Sep 20, 2023 07:55 AM

    Hello!

    I'm trying to configure a manual IPSec map using a destination FQDN, instead of an IP address, on a WLC running ArubaOS 8.6.0.19. The configuration seems to be ok; if I change the destination FQDN to an IP address the IPSec tunnel is established. But... in the case of the FQDN it fails and the datapath doesn't reveal any packets towards the destination.

    Example message from security log:
    Peer ip is not configured or resolved for map <map-name>

    I checked the DNS functionality and the WLC is able to resolve the destination FQDN ("ping fqdn" works).

    Any ideas what I'm doing wrong? 

    Below is a configuration snippet:

    crypto isakmp policy 9999
        encryption aes128
        authentication pre-share
        lifetime 86400
    ...
    crypto-local isakmp key "******" fqdn <peer-fqdn-removed>
    ...
    crypto ipsec transform-set test-transform-set esp-null esp-md5-hmac
    ...
    crypto-local ipsec-map <map-name> 100
        set ikev1-policy 9999
        peer-fqdn fqdn-id <peer-fqdn-removed>
        local-fqdn <my-fqdn-removed>
        vlan <vlan-id>
        src-net any
        dst-net any
        set transform-set "test-transform-set"
        set security-association lifetime seconds 86400
        pre-connect
        trusted
        force-natt

    ------------------------------
    gone fishing.
    ------------------------------
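As an added example (not from the post, and not ArubaOS code), a small Python linter for the kind of ipsec-map snippet shown above: it checks that the map's peer FQDN has a matching isakmp key entry, that the FQDN resolves (the resolver is injected so the check runs offline), and that the referenced transform-set exists, flagging esp-null because it authenticates but does not encrypt. The sample config and names such as peer.example.invalid and map1 are constructed placeholders for the values removed from the post.

```python
import re
from typing import Callable, List, Optional

# Constructed sample mirroring the post's snippet; placeholder names replace the removed values.
SAMPLE_CONFIG = """\
crypto isakmp policy 9999
crypto-local isakmp key "******" fqdn peer.example.invalid
crypto ipsec transform-set test-transform-set esp-null esp-md5-hmac
crypto-local ipsec-map map1 100
    set ikev1-policy 9999
    peer-fqdn fqdn-id peer.example.invalid
    set transform-set "test-transform-set"
"""

def parse(text: str) -> dict:
    # Collect the key entries and transform-sets an ipsec-map can refer to, plus each map's references.
    cfg = {"keys": set(), "transforms": {}, "maps": {}}
    current = None  # the ipsec-map whose indented lines we are inside
    for raw in text.splitlines():
        line = raw.strip()
        if not raw[:1].isspace():
            current = None  # any top-level command ends the map block
        if m := re.match(r'crypto-local isakmp key "[^"]*" fqdn (\S+)', line):
            cfg["keys"].add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            cfg["transforms"][m.group(1)] = m.group(2).split()
        elif m := re.match(r"crypto-local ipsec-map (\S+) \d+", line):
            current = cfg["maps"].setdefault(m.group(1), {})
        elif current is not None:
            if m := re.match(r"peer-fqdn fqdn-id (\S+)", line):
                current["peer"] = m.group(1)
            elif m := re.match(r'set transform-set "?([^"\s]+)"?', line):
                current["transform"] = m.group(1)
    return cfg

def lint(text: str, resolve: Callable[[str], Optional[str]]) -> List[str]:
    # One finding per dangling reference, unresolvable peer FQDN or integrity-only transform.
    cfg, findings = parse(text), []
    for name, m in cfg["maps"].items():
        peer = m.get("peer")
        if peer and peer not in cfg["keys"]:
            findings.append(f"{name}: no isakmp pre-shared key entry for fqdn {peer}")
        if peer and resolve(peer) is None:
            findings.append(f"{name}: peer fqdn {peer} does not resolve")
        ts = cfg["transforms"].get(m.get("transform"))
        if ts is None:
            findings.append(f"{name}: transform-set {m.get('transform')} is not defined")
        elif "esp-null" in ts:
            findings.append(f"{name}: esp-null gives integrity only, no confidentiality")
    return findings
```

Pass `socket.gethostbyname` wrapped in a try/except as the resolver to check against the controller's real DNS view.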