Understanding VPN Features

As Instant APs use a virtual controller architecture, the Instant AP network does not require a physical controller to provide the configured WLAN services. However, a physical controller is required for terminating VPN tunnels from the Instant AP networks at branch locations to data centers, where the Aruba controller acts as a VPN concentrator.

When a VPN is configured, the Instant AP acting as the virtual controller creates a VPN tunnel to an Aruba Mobility Controller in your corporate office. The controller acts as a VPN endpoint and does not supply the Instant AP with any configuration.

The VPN features are recommended for the following setups:

Enterprises with many branches that do not have a dedicated VPN connection to the corporate office.

Branch offices that require multiple Instant APs.

Individuals working from home and connecting to the VPN.

The survivability feature of Instant APs, combined with the VPN connectivity of Remote APs, allows you to provide corporate connectivity on non-corporate networks.

Supported VPN Protocols

Instant supports the following VPN protocols for remote access:

Table 1: VPN Protocols

VPN Protocol: Aruba IPsec

Description: IPsec is a protocol suite that secures IP communications by authenticating and encrypting each IP packet of a communication session.

You can configure an IPsec tunnel to ensure that the data flow between the networks is encrypted. However, you can configure a split-tunnel to encrypt only the corporate traffic.

When IPsec is configured, ensure that you add the Instant AP MAC addresses to the whitelist database stored on the controller or an external server. IPsec supports Local, L2, and L3 modes of IAP-VPN operations.

NOTE: The Instant APs support IPsec only with Aruba Controllers.

VPN Protocol: Layer-2 GRE

Description: GRE is a tunnel protocol for encapsulating multicast, broadcast, and L2 packets between a GRE-capable device and an endpoint. Instant APs support the configuration of an L2 GRE tunnel with an Aruba controller to encapsulate the packets sent and received by the Instant AP.

You can use the GRE configuration for L2 deployments when there is no encryption requirement between the Instant AP and the controller for client traffic.

Instant APs support two types of GRE configuration:

Manual GRE—The manual GRE configuration sends unencrypted client traffic with an additional GRE header and does not support failover. When manual GRE is configured on the Instant AP, ensure that the GRE tunnel settings are enabled on the controller.

Aruba GRE—With Aruba GRE, no configuration on the controller is required except for adding the Instant AP MAC addresses to the whitelist database stored on the controller or an external server. Aruba GRE reduces manual configuration when per-AP tunnel configuration is required and supports failover between two GRE endpoints.

NOTE: Instant APs support manual and Aruba GRE configuration only for the L2 mode of operation. Aruba GRE configuration is supported only on Aruba Controllers.

Diffie-Hellman Algorithm

Diffie-Hellman is a key agreement algorithm that allows two parties to agree upon a shared secret, and is used within IKE to securely establish session keys.

Instant supports the following Diffie-Hellman groups:

Group 2: 1024-bit Diffie–Hellman prime modulus group

Group 14: 2048-bit Diffie–Hellman prime modulus group

By default, Instant APs attempt to use Diffie–Hellman Group 2 to set up an IAP VPN connection. If the controller rejects Diffie–Hellman Group 2, the Instant APs can use Diffie–Hellman Group 14.

Diffie–Hellman Group 2 is not permitted if FIPS mode is enabled on an Instant AP.
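The following is an added example, not Aruba code, showing the two Diffie–Hellman groups listed above doing a full key agreement, together with the group-selection policy the text describes (propose Group 2, fall back to Group 14 if rejected, never use Group 2 in FIPS mode). The 1024-bit and 2048-bit MODP primes are transcribed from RFC 2409 (Group 2) and RFC 3526 (Group 14), both with generator 2. The names `dh_keypair`, `dh_shared`, `negotiate_group` and `demo` are this example's own, and the choice to return `None` when no group is agreeable is an assumption about how a failed negotiation should be reported.

```python
# Added example (not Aruba code): Diffie-Hellman key agreement over the
# 1024-bit (Group 2) and 2048-bit (Group 14) MODP groups, plus the
# group-selection policy described on the page.
import secrets

# RFC 2409 "Second Oakley Group" (Group 2), 1024-bit prime, generator 2.
GROUP2_P = int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".replace(" ", "").replace("\n", ""), 16)

# RFC 3526 2048-bit MODP group (Group 14), generator 2.
GROUP14_P = int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".replace(" ", "").replace("\n", ""), 16)

GROUPS = {2: (GROUP2_P, 2), 14: (GROUP14_P, 2)}


def dh_keypair(group):
    """Generate (private exponent, public value) for the given DH group."""
    p, g = GROUPS[group]
    # Uniform private exponent in [2, p-2]; simple and safe for a demo.
    x = secrets.randbelow(p - 3) + 2
    return x, pow(g, x, p)


def dh_shared(group, my_private, peer_public):
    """Derive the shared secret; reject peer values in the trivial subgroups
    (0, 1, p-1), which would let a peer force a predictable secret."""
    p, _ = GROUPS[group]
    if not 1 < peer_public < p - 1:
        raise ValueError("invalid peer public value")
    return pow(peer_public, my_private, p)


def negotiate_group(fips_mode, controller_accepts):
    """Return the DH group an IAP would settle on, or None if none is agreeable.
    Policy as stated on the page: propose Group 2 first and fall back to
    Group 14 if the controller rejects it; in FIPS mode Group 2 is never
    proposed. Returning None on total failure is this example's assumption."""
    order = [14] if fips_mode else [2, 14]
    for candidate in order:
        if candidate in controller_accepts:
            return candidate
    return None


def demo(group):
    """Run one IAP <-> controller exchange in the given group.
    Returns (both sides derived the same secret, modulus size in bits)."""
    iap_priv, iap_pub = dh_keypair(group)
    ctl_priv, ctl_pub = dh_keypair(group)
    secret_iap = dh_shared(group, iap_priv, ctl_pub)
    secret_ctl = dh_shared(group, ctl_priv, iap_pub)
    return secret_iap == secret_ctl, GROUPS[group][0].bit_length()


if __name__ == "__main__":
    for fips, accepts in [(False, {2, 14}), (False, {14}), (True, {2, 14}), (True, {2})]:
        print(f"fips={fips} controller_accepts={sorted(accepts)} -> group {negotiate_group(fips, accepts)}")
    for grp in (2, 14):
        print(f"group {grp}: agreed={demo(grp)[0]} bits={demo(grp)[1]}")
```

The negotiation table makes the FIPS interaction explicit: an AP in FIPS mode talking to a controller that only accepts Group 2 has no common group left, so the tunnel cannot come up. Operationally, the 1024-bit group is the weaker of the two, and enabling Group 14 on the controller side is what lets the AP's fallback succeed.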

Enabling Cipher Algorithms

Starting from Instant 8.4.0.0, you can configure the following ciphers based on your preference, to establish an SSH connection with the Instant AP:

AES-CBC

AES-CTR

You cannot disable both ciphers together. At any given point in time, one or both of the ciphers is enabled.

By default, these ciphers are enabled. You can configure the ciphers by using the CLI.

In the CLI

The following command enables AES-CBC and disables AES-CTR on the SSH server:

(Instant AP)(config) #ssh disable-ciphers aes-ctr

The following command re-enables the disabled ciphers on the SSH server:

(Instant AP)(config) #no ssh disable-ciphers

The following command displays the SSH configuration details:

(Instant AP) #show ssh
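The following is an added example, not Aruba code, that shows what the `ssh disable-ciphers` setting above means for an actual SSH session. It models the server's offered cipher list after one family is disabled (refusing the disallowed case of disabling both), and applies the standard SSH selection rule from RFC 4253 section 7.1: the chosen cipher is the first entry in the client's preference list that the server also offers. The algorithm names are the standard SSH identifiers; the functions `server_cipher_list` and `negotiate_cipher` and the sample client lists are this example's own.

```python
# Added example (not Aruba code): effect of `ssh disable-ciphers` on SSH
# cipher negotiation, using the RFC 4253 selection rule.

# Standard SSH algorithm names for the two families the page lets you toggle.
AES_CBC = ["aes128-cbc", "aes192-cbc", "aes256-cbc"]
AES_CTR = ["aes128-ctr", "aes192-ctr", "aes256-ctr"]
FAMILIES = {"aes-cbc": AES_CBC, "aes-ctr": AES_CTR}


def server_cipher_list(disabled):
    """Ciphers the AP's SSH server still offers after disabling the given
    families ("aes-cbc" and/or "aes-ctr"). The page states both cannot be
    disabled at once, so that request is refused rather than applied."""
    disabled = set(disabled)
    if disabled >= set(FAMILIES):
        raise ValueError("refusing to disable both cipher families")
    offered = []
    for name, ciphers in FAMILIES.items():
        if name not in disabled:
            offered.extend(ciphers)
    return offered


def negotiate_cipher(client_prefs, server_offered):
    """RFC 4253 section 7.1: pick the first client-preferred algorithm that
    the server also supports; None means the connection cannot proceed."""
    server = set(server_offered)
    for cipher in client_prefs:
        if cipher in server:
            return cipher
    return None


if __name__ == "__main__":
    # Constructed client preference lists (not captured from any real client).
    client_with_cbc_fallback = ["aes256-ctr", "aes128-ctr", "aes256-cbc"]
    client_ctr_only = ["aes256-ctr", "aes128-ctr"]
    for label, disabled in [("default", []), ("aes-ctr disabled", ["aes-ctr"])]:
        offered = server_cipher_list(disabled)
        print(label, "->",
              negotiate_cipher(client_with_cbc_fallback, offered),
              negotiate_cipher(client_ctr_only, offered))
```

The second client in the demo illustrates the practical caveat: many current SSH clients do not offer CBC ciphers in their default list, so disabling AES-CTR on the AP can leave such clients with no common cipher and no way to log in until the setting is reverted with `no ssh disable-ciphers`.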