IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers



Similar documents
APNIC elearning: IPSec Basics. Contact: esec03_v1.0

Release Notes. NCP Secure Entry Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3. Known Issues

VPN. VPN For BIPAC 741/743GE

ISG50 Application Note Version 1.0 June, 2011

Use Shrew Soft VPN Client to connect with IPSec VPN Server on RV130 and RV130W

Application Note: Onsight Device VPN Configuration V1.1

How to configure VPN function on TP-LINK Routers

How to configure VPN function on TP-LINK Routers

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Configuring a GB-OS Site-to-Site VPN to a Non-GTA Firewall

Fireware How To VPN. Introduction. Is there anything I need to know before I start? Configuring a BOVPN Gateway

Configuring an IPSec Tunnel between a Firebox & a Check Point FireWall-1

Release Notes. NCP Secure Entry Mac Client. Major Release 2.01 Build 47 May New Features and Enhancements. Tip of the Day

Release Notes. NCP Secure Client Juniper Edition. 1. New Features and Enhancements. 2. Problems Resolved

Configure an IPSec Tunnel between a Firebox Vclass & a Check Point FireWall-1

Configure IPSec VPN Tunnels With the Wizard

Understanding the Cisco VPN Client

Configuring TheGreenBow VPN Client with a TP-LINK VPN Router

Introduction to Security and PIX Firewall

Lab 4.4.8a Configure a Cisco GRE over IPSec Tunnel using SDM

Branch Office VPN Tunnels and Mobile VPN

axsguard Gatekeeper IPsec XAUTH How To v1.6

Building scalable IPSec infrastructure with MikroTik. IPSec, L2TP/IPSec, OSPF

VPN Wizard Default Settings and General Information

IP Office Technical Tip

Secure Remote Monitoring of the Critical System Infrastructure. An Application Note from the Experts in Business-Critical Continuity

Configuring GTA Firewalls for Remote Access

Chapter 4 Virtual Private Networking

How To Industrial Networking

How To Establish IPSec VPN connection between Cyberoam and Mikrotik router

IP Security. Ola Flygt Växjö University, Sweden

Virtual Private Network and Remote Access Setup

Configuring a Check Point FireWall-1 to SOHO IPSec Tunnel

The BANDIT Products in Virtual Private Networks

VNS3 to Cisco ASA Instructions. ASDM 9.2 IPsec Configuration Guide

Create a VPN on your ipad, iphone or ipod Touch and SonicWALL NSA UTM firewall - Part 1: SonicWALL NSA Appliance

Chapter 5 Virtual Private Networking Using IPsec

Viewing VPN Status, page 335. Configuring a Site-to-Site VPN, page 340. Configuring IPsec Remote Access, page 355

Other VPNs TLS/SSL, PPTP, L2TP. Advanced Computer Networks SS2005 Jürgen Häuselhofer

IP Office Technical Tip

Chapter 8 Virtual Private Networking

Cisco Which VPN Solution is Right for You?

Virtual Private Network VPN IPSec Testing: Functionality Interoperability and Performance

Configuring a FortiGate unit as an L2TP/IPsec server

Configuring IPSec VPN Tunnel between NetScreen Remote Client and RN300

UTM - VPN: Configuring a Site to Site VPN Policy using Main Mode (Static IP address on both sites) i...

Computer Networks. Secure Systems

ASA and Native L2TP IPSec Android Client Configuration Example

FortiOS Handbook - IPsec VPN VERSION 5.2.2

Lab Configure a PIX Firewall VPN

Technical Document. Creating a VPN. GTA Firewall to WatchGuard Firebox SOHO 6 TD: GB-WGSOHO6

GB-OS. VPN Gateway. Option Guide for GB-OS 4.0. & GTA Mobile VPN Client Version 4.01 VPNOG

Netopia TheGreenBow IPSec VPN Client. Configuration Guide.

Configuring a Site-to-Site VPN Tunnel Between Cisco RV320 Gigabit Dual WAN VPN Router and Cisco (1900/2900/3900) Series Integrated Services Router

IP Security. IPSec, PPTP, OpenVPN. Pawel Cieplinski, AkademiaWIFI.pl. MUM Wroclaw

VPN Configuration Guide. ZyWALL USG Series / ZyWALL 1050

Using IKEv2 on Juniper Networks Junos Pulse Secure Access Appliance

Vodafone MachineLink 3G. IPSec VPN Configuration Guide

VPNs. Palo Alto Networks. PAN-OS Administrator s Guide Version 6.0. Copyright Palo Alto Networks

IPSec XAUTH How To. Version 8.0.0

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

VPN SECURITY. February The Government of the Hong Kong Special Administrative Region

CCNA Security 1.1 Instructional Resource

Configuration Guide. How to establish IPsec VPN Tunnel between D-Link DSR Router and iphone ios. Overview

Configuring a VPN between a Sidewinder G2 and a NetScreen

FortiOS Handbook IPsec VPN for FortiOS 5.0

DFL-210/260, DFL-800/860, DFL-1600/2500 How to setup IPSec VPN connection

Configuring a Lan-to-Lan VPN with Overlapping Subnets with Juniper NetScreen/ISG/SSG Products

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

IPSec Pass through via Gateway to Gateway VPN Connection

Cyberoam Configuration Guide for VPNC Interoperability Testing using DES Encryption Algorithm

Overview. Protocols. VPN and Firewalls

Virtual Private Networks

OvisLink 8000VPN VPN Guide WL/IP-8000VPN. Version 0.6

Príprava štúdia matematiky a informatiky na FMFI UK v anglickom jazyku

Bit Chat: A Peer-to-Peer Instant Messenger

Dr. Arjan Durresi. Baton Rouge, LA These slides are available at:

Objectives. Remote Connection Options. Teleworking. Connecting Teleworkers to the Corporate WAN. Providing Teleworker Services

Cloud Security Best Practices

FortiOS Handbook - IPsec VPN VERSION 5.2.4

How To Configure Apple ipad for Cyberoam L2TP

Configuring an IPSec Tunnel between a Firebox & a Cisco PIX 520

VPN s and Mobile Apps for Security Camera Systems: EyeSpyF-Xpert

VPN R Administration Guide. 15 October Classification: [Protected]

VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets

Internet Protocol Security IPSec

VPN SECURITY POLICIES

How To Configure L2TP VPN Connection for MAC OS X client

GNAT Box VPN and VPN Client

Data Sheet. NCP Secure Enterprise Client Windows. Next Generation Network Access Technology

ZyWALL 5. Internet Security Appliance. Quick Start Guide Version 3.62 (XD.0) May 2004

VPN. Date: 4/15/2004 By: Heena Patel

Lecture 17 - Network Security

Brocade 5600 vrouter IPsec Site-to-Site VPN

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

How To Set Up A Vpn Tunnel Between Winxp And Zwall On A Pc 2 And Winxp On A Windows Xp 2 On A Microsoft Gbk2 (Windows) On A Macbook 2 (Windows 2) On An Ip

Virtual Private Network (VPN)

Network Security. Lecture 3

Connecting Remote Offices by Setting Up VPN Tunnels

Transcription:

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers Application Note Revision 1.0 10 February 2011 Copyright 2011. Aruba Networks, Inc. All rights reserved.

IPsec VPN Security between Aruba Remote Access Points and Mobility Controllers Table of Contents Introduction... 3 IPsec VPN setup and L2TP/PPP operation between the Aruba RAP and Mobility Controller... 4 2011 by Aruba Networks Inc. All rights reserved. Page 2 of 7

Introduction ArubaOS supports the Layer 2 Tunneling Protocol (L2TP) with IPsec VPN client termination to create a VPN tunnel from an Aruba Remote Access Point (RAP) to an Aruba Mobility Controller at the data center or headquarters. L2TP is a UDP protocol (Port 1701) that is used to tunnel a Layer 2 protocol like PPP across a Layer 3 network like the Internet. The RAP first sets up an IPsec tunnel (secure channel) and then sets up an L2TP tunnel within IPsec. It then starts a PPP connection within L2TP/IPsec, which is authenticated. The Mobility Controller assigns an inner-ip that the RAP uses for all traffic originating from it. The inner-ip packet is tunneled within PPP/L2TP and secured via the IPsec tunnel. Figure 1 : Original IP packet is tunneled through an L2TP tunnel and encapsulated using IPsec encryption. The Aruba Mobility Controller must have VPN server functionality configured to terminate the secure RAPs. The configuration consists of the authentication protocols, an address pool for RAPs, DNS information, shared secret for RAPs, and a policy governing the shared secret, including priority, encryption, hash algorithm, authentication, group and lifetime. This document describes the steps involved in creating the secure IPsec channel between the RAP and the Mobility Controller, and highlights some of the key algorithms that are used in the IPsec tunnel negotiation and setup. 2011 by Aruba Networks Inc. All rights reserved. Page 3 of 7

IPsec VPN setup and L2TP/PPP operation between the Aruba RAP and Mobility Controller Figure 2 : IPsec secure tunnel and L2TP tunnel setup between the Aruba RAP and Mobility Controller. Prior to sending any data from the remote sites to the data center or headquarters, the RAP (client) first sets up an IPsec tunnel and then sets up a L2TP tunnel within IPsec. The process of setting up an L2TP/IPsec VPN between the Aruba RAP and Mobility Controller is as follows: 1. Internet key Exchange (IKE) protocol v1: The negotiation of IPsec security association (SA) is done using IKE v1. IKE authentication can be configured to use either pre-shared keys (PSK) or digital certificates to provide authentication (RSA Signature Algorithm). IKE provides NAT-T capabilities for RAPs that may be behind a NAT device. If there is a NAT device in the path between the two VPN endpoints, the IKE protocol will automatically detect the presence of 2011 by Aruba Networks Inc. All rights reserved. Page 4 of 7

the NAT device by comparing a set of hashes, which are based on the IP address and UDP port of the IKE packet. If there is a hash mismatch, IKE detects the presence of the NAT device. In most implementations, IKE uses UDP Port 500 and UDP 4500. IKE sta rts the initial negotiation with Port 500 and then floats the port to 4500 if NAT is detected. However, only Port 4500 has to be enabled to allow RAP to establish its tunnel to the Mobility Controller. The general recommendation is to enable both ports on the Internet-facing firewall to allow for wider compatibility with other operating systems. IKE can be configured to use Diffie- Helman (DH) groups 1 or 2 for the key exchange or for Perfect Forward Secrecy (PFS) in Phase 2. 160-bit SHA1 can be configured for Phase 1 and 2. IKE also provides the Dead Peer Detection (DPD) functionality, which is the keep-alive mechanism that detects if the peer is down. The controller will not send out DPDs in the remote access scenario and will only respond with DPD ACKs to ensure that the RAP will keep the IKE/IPsec tunnels up. On the Aruba Mobility Controller, which is the VPN termination point, the Policy Enforcement Firewall (PEF) and AP licenses 1 are required for VPN termination of the RAP. A RAP is identified by a specific vendor-id during IKE main-mode SA establishment. This is used to check the number of APs that are connected to the controller. For more information regarding required licenses and the licensing limits, please refer to the user guide. The second step is the creation of the IPsec Security Associations (IPsec SAs). This is Phase 2 of the VPN tunnel establishment and is the creation of the Encapsulating Security Payload (ESP) communication. The IP protocol number for ESP is 50. At this point, a secure channel or VPN tunnel has been established between the RAP and the Mobility Controller. The IPsec tunnel between the RAP and the Mobility Controller uses transport mode with L2TP. IPsec Maximum Transmission Unit (MTU) can be configured the default is set to 1550. IPsec Encryption The following cryptographic algorithms are available foe encryption in ArubaOS: 3DES and AES 128- bit or 256-bit. ESP-NULL is a no-encryption option and is also available. However, this is not a recommended option since it does not provide any data confidentiality. 1 The AP license will apply to all APs connected to the controller regardless of whether they are campus APs, remote APs and mesh APs. 2011 by Aruba Networks Inc. All rights reserved. Page 5 of 7

When the double encryption feature is enabled, data traffic from a wireless client connected to a tunneled SSID is encrypted at Layer 2. This encrypted data is then re-encrypted in the IPsec tunnel that is setup from the RAP to the Mobility Controller. Disabling the double encryption will cause the wireless frames to be encrypted only using IPsec from the RAP to the Mobility Controller. However, the 802.11 traffic from the client to the RAP will be sent in the clear. The recommendation is to always use WPA/WPA-2, TKIP or AES encryption for the 802.11 traffic, even though the traffic Is being re-encrypted with IPsec from the RAP to the Mobility Controller. 2. Once the IPsec tunnel (Phase 2) has been created, the negotiation and establishment of the L2TP tunnel happens between the SA endpoints. The actual negotiation of parameters takes place over the SA's secure channel and within the IPsec encryption. The L2TP packets between the endpoints are ESP encapsulated by IPsec, which ensures the security of the internal private network. A key point to note is that the L2TP port, UDP 1701, does not have to be open on the firewall since the L2TP packets are encrypted and will not be processed until after decryption, which happens on the endpoints (RAP and Mobility Controller). With IKE and L2TP/PPP, two-level authentication is supported device authentication and user authentication. Password authentication protocol (PAP) is the method of authentication supported for the RAP client. L2TP hellos detect if the peer is gone, bring down the L2TP tunnel and then signal IKE to bring down the IKE/IPsec tunnel. This can be configured on the Mobility Controller. In the tunnel mode of operation, the 802.11 data packets, action frames and EAPOL frames are sent to the Mobility Controller. They are not processed on the Remote AP. The 802.11 data packets and frames are encapsulated in GRE and sent over the IPsec tunnel to the Mobility Controller. 2011 by Aruba Networks Inc. All rights reserved. Page 6 of 7

2011 Aruba Networks, Inc. AirWave, Aruba Networks, Aruba Mobility Management System, Bluescanner, For Wireless That Works, Mobile Edge Architecture, People Move. Networks Must Follow, RFprotect, The All Wireless Workplace Is Now Open For Business, Green Island, and The Mobile Edge Company are trademarks of Aruba Networks, Inc. All rights reserved. Aruba Networks reserves the right to change, modify, transfer, or otherwise revise this publication and the product specifications without notice. While Aruba uses commercially reasonable efforts to ensure the accuracy of the specifications contained in this document, Aruba will assume no responsibility for any errors or omissions. Note: All scaling metrics outlined in this document are maximum supported values. The scale may vary depending upon the deployment scenario and features enabled. 2011 by Aruba Networks Inc. All rights reserved. Page 7 of 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information