masterip

masterip <ipaddr>

ipsec <key> [fqdn <local-fqdn>] interface <uplink |{vlan <id>}] peer-mac-1 <peermac1

ipsec-custom-cert master-mac-1-c <mac-1-c> ca-cert <ca> fqdn <fqdn> [interface uplink|{vlan <id>}] [master-mac-2-c <mac-2-c>] server-cert <cert> [suite‑b gcm-128|gcm-256]

ipsec-factory-cert master-mac-1 <mac>

vpn-ip <vpnip>

 

Description

This command configures the IP address and pre-shared key (PSK) or certificate for the Mobility Master on a managed device.

Syntax

 

Parameter

Description

<ipaddr>

IP address of the Mobility Master.

ipsec <key>

To establish the master-local IPsec tunnel using IKEv1, enter a preshared key between 6-64 characters.

fqdn

Identify a dynamically addressed managed device by entering the FQDN of the controller.

interface

Specify the uplink or VLAN interface on the Mobility Master to initiate IKE.

peer-mac-1

Specify the peer MAC string.

NOTE: If the peer device is an x86 server, then configure the MAC address of the management interface of the managed device. However, if the peer device is a hardware platform, you must provide the MAC address of the VLAN interface of the managed device.

ipsec-custom-cert

Use a custom-installed certificate on the Mobility Master to establish a master-local IPsec tunnel using IKEv2.

master-mac-1 <mac-1-c>

The MAC address of the Mobility Master.

master-mac-2 <mac-2-c>

(Optional) The MAC address of the backup Mobility Master.

ca-cert <ca>

User-defined name of a trusted CA certificate installed on the Mobility Master. Use the show crypto-local pki TrustedCA command to display the CA certificates that have been imported into the controller.

server-cert <cert>

User-defined name of a server certificate installed on the Mobility Master. Use the show crypto-local pki ServerCert command to display the server certificates that have been imported into the controller.

interface

Specify the uplink or VLAN interface on the Mobility Master to initiate IKE.

   uplink

Use the Mobility Master’s current active uplink to initiate IKE.

   vlan <id>

Specify a VLAN interface on the Mobility Master to initiate IKE. If you do not specify a VLAN, the controller IP will be used.

fqdn <fqdn>

Identify a dynamically addressed managed device by entering the FQDN of the controller.

suite‑b

If you configure your Mobility Master and managed devices to use IKEv2 and custom-installed certificates, you can optionally use Suite-B cryptographic algorithms for IPsec encryption. Specify one of the following options:

gcm-128: Use 128-bit AES-GCM Suite-B encryption.

gcm-256: Use 256-bit AES-GCM Suite-B encryption.

ipsec-factory-cert

Use the factory-installed certificate on the Mobility Master to establish a master-local IPsec tunnel using IKEv2.

master-mac-1 <mac-1-c>

The MAC address of the certificate on the Mobility Master.

master-mac-2 <mac-2-c>

(Optional) The MAC address of the certificate on the backup Mobility Master.

interface

Specify the uplink or VLAN interface on the Mobility Master to initiate IKE.

   uplink

Use the Mobility Master’s current active uplink to initiate IKE.

   vlan <id>

Specify a VLAN interface on the Mobility Master to initiate IKE. If you do not specify a VLAN, the controller IP will be used.

fqdn <fqdn>

Identify a dynamically addressed managed device by entering the FQDN of the controller.

vpn-ip

Specify the IP address of the VPN concentrator.

Usage Guidelines

Use this command on a managed device to configure the IP address and PSK or certificate for secure communication with the Mobility Master. On the Mobility Master, use the localip command to configure the IP address and preshared key or certificate for a managed device.

 

The parameters in this command can also be defined using the initial setup wizard when the managed device is first configured. The best practice is to define masterip settings using this wizard. If the IP address of the Mobility Master on a managed device is changed, the managed device should be rebooted.

If your Mobility Master and managed devices use a pre-shared key for authentication, they will create the IPsec tunnel using IKEv1. If your Mobility Master and managed devices use certificates for authentication, the IPsec tunnel will be created using IKEv2.

Example

The following command configures the Mobility Master with a PSK:

(host) [mynode] (config) #masterip 10.1.1.250 ipsec gw1234567
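
As an added illustration (not part of the Aruba documentation), the following Python script audits masterip lines in a saved configuration using the rules stated on this page: a pre-shared key means IKEv1, a certificate means IKEv2, the key must be 6-64 characters, and suite-b applies to custom certificates. The function names and the sample MAC, FQDN and certificate names are assumptions made for the example.

```python
import re

SUITE_B = {"gcm-128", "gcm-256"}  # options listed in the parameter table
CMD = re.compile(r"(?:^|#)\s*masterip\s+(\S+)\s+(\S+)(.*)$")

def audit_masterip(line):
    """Classify one masterip line; return None if the line is not a masterip command."""
    m = CMD.search(line.strip().replace("\u2011", "-"))  # the syntax line prints suite-b with U+2011
    if not m:
        return None
    master, mode, args = m.group(1), m.group(2), m.group(3).split()
    r = {"master": master, "auth": mode, "ike": None, "suite_b": None, "findings": []}
    if mode == "ipsec":
        r["ike"] = "IKEv1"  # pre-shared key => IKEv1 (Usage Guidelines)
        key = args[0] if args else ""
        if not 6 <= len(key) <= 64:
            r["findings"].append("PSK is outside the documented 6-64 character range")
        r["findings"].append("PSK authentication: tunnel negotiates IKEv1, not IKEv2")
    elif mode in ("ipsec-custom-cert", "ipsec-factory-cert"):
        r["ike"] = "IKEv2"  # certificates => IKEv2 (Usage Guidelines)
        if "suite-b" in args:
            i = args.index("suite-b")
            value = args[i + 1] if i + 1 < len(args) else None
            if mode == "ipsec-factory-cert":
                r["findings"].append("suite-b is documented only for ipsec-custom-cert")
            elif value in SUITE_B:
                r["suite_b"] = value  # requires the ACR license
            else:
                r["findings"].append("suite-b must be gcm-128 or gcm-256")
    elif mode != "vpn-ip":  # vpn-ip is a documented option with nothing to audit here
        r["findings"].append("unrecognised masterip option: " + mode)
    return r

def audit_config(text):
    """Return one result per masterip line found in a configuration dump."""
    return [r for r in map(audit_masterip, text.splitlines()) if r]

# Constructed sample input: only the first line is the page's example; the rest is made up.
SAMPLE = """\
(host) [mynode] (config) #masterip 10.1.1.250 ipsec gw1234567
masterip 10.1.1.250 ipsec abc
masterip 10.1.1.250 ipsec-custom-cert master-mac-1-c 00:00:5e:00:53:01 ca-cert example-ca fqdn md1.example.com server-cert example-srv suite-b gcm-256
masterip 10.1.1.250 ipsec-factory-cert master-mac-1 00:00:5e:00:53:01
hostname md1
"""

if __name__ == "__main__":
    for result in audit_config(SAMPLE):
        print(result)
```
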

Command History

Release: ArubaOS 8.0.0.0

Modification: Command introduced.

Command Information

Platform: All platforms

License: The suite-b gcm-128 and suite-b gcm-256 encryption options for IPsec custom certificates require the Advanced Cryptography (ACR) license. All other parameters are available in the base operating system.

Command Mode: Config mode on Mobility Master.
