Link Search Menu Expand Document
calendar_month 07-Mar-24

VPNC Traffic Forwarding through Aruba SSE

In the some circumstances, customer will want to forward traffic to Aruba’s SSE directly from their VPNCs or headend gateways. This process is similar to the workflow required to orchestrate tunnels for Branch Gateways as well as Microbranch APs.

Navigate to Global>Network Services>Cloud Connect and then select the CUSTOM tab under Group Connections. Here you will see what other Gateway and Microbranch groups you have deployed the Aruba SSE to. Click on Settings and then select Deployment and then select the SSE provider to select and deploy a new VPNC group.

Select the Group you want to deploy, and then under the Cloud Hubs table, expand the Aruba SSE account and select which Remote Endpoints you want to use and as either the Primary and/or Secondary connection. When complete, click Preview to review the changes and then Submit to complete the Group to Cloud Hub Connection.

Deploying the changes can take several minutes and while taking place, further changes are temporarily disabled for that Group.

The final step is to now download the tunnel details so that they can be loaded into the Atmos portal. Click on the List icon and then navigate to to the CUSTOM Group Connection tab. Hover over the newly deployed Group and click on the ellipsis that appears. Now download the tunnel details either in CSV or JSON format. For the Aruba SSE solution, choose the CSV option.

Refer to the Aruba SSE Secure Web Gateway section as to how to create your Location and import the VPNC tunnel details from Central.

Once the VPNC tunnels are established, the next step is to make sure that the relevant traffic is forwarded through these tunnels to the SWG service.

Traffic Forwarding with a Head End Gateway (VPNC)

The next step would then be to organize tunnels into a “next-hop-list” so they can be used by WAN and routing policies. This can be achieved by navigating to Routing>NextHop Configuration and creating a new Nexthop-List. Click the + Plus sign in the Nexthop table to create the new list.

Name the NHL and then assign the IPsec Maps to it. You can also assign SLAs to each IPsec map if desired.

Once the Nexthop-List is created, you can use this together with a PBR policy to direct traffic into the HPE Aruba Networking SSE.

Click on the Policy-Based Routing tab to continue the configuration. Click the + Plus sign to create a new PBR Policy. Below is a sample policy to redirect traffic into the SSE.

Applying the PBR policy to relevant Roles or VLANs

Next step is to assign the previously created policies to the relevant Roles or VLANs. Previous examples have shown how to add the PBR policy to a user role as well as a VLAN on the Branch Gateway. In this example, the PBR policy will be applied to the User’s Gateway Role which is created automatically when the Microbranch WLAN profile is created. Navigate to Security>Roles and select the Microbranch WLAN user role. Click the + Plus sign to add the PBR Policy to the user role.

Select the Policy type as Route and then select your previously created PBR policy from the dropdown list.

Apply the policy and then you can test whether the redirection is occurring as desired.


Back to top

© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.