29-Apr-24

Gateway Configuration

The configuration on Aruba Gateways can be divided into 4 parts:

· Custom Cloud Connect Configuration.

· NextHop Configuration and Policies within the list.

· Policy-Based Routing to re-direct only relevant traffic through SSE tunnels.

· Applying the PBR policy to relevant Roles or VLANs.

Custom Cloud Connect Configuration

A new feature in Aruba’s SD-Branch solution provides an easy-to-use workflow for integrating various Cloud SSE providers, including Axis. IPsec tunnel configuration settings are preconfigured based on the vendor selected.

Partner integration is performed at the Global level and all the IPsec configurations will be applied at the device level.

Navigate to the Global context of Aruba Central and then select Network Services>Cloud Connect. Click Settings and then Custom under the Accounts page. Now click the ‘+ Plus’ sign to create a new Partner integration.


Fill in the details about the new Partner Account as follows:

Name: Provide a name of your choice

Tunnel Settings: You can select one of the 9 preset Partner settings. For Axis integration, select the Aruba SSE option. An informational icon will appear; clicking on it displays the IPsec tunnel settings that Aruba SD-Branch gateways and Microbranch Access Points will use.

Tunnel Local ID Format: Choose a Local FQDN Format, an Email Format, or the WAN Public IP Address of the device. The selected format is used when creating the Tunnel Authentication ID and Pre-shared key. For the integration with HPE Aruba Networking SSE, use the email format, as described in the SSE documentation portal.

Tunnel Local ID Suffix: Specify the Local ID Suffix for the tunnel. Cloud Connect appends it to the end of the IKE ID, generating credentials with the following format: “aruba-random-hash-uplink-name@tunnel-suffix”. The generated IKE ID does not have to represent any real domain or email address. It is simply used as an identifier in the tunnel authentication process.


Click the ‘+ Plus’ sign in the Remote Endpoint Definitions table to define the Axis tunnel’s endpoint. Axis provides both a primary and a secondary URL, which use DNS geolocation to return the closest 2 SSE nodes to the Gateway or Microbranch location. When doing so, Cloud Connect also provides the option to include an HTTPS-based tunnel monitoring URL to validate the performance of traffic going through SSE tunnels.

Configure the primary and secondary endpoints as follows:

First Endpoint Definition:

  • Name: primary-axis-pop
  • FQDN: ipsec-proxy-geo.axisapps.io
  • Tunnel Probe Type: HTTP
  • Tunnel Monitor IP/URL: https://sp-ipsla.silverpeak.cloud

Second Endpoint Definition:

  • Name: secondary-axis-pop
  • FQDN: ipsec-proxy-secondary-geo.axisapps.io
  • Tunnel Probe Type: HTTP
  • Tunnel Monitor IP/URL: https://sp-ipsla.silverpeak.cloud


After saving the SSE account and remote endpoint definitions, click on Deployment and select the Gateway groups you wish to connect to the Cloud Hubs.


Preview the changes and when ready, Submit the changes. The Deployment process can take approximately 1 minute or more depending on the number of Gateways to be provisioned. Until the deployment completes, you will not be able to make any changes to the Aruba Central Gateway Group.


Once the deployment is complete, you will need to download the tunnel details to add into the HPE Aruba Networking SSE Management Console. Click the List icon and select the Custom partner tab. Hover the mouse over the Group entry, click on the ellipsis which appears, and download the CSV file which contains the IPsec tunnel details.

Many SSE partners allow you to simply import the tunnel details into their management portals in either CSV or JSON format. To complete the HPE Aruba Networking SSE integration, navigate to the SSE Management Console.

HPE Aruba Networking SSE Configuration

Log in to the HPE Aruba Networking SSE Management Console, navigate to Policy>Locations, and add a New Location.


Provide a ‘Location’ and click Submit.


Commit the Changes by clicking Apply Changes.


Navigate to Settings>Connectors>Tunnels and click ‘New IPsec Tunnel’ on the top right.


To expedite the tunnel configuration, open the CSV file containing the IPsec Tunnel Details from Aruba Central. You will need to copy and paste the Source Identity field and PSK field into the SSE IPsec Tunnel settings.


Associate the tunnel to your previously created Location. Perform this step for each Gateway entry in the CSV file. After creating the two tunnels, apply the changes in the Management Console.
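Before pasting each entry into the SSE console, the exported file can be checked for the expected IKE ID format without ever displaying a pre-shared key. The following is an added example, not part of the original guide or of any Aruba tooling; the CSV column names, the sample rows and the suffix branch.example are constructed assumptions, so adjust them to match the file you downloaded.

```python
import csv
import hashlib
import io
import re

# Constructed sample export. Column names are assumptions, not the real
# Aruba Central CSV header; adjust them to match the downloaded file.
SAMPLE_CSV = """Gateway,Uplink,Source Identity,PSK
BGW-01,inet1,aruba-3f9a1c-inet1@branch.example,Zx81kQp0Lm47Rt2vYb6Nc9Ds
BGW-01,inet2,aruba-3f9a1c-inet2@branch.example,Hq52WnE7Uf30Kj8sPa1Xo4Tg
BGW-02,inet1,aruba-7be204-inet1@other.example,
"""

# Email-format IKE ID as described above: aruba-<hash>-<uplink>@<suffix>
IKE_ID = re.compile(r"^aruba-[^@\s]+@([^@\s]+)$")


def psk_fingerprint(psk):
    """Short SHA-256 tag so a PSK can be compared without displaying it."""
    return hashlib.sha256(psk.encode()).hexdigest()[:12]


def check_export(text, expected_suffix):
    """Return (rows safe to log, list of problems) for one exported CSV."""
    rows, problems, seen = [], [], set()
    for n, rec in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        ident = (rec.get("Source Identity") or "").strip()
        psk = (rec.get("PSK") or "").strip()
        m = IKE_ID.match(ident)
        if not m:
            problems.append(f"line {n}: identity is not in email format")
        elif m.group(1).lower() != expected_suffix.lower():
            problems.append(f"line {n}: suffix {m.group(1)!r} != {expected_suffix!r}")
        if not psk:
            problems.append(f"line {n}: empty PSK")
        if ident in seen:
            problems.append(f"line {n}: duplicate identity")
        seen.add(ident)
        rows.append({"gateway": rec.get("Gateway"), "identity": ident,
                     "psk_sha256_12": psk_fingerprint(psk) if psk else None})
    return rows, problems


if __name__ == "__main__":
    rows, problems = check_export(SAMPLE_CSV, "branch.example")
    for r in rows:
        print(r)
    for p in problems:
        print("PROBLEM:", p)
```

The fingerprint lets two people confirm they are looking at the same key over chat or a ticket without the key itself leaving the CSV file.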


After the tunnels are defined, the tunnel status will change to Connected in under one minute.


This can also be verified in Aruba Central by selecting the Branch Gateway object and examining the Tunnel Details.


Even greater detail can be shown when you SSH directly to the Gateway’s CLI. Run the command show datapath session table and use your client’s IP address as a qualifier.



© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.