
In this post, I describe how I use an Aruba Instant AP to tunnel all my traffic to my controller at home. This IAP VPN is very helpful when I need to show some lab scenarios, but you can also use it as the secure connection from a small branch office to headquarters. Sure, you could use a RAP (Remote AP), and I used that setup very successfully in the past, but the IAP solution scales much better.

You can only have a limited number of RAPs in one location, but you can have up to 128 IAPs per location. Whenever you need more than 4 RAPs, consider the IAP VPN solution as well.

In the setup below, I use Central for management. But you can also use AirWave, or no management at all and configure the IAPs manually, to get the same results.

IAP VPN – Basic Setup

Normally, you put the wireless users of an IAP solution into a local VLAN. But sometimes you need a central breakout for the users, and this is possible with the IAP VPN solution. All you need is a controller, or for redundancy two controllers, at the central breakout point. The IAPs create an IPsec tunnel to this controller, and you can use this tunnel to send user traffic to the controller. The controller can then handle the traffic and send it to a VLAN at the central site.

The setup is very simple. I start with the controller part and continue with the IAP part in Central.

I run ArubaOS 8 on the controller:

show version
Aruba Operating System Software.
ArubaOS (MODEL: Aruba7005), Version 8.2.1.0
Website: http://www.arubanetworks.com
(c) Copyright 2018 Hewlett Packard Enterprise Development LP.
Compiled on 2018-03-16 at 17:27:35 UTC (build 64044) by p4build

ROM: System Bootstrap, Version CPBoot 1.0.2.0 (build 46859)
Built: 2014-10-31 10:10:57
Built by: [email protected]_client_46859

Switch uptime is 4 days 4 hours 21 minutes 8 seconds
Reboot Cause: POE Power Cycle (Intent:cause:register ee:ee:0:c)
Supervisor Card
Processor (XLP208 Rev B0 (Secure Boot) , 500 MHz) with 3797M bytes of memory.
32K bytes of non-volatile configuration memory.
1920M bytes of Supervisor Card system flash.

The first step is to allow the IAP on the controller. This is the same as with all other APs: you need to whitelist the IAP. I use whitelist authentication with ClearPass. Here you can check how to use ClearPass for whitelist sync:

ArubaOS Controller Whitelist Sync with ClearPass

You have to use the remote AP whitelist for the IAPs. If you use ClearPass or any other RADIUS server, you can also specify the role for the IAP. Below is the summary screen of my enforcement profile for any IAP authentication:

IAP VPN – Enforcement Profile in ClearPass

I use the default group for the group assignment. You can use a different one, but keep in mind that the group doesn’t matter in this setup, as the controller does not push any configuration to the IAP. What matters is the “Aruba-Location-Id”, which assigns the correct IAP name on the controller. This makes troubleshooting much easier later on. The role is not needed, as the controller has a default role for the IAPs. If you would like to change it, you can send the role attribute as well.

The last step on the controller is to create an IP pool for the inner tunnel IPs. Either use this command on the CLI:

ip local pool "mobile-iap" 10.193.168.2 10.193.168.254

Or you can do the same in the GUI. Go to “Configuration–>Services–>VPN” and go down to “General VPN”. To create a new “Address Pool”, click the “+” sign:

IAP VPN – Create IP Address Pool

From this “Address Pool”, the IAP gets an inner tunnel IP address. You can either create a NAT rule for this address range or, which is my recommendation, use OSPF to distribute the routes in your environment. If you need help with OSPF on the Aruba controller, leave me a comment and I will help you or write a post about it.

That is the controller part.

IAP VPN – IAP Part

I will show the setup with Aruba Central, but the configuration is the same for AirWave or the Instant GUI.

To start the configuration go to “Wireless Management–>VPN”:

IAP VPN – Configure Aruba IPSec in Central

Replace the “Primary Host” and the “Backup Host” with your hostnames or IP addresses and make sure you select “Aruba IPsec” as the “Protocol”.

This creates a tunnel from the virtual controller (VC) of the IAP cluster to the Aruba controller. You can also select “Aruba GRE” for the “Protocol”. With “Aruba GRE”, you can build tunnels from every IAP in the cluster to the controller. This is very handy when you cannot use VLAN tags between the IAPs. The configuration would look like this:

IAP-VPN – Configure Aruba GRE in Central

This creates a VPN tunnel from every IAP to the controller. This makes sense when you are not able to work with VLAN tags between the IAP cluster nodes.

You can also configure “L2TPv3” and “Manual GRE”. But I have never used them in the past.

To allow the IAP to reach internal resources as well, you can configure “Routing”. This is just below the configuration from above:

IAP VPN – Configure Routing Profile in Central

You can configure hosts or subnets to be reachable through the tunnel. The important part is that you need to configure the controller IP (the one the IAP is connected to) as the gateway.

IAP VPN – Show Commands

You can check if the VPN is up and running from the CLI. First, let’s check the controller part. There is an ISAKMP entry for the IAP:

(wlan-controller) #show crypto isakmp sa

ISAKMP SA Active Session Information
------------------------------------
Initiator IP     Responder IP     Flags     Start Time       Private IP
------------     ------------     -----     ---------------  ----------
10.100.100.50    10.100.100.70    i-v2-p    Jul 3 02:19:33   -
10.106.106.10    10.100.100.50    r-v2-c-C  Jul 3 04:37:59   10.106.106.10
10.106.106.11    10.100.100.50    r-v2-c-C  Jul 3 04:53:29   10.106.106.11
137.226.133.33   10.100.100.50    r-v2-c-I  Jul 3 09:58:35   10.99.99.10

Flags: i = Initiator; r = Responder
m = Main Mode; a = Agressive Mode; v2 = IKEv2
p = Pre-shared key; c = Certificate/RSA Signature; e = ECDSA Signature
x = XAuth Enabled; y = Mode-Config Enabled; E = EAP Enabled
3 = 3rd party AP; C = Campus AP; R = RAP; Ru = Custom Certificate RAP; I = IAP
V = VIA; S = VIA over TCP

Total ISAKMP SAs: 4

The last entry (flag “I”) is the IAP, more precisely the VC of the cluster. I use the Aruba IPsec option for the VPN. There is also an IPsec SA entry:

(wlan-controller) #show crypto ipsec sa

IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)         Flags  Start Time       Inner IP
------------     ------------     ----------------    -----  ---------------  --------
137.226.133.33   10.100.100.50    ae840700/47eaac00   UT2    Jul 3 09:58:34   10.99.99.10
10.100.100.50    10.100.100.70    9ed8e900/f4c43400   UT2    Jul 3 09:53:35   -
10.106.106.11    10.100.100.50    81b8a900/fa64ed00   UT2    Jul 3 08:34:58   10.106.106.11
10.106.106.10    10.100.100.50    756f1b00/20537e00   UT2    Jul 3 09:50:45   10.106.106.10

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 4

This time, it is the first entry. If both entries are present, you have the IAP in the IAP table as well:

(wlan-controller) #show iap table long

Trusted Branch Validation: Enabled

IAP Branch Table
----------------
Name         VC MAC Address     Status  Inner IP     Assigned Subnet  Assigned Vlan  Key                                                 Bid(Subnet Name)  Tunnel End Points
----         --------------     ------  --------     ---------------  -------------  ---                                                 ----------------  -----------------
ELAB-VC-001  b4:5d:50:c1:ef:fc  UP      10.99.99.10                                  d80c02fb01ab73336419c72095819606e430511260f2fecfa4

Total No of UP Branches : 1
Total No of DOWN Branches : 0
Total No of Branches : 1
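As an added example (not code from the post), here is a small Python check that decodes the flag column of “show crypto isakmp sa” using the legend the controller prints and cross-checks every IAP SA against “show iap table long”: an IAP SA should be IKEv2 with certificate authentication, and its private IP should appear as an UP branch. The sample rows are constructed in the shape of the outputs above; the second IAP row (192.0.2.10, PSK, no branch entry) is made up to trigger findings.

```python
import re

# Constructed sample rows in the shape of 'show crypto isakmp sa' from the post.
# Flag legend: i/r = role, v2 = IKEv2, p/c/e = PSK/cert/ECDSA, last = peer type.
ISAKMP_SAMPLE = """\
10.100.100.50    10.100.100.70    i-v2-p    Jul 3 02:19:33   -
10.106.106.10    10.100.100.50    r-v2-c-C  Jul 3 04:37:59   10.106.106.10
137.226.133.33   10.100.100.50    r-v2-c-I  Jul 3 09:58:35   10.99.99.10
192.0.2.10       10.100.100.50    r-v2-p-I  Jul 3 10:02:11   10.99.99.11
"""
# Constructed 'show iap table long' row: name, VC MAC, status, inner IP.
IAP_TABLE_SAMPLE = "ELAB-VC-001  b4:5d:50:c1:ef:fc  UP      10.99.99.10\n"

IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
SA_RE = re.compile(rf"^{IP}\s+{IP}\s+(\S+)\s+\w{{3}}\s+\d+\s+[\d:]+\s+(\S+)")
IAP_RE = re.compile(rf"^(\S+)\s+((?:[0-9a-f]{{2}}:){{5}}[0-9a-f]{{2}})\s+(UP|DOWN)\s+{IP}")
AUTH = {"p": "psk", "c": "cert", "e": "ecdsa"}
PEER = {"3": "3rd-party", "C": "campus-ap", "R": "rap", "Ru": "custom-cert-rap",
        "I": "iap", "V": "via", "S": "via-tcp"}

def parse_isakmp(text):
    """One dict per SA row, with the flag string decoded into fields."""
    sas = []
    for m in filter(None, map(SA_RE.match, text.splitlines())):
        init, resp, flags, priv = m.groups()
        parts = flags.split("-")
        sas.append({"initiator": init, "responder": resp, "private_ip": priv,
                    "role": "initiator" if parts[0] == "i" else "responder",
                    "ikev2": "v2" in parts,
                    "auth": next((AUTH[p] for p in parts if p in AUTH), "unknown"),
                    "peer": next((PEER[p] for p in parts if p in PEER), "unknown")})
    return sas

def parse_iap_table(text):
    """Map inner IP -> branch status (UP/DOWN) from 'show iap table long' rows."""
    return {m.group(4): m.group(3) for m in map(IAP_RE.match, text.splitlines()) if m}

def check_iap_tunnels(isakmp_text, iap_table_text):
    """Findings for IAP SAs that are not IKEv2 + cert, or not UP in the branch table."""
    branches = parse_iap_table(iap_table_text)
    findings = []
    for sa in parse_isakmp(isakmp_text):
        if sa["peer"] != "iap":
            continue  # controller-to-controller, campus AP, RAP and VIA SAs are out of scope
        if not sa["ikev2"] or sa["auth"] != "cert":
            findings.append(f"{sa['private_ip']}: auth={sa['auth']} ikev2={sa['ikev2']}")
        if branches.get(sa["private_ip"]) != "UP":
            findings.append(f"{sa['private_ip']}: no UP entry in IAP branch table")
    return findings
```

Paste the real command output into the two strings; the regexes skip the header, separator and legend lines, so the full output can be used as-is.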

Now, from the IAP:

ELAB-AP-003# show vpn status

profile name:default
--------------------------------------------------
current using tunnel                              :primary tunnel
current tunnel using time                         :8 minutes 57 seconds
ipsec is preempt status                           :disable
ipsec is fast failover status                     :disable
ipsec hold on period                              :600s
ipsec tunnel monitor frequency (seconds/packet)   :5
ipsec tunnel monitor timeout by lost packet cnt   :6
ipsec primary tunnel crypto type                  :Cert
ipsec primary tunnel peer address                 :controller-fqdn.tld
ipsec primary tunnel peer tunnel ip               :10.100.100.50
ipsec primary tunnel ap tunnel ip                 :10.99.99.10
ipsec primary tunnel using interface              :tun0
ipsec primary tunnel using MTU                    :1230
ipsec primary tunnel current sm status            :Up
ipsec primary tunnel tunnel status                :Up
ipsec primary tunnel tunnel retry times           :1
ipsec primary tunnel tunnel uptime                :8 minutes 57 seconds
ipsec backup tunnel crypto type                   :Cert
ipsec backup tunnel peer address                  :N/A
ipsec backup tunnel peer tunnel ip                :N/A
ipsec backup tunnel ap tunnel ip                  :N/A
ipsec backup tunnel using interface               :N/A
ipsec backup tunnel using MTU                     :N/A
ipsec backup tunnel current sm status             :Init
ipsec backup tunnel tunnel status                 :Down
ipsec backup tunnel tunnel retry times            :0
ipsec backup tunnel tunnel uptime                 :0

From the output above, you can see that the primary tunnel is up and uses certificate authentication.

ELAB-AP-003# show vpn tunnels

Tunnel Flags: M = Master IAP; S = Slave IAP; P = Primary Tunnel
B = Backup Tunnel; R = Registered; H = Heartbeat Enable

Tunnel Info for peer address 10.100.100.50
--------------------------------------------
Type                              Value
----                              -----
Source IP                         10.99.99.10
Destination IP                    10.100.100.50
End IP                            84.153.110.129
Default GW                        192.168.0.254
Use count                         1
Ifindex                           17
Ifname                            tun0
Flags                             MPRH
Retry count for Register Request  0
Last Heartbeat                    15998
Heartbeat Encap/Decap             108(seq 108)/109(seq 108)
GRE Encap/Decap                   1582/1581
For DHCP Profile ELAB-Management
Retry count for Vlan Add Request  0
Old Subnet Status                 Normal
Existing Subnet Status            Normal

On a slave IAP it looks like this:

ELAB-AP-001# show vpn status

profile name:default
--------------------------------------------------
current using tunnel                              :unselected tunnel
current tunnel using time                         :0
ipsec is preempt status                           :disable
ipsec is fast failover status                     :disable
ipsec hold on period                              :600s
ipsec tunnel monitor frequency (seconds/packet)   :5
ipsec tunnel monitor timeout by lost packet cnt   :6
ipsec primary tunnel crypto type                  :Cert
ipsec primary tunnel peer address                 :N/A
ipsec primary tunnel peer tunnel ip               :N/A
ipsec primary tunnel ap tunnel ip                 :N/A
ipsec primary tunnel using interface              :N/A
ipsec primary tunnel using MTU                    :N/A
ipsec primary tunnel current sm status            :Init
ipsec primary tunnel tunnel status                :Down
ipsec primary tunnel tunnel retry times           :0
ipsec primary tunnel tunnel uptime                :0
ipsec backup tunnel crypto type                   :Cert
ipsec backup tunnel peer address                  :N/A
ipsec backup tunnel peer tunnel ip                :N/A
ipsec backup tunnel ap tunnel ip                  :N/A
ipsec backup tunnel using interface               :N/A
ipsec backup tunnel using MTU                     :N/A
ipsec backup tunnel current sm status             :Init
ipsec backup tunnel tunnel status                 :Down
ipsec backup tunnel tunnel retry times            :0
ipsec backup tunnel tunnel uptime                 :0

ELAB-AP-001# show vpn tunnels

Tunnel Flags: M = Master IAP; S = Slave IAP; P = Primary Tunnel
B = Backup Tunnel; R = Registered; H = Heartbeat Enable

Tunnel Info for peer address 10.100.100.50
--------------------------------------------
Type                              Value
----                              -----
Source IP                         10.99.99.10
Destination IP                    10.100.100.50
End IP                            84.153.110.129
Default GW                        0.0.0.0
Use count                         0
Ifindex                           0
Ifname                            Null
Flags                             SP
Retry count for Register Request  0
GRE Encap/Decap                   0/0
For DHCP Profile ELAB-Management
Retry count for Vlan Add Request  0
Old Subnet Status                 Normal
Existing Subnet Status            Normal

Now, let’s change the VPN type to Aruba GRE. I also enable “Per-AP-Tunnel”.

The first two commands on the controller look the same: there is still one IPsec tunnel from the VC to the controller. But the last output from the controller is different:

(wlan-controller) #show iap table long

Trusted Branch Validation: Enabled

IAP Branch Table
----------------
Name         VC MAC Address     Status  Inner IP     Assigned Subnet  Assigned Vlan  Key                                                 Bid(Subnet Name)  Tunnel End Points
----         --------------     ------  --------     ---------------  -------------  ---                                                 ----------------  -----------------
ELAB-VC-001  b4:5d:50:c1:ef:fc  UP      10.99.99.10                                  d80c02fb01ab73336419c72095819606e430511260f2fecfa4                    192.168.0.180,192.168.0.183,192.168.0.182,192.168.0.181

Total No of UP Branches : 1
Total No of DOWN Branches : 0
Total No of Branches : 1

As you can see from the output above, the controller now lists all the IAPs of the cluster as tunnel end points as well.

The IAP output is different as well. The VC has one IPSec tunnel active:

ELAB-AP-003# show vpn status

profile name:default
--------------------------------------------------
current using tunnel                              :primary tunnel
current tunnel using time                         :17 minutes 39 seconds
ipsec is preempt status                           :disable
ipsec is fast failover status                     :disable
ipsec hold on period                              :600s
ipsec tunnel monitor frequency (seconds/packet)   :5
ipsec tunnel monitor timeout by lost packet cnt   :6
ipsec primary tunnel crypto type                  :Cert
ipsec primary tunnel peer address                 :controller-fqdn.tld
ipsec primary tunnel peer tunnel ip               :10.100.100.50
ipsec primary tunnel ap tunnel ip                 :10.99.99.10
ipsec primary tunnel using interface              :tun0
ipsec primary tunnel using MTU                    :1230
ipsec primary tunnel current sm status            :Up
ipsec primary tunnel tunnel status                :Up
ipsec primary tunnel tunnel retry times           :1
ipsec primary tunnel tunnel uptime                :17 minutes 39 seconds
ipsec backup tunnel crypto type                   :Cert
ipsec backup tunnel peer address                  :N/A
ipsec backup tunnel peer tunnel ip                :N/A
ipsec backup tunnel ap tunnel ip                  :N/A
ipsec backup tunnel using interface               :N/A
ipsec backup tunnel using MTU                     :N/A
ipsec backup tunnel current sm status             :Init
ipsec backup tunnel tunnel status                 :Down
ipsec backup tunnel tunnel retry times            :0
ipsec backup tunnel tunnel uptime                 :0

And through the IPsec tunnel, the IAP runs a GRE tunnel:

ELAB-AP-003# show vpn tunnels

Tunnel Flags: M = Master IAP; S = Slave IAP; P = Primary Tunnel
B = Backup Tunnel; R = Registered; H = Heartbeat Enable

Tunnel Info for peer address 10.100.100.50
--------------------------------------------
Type                              Value
----                              -----
Source IP                         10.99.99.10
Destination IP                    10.100.100.50
End IP                            84.153.110.129
Default GW                        192.168.0.254
Use count                         1
Ifindex                           17
Ifname                            tun0
Flags                             MPRH
Retry count for Register Request  0
Last Heartbeat                    15529
Heartbeat Encap/Decap             496(seq 496)/496(seq 496)
GRE Encap/Decap                   1114/1113
For DHCP Profile ELAB-Management
Retry count for Vlan Add Request  0
Old Subnet Status                 Normal
Existing Subnet Status            Normal

From a slave IAP it looks like this:

ELAB-AP-001# show vpn status

profile name:default
--------------------------------------------------
current using tunnel                              :unselected tunnel
current tunnel using time                         :0
ipsec is preempt status                           :disable
ipsec is fast failover status                     :disable
ipsec hold on period                              :600s
ipsec tunnel monitor frequency (seconds/packet)   :5
ipsec tunnel monitor timeout by lost packet cnt   :6
ipsec primary tunnel crypto type                  :Cert
ipsec primary tunnel peer address                 :N/A
ipsec primary tunnel peer tunnel ip               :N/A
ipsec primary tunnel ap tunnel ip                 :N/A
ipsec primary tunnel using interface              :N/A
ipsec primary tunnel using MTU                    :N/A
ipsec primary tunnel current sm status            :Init
ipsec primary tunnel tunnel status                :Down
ipsec primary tunnel tunnel retry times           :0
ipsec primary tunnel tunnel uptime                :0
ipsec backup tunnel crypto type                   :Cert
ipsec backup tunnel peer address                  :N/A
ipsec backup tunnel peer tunnel ip                :N/A
ipsec backup tunnel ap tunnel ip                  :N/A
ipsec backup tunnel using interface               :N/A
ipsec backup tunnel using MTU                     :N/A
ipsec backup tunnel current sm status             :Init
ipsec backup tunnel tunnel status                 :Down
ipsec backup tunnel tunnel retry times            :0
ipsec backup tunnel tunnel uptime                 :0

ELAB-AP-001# show vpn tunnels

Tunnel Flags: M = Master IAP; S = Slave IAP; P = Primary Tunnel
B = Backup Tunnel; R = Registered; H = Heartbeat Enable

Tunnel Info for peer address 10.100.100.50
--------------------------------------------
Type                              Value
----                              -----
Source IP                         10.99.99.10
Destination IP                    10.100.100.50
End IP                            84.153.110.129
Default GW                        0.0.0.0
Use count                         0
Ifindex                           0
Ifname                            Null
Flags                             SP
Retry count for Register Request  0
GRE Encap/Decap                   0/0
For DHCP Profile ELAB-Management
Retry count for Vlan Add Request  0
Old Subnet Status                 Normal
Existing Subnet Status            Normal

There is no IPsec VPN active on the slave IAP. But there is a GRE tunnel (the lower output), and this GRE tunnel uses the IPsec tunnel of the VC as well. This allows the GRE tunnel to work even in an environment with NAT devices between the IAP and the controller. Isn’t this a great feature?
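An added Python example (not code from the post) for the IAP side: it parses the two-column “show vpn tunnels” table, decodes the tunnel flags with the legend the command prints, and checks that a master carries the primary, registered and heartbeat flags on tun0 with non-zero GRE counters, while a slave (whose GRE rides the VC’s IPsec tunnel) is expected to show Ifname Null. The two samples are constructed excerpts in the shape of the outputs above.

```python
import re

# Constructed excerpts in the shape of the IAP 'show vpn tunnels' output shown in
# the post: one from the master (the VC) and one from a slave IAP of the cluster.
MASTER_SAMPLE = """\
Tunnel Info for peer address 10.100.100.50
Ifname                            tun0
Flags                             MPRH
Retry count for Register Request  0
Last Heartbeat                    15998
Heartbeat Encap/Decap             108(seq 108)/109(seq 108)
GRE Encap/Decap                   1582/1581
"""
SLAVE_SAMPLE = """\
Tunnel Info for peer address 10.100.100.50
Ifname                            Null
Flags                             SP
Retry count for Register Request  0
GRE Encap/Decap                   0/0
"""
# Flag legend as printed by the command itself.
FLAG_NAMES = {"M": "master", "S": "slave", "P": "primary", "B": "backup",
              "R": "registered", "H": "heartbeat"}

def parse_vpn_tunnels(text):
    """Key -> value for the two-column table; 'Flags' is also decoded into names."""
    info = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)  # columns are 2+ spaces apart
        if len(parts) == 2:
            info[parts[0]] = parts[1]
    info["flag_names"] = {FLAG_NAMES.get(c, c) for c in info.get("Flags", "")}
    return info

def counters(value):
    """'1582/1581' -> (1582, 1581) for the Encap/Decap columns."""
    enc, dec = value.split("/")
    return int(enc), int(dec)

def tunnel_findings(info):
    """Health findings for one IAP, based on the master/slave roles shown in the post."""
    flags, findings = info["flag_names"], []
    if "master" in flags:
        for need in ("primary", "registered", "heartbeat"):
            if need not in flags:
                findings.append(f"master tunnel missing flag: {need}")
        if info.get("Ifname") != "tun0":
            findings.append(f"master tunnel interface is {info.get('Ifname')}, expected tun0")
        if int(info.get("Retry count for Register Request", "0")) > 0:
            findings.append("register request retries seen")
        if 0 in counters(info.get("GRE Encap/Decap", "0/0")):
            findings.append("no GRE traffic through the tunnel")
    elif "slave" in flags:
        # A slave has no IPsec of its own; its GRE rides the VC tunnel, so Null is expected.
        if info.get("Ifname") != "Null":
            findings.append(f"slave shows its own tunnel interface {info.get('Ifname')}")
    else:
        findings.append("neither master nor slave flag set")
    return findings
```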

You now have the connection between the IAP and the central controller. The different ways to use this connection will come in one of the next posts.

If you find this post interesting, leave me a comment and share it with your friends. If you don’t like the post, leave me a comment and share it with your enemy. But whatever you do, leave me a comment, now.
