AOS 8 VPNC configuration issues

Hi all, I’m trying to lab out a solution and am stuck…

All devices running AOS 8.9.0.0.

I have a 7010 controller happily talking to an MM at the “Datacenter” side of things. This controller has a public IP.

I have a 7010 controller at a remote site, with a public IP.

Hub & Spoke is enabled on the datacenter controller, with it configured as a Hub. Connection mode is “Manual”, and I have the MAC address of the remote controller entered, using the Factory Cert.

On the remote controller, during initial CLI setup, I configured as follows:

Enter IP type to terminate IPSec tunnel or secured websocket connection (ipv4|ipv6) [ipv4]:

Enter Conductor switch IP address/FQDN or ACP IP address/FQDN: 172.17.100.209

Enter Conductor switch Type? (MM|ACP) [MM]:

Is this a VPN concentrator for managed device to reach Conductor switch (yes|no) [no]:

This device connects to Conductor switch via VPN concentrator (yes|no) [no]: yes

Enter VPN concentrator IP address or FQDN:

VPN concentrator Authentication method (FactoryCert|PSKwithMAC) [FactoryCert]:

Enter VPN concentrator MAC address:

At this point, the tunnel IS established between the controllers; I can ping each controller from the other, SSH to each controller from the other, etc.

However, I am seeing odd behavior on the MM. I see this entry occurring in the MM event log:

Oct 20 10:17:58 2021 fpapps[5613]: <399838> <5616> |fpapps| switchIpStaticIpsecAddrCfg: Duplicate add of existing ipsec route 10.1.101.1/255.255.255.255 -> default-local-conductor-ipsecmap-20:4c:03:56:9d:62 cost 20

So the route is not being installed to allow the MM to talk all the way through to the remote controller.

The weird thing is if I manually add a static route (ip route 10.1.101.1 255.255.255.255 172.17.4.44), that route never populates in the routing table. For that matter, ANY static route I add to the MM never populates in the routing table.

Any thoughts here? Thank you!

I suggest going to the ASE site and seeing what it says to do:

https://ase.arubanetworks.com/solutions/id/171

If that recipe is not what you want, just search for VPNC in the top right. There are a few others.

You are using 8.9.0.0; the 0.0 release is typically not considered production ready (in my opinion). Have you tried more stable software?

What is the controller-ip on the 7010? The MM (MC) will install a /32 route via the ipsec map.

When you try to install a static route, can you ping the next-hop IP address?

You need to tell the remote controller to advertise networks in the cfg-set. Then the VPNC will pump it up to the MM.

I ended up getting it (mostly) working.

Issue was not due to 8.9.0.0. I downgraded everything to 8.6.0.14 and the issue remained.

So here’s what I was seeing:

In the MM route table, there SHOULD be a route automatically added for 10.1.101.1, but it is not in the routing table:

S* 0.0.0.0/0 [0/1] via 172.17.100.1*

C 172.17.100.0/24 is directly connected, VLAN1

C 172.17.4.44/32 is an ipsec map default-local-conductor-ipsecmap

HOWEVER, a static route was automatically added to the config:

ip route 10.1.101.1 255.255.255.255 ipsec default-local-conductor-ipsecmap-20:4c:03:56:9d:62 20

HOWEVER, this route was not being installed into the routing table… In the controller log I saw:

Oct 20 19:32:53 2021 fpapps[8910]: <399838> <8913> |fpapps| arubaUsmDbIPStaticIpSecAddrCfg:644: pending static route cfg 10.1.101.1/255.255.255.255.Route will be added when the Ipsec Map (default-local-conductor-ipsecmap-20:4c:03:56:9d:62) is created

Oct 20 19:32:53 2021 fpapps[8910]: <399838> <8913> |fpapps| switchIpStaticIpsecAddrCfg: Route (10.1.101.1/255.255.255.255, cost 20) will be added when the Ipsec Map (default-local-conductor-ipsecmap-20:4c:03:56:9d:62) is created and tunnel is UP

Oct 20 19:33:23 2021 fpapps[8910]: <399838> <8913> |fpapps| switchIpStaticIpsecAddrCfg: Duplicate add of existing ipsec route 10.1.101.1/255.255.255.255 -> default-local-conductor-ipsecmap-20:4c:03:56:9d:62 cost 20

I was not able to find a reason why this route would be installed. So I added a route that looks like this:

ip route 10.1.101.1 255.255.255.255 ipsec default-local-conductor-ipsecmap

(You’ll notice it looks very much like the route that was added to the config automatically, but lacks the MAC address appended to the end).

This works!

S* 0.0.0.0/0 [0/1] via 172.17.100.1*

S 10.1.101.1/32 [0/1] ipsec map default-local-conductor-ipsecmap

C 172.17.100.0/24 is directly connected, VLAN1

C 172.17.4.44/32 is an ipsec map default-local-conductor-ipsecmap

I still have not determined WHY that automatic route for 10.1.101.1 was not added automatically (I’d like that to work as we continue to roll out more remote controllers). But for a basic PoC, this will do the job.
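As an added example (not code from the thread or from Aruba), the check below turns the comparison the poster did by hand into a script: it parses the "ip route ... ipsec <map> [cost]" lines from the running config and the "show ip route" output, reports any ipsec static route that is configured but not installed, and notes whether the map name with the "-<MAC>" suffix stripped is the one actually present in the table. The sample inputs are constructed from the outputs quoted above; the regexes assume the line layouts shown in this thread.

```python
import re

# Constructed sample input, modelled on the outputs quoted in the thread (not a live capture).
ROUTE_TABLE_BEFORE = """\
S* 0.0.0.0/0 [0/1] via 172.17.100.1*
C 172.17.100.0/24 is directly connected, VLAN1
C 172.17.4.44/32 is an ipsec map default-local-conductor-ipsecmap
"""
CONFIG_AUTO = "ip route 10.1.101.1 255.255.255.255 ipsec default-local-conductor-ipsecmap-20:4c:03:56:9d:62 20\n"
CONFIG_FIXED = "ip route 10.1.101.1 255.255.255.255 ipsec default-local-conductor-ipsecmap\n"
ROUTE_TABLE_AFTER = ROUTE_TABLE_BEFORE + "S 10.1.101.1/32 [0/1] ipsec map default-local-conductor-ipsecmap\n"

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
STATIC_RE = re.compile(rf"^ip route {IPV4} {IPV4} ipsec (\S+)(?: (\d+))?$", re.M)
TABLE_RE = re.compile(r"^\S+\s+(\d+\.\d+\.\d+\.\d+/\d+)(.*)$", re.M)
MAC_SUFFIX_RE = re.compile(r"-(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)

def mask_to_len(mask):
    """Dotted-quad mask -> prefix length (255.255.255.255 -> 32)."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))

def parse_static_ipsec_routes(config):
    """(prefix, ipsec map name) for each 'ip route A.B.C.D MASK ipsec <map> [cost]' line."""
    return [(f"{ip}/{mask_to_len(mask)}", ipsec_map)
            for ip, mask, ipsec_map, _cost in STATIC_RE.findall(config)]

def parse_route_table(table):
    """Map each installed prefix to the ipsec map it points at (None for non-ipsec routes)."""
    routes = {}
    for prefix, rest in TABLE_RE.findall(table):
        m = re.search(r"ipsec map (\S+)", rest)
        routes[prefix] = m.group(1) if m else None
    return routes

def audit(config, table):
    """Report configured ipsec static routes that never made it into the routing table."""
    installed = parse_route_table(table)
    present_maps = {m for m in installed.values() if m}
    findings = []
    for prefix, ipsec_map in parse_static_ipsec_routes(config):
        if prefix in installed:
            continue
        base_map = MAC_SUFFIX_RE.sub("", ipsec_map)  # strip a trailing '-<MAC>' suffix, if any
        findings.append({"prefix": prefix, "map": ipsec_map,
                         "map_present": ipsec_map in present_maps,
                         "base_map": base_map, "base_map_present": base_map in present_maps})
    return findings

if __name__ == "__main__":
    for f in audit(CONFIG_AUTO, ROUTE_TABLE_BEFORE):
        print(f"{f['prefix']} not installed: map {f['map']} present={f['map_present']}; "
              f"base map {f['base_map']} present={f['base_map_present']}")
```

Run against the "before" state it flags 10.1.101.1/32 with the MAC-suffixed map absent and the base map present; against the "after" state it reports nothing.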