• All Files
Aruba Central Online Help
You are here: Home > Managing Access Points > Configuring Access Points > Configuring IPsec VPN Tunnel

Configuring IPsec VPN Tunnel

An IPsecInternet Protocol security. IPsec is a protocol suite for secure IP communications that authenticates and encrypts each IP packet in a communication session. tunnel is configured to ensure that the data flow between the networks is encrypted. When configured, the IPsec tunnel to the controller secures corporate data. You can configure an IPsec tunnel from virtual controller using Aruba Central (on-premises).

To configure an IPsec tunnel from virtual controller, complete the following steps:

  1. In the Network Operations app, set the filter to a group containing at least one AP.

    The dashboard context for the group is displayed.

  2. Under Manage, click Devices > Access Points.

    A list of APs is displayed in the List view.

  3. Click the Config icon.

    The tabs to configure the APs are displayed.

  4. Click Show Advanced.
  5. Click the VPN tab.

    The VPNVirtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. page is displayed.

  6. Click the Controller accordion.
  7. In the Protocol drop-down list, select Aruba IPsec.
  8. In the Primary host field, enter the IP address or FQDNFully Qualified Domain Name. FQDN is a complete domain name that identifies a computer or host on the Internet. for the main VPN/IPsec endpoint.

  9. In the Backup host field, enter the IP address or FQDN for the backup VPN/IPsec endpoint. This entry is optional. When you enter the primary host IP address and backup host IP address, other fields are displayed.

  10. Specify the following parameters.

    1. Select the Preemption check-box to allow the VPN tunnel to switch back to the primary host when it becomes available again. This step is optional. If Preemption is enabled, specify a value in seconds for Hold time. When preemption is enabled and the primary host comes up, the VPN tunnel switches to the primary host after the specified hold-time. The default value for Hold time is 600 seconds.
    2. Select the Fast Failover check-box to allow the IAP to create a backup VPN tunnel to the controller along with the primary tunnel, and maintain both the primary and backup tunnels separately. When fast failover is enabled and if the primary tunnel fails, the IAP can switch the data stream to the backup tunnel. This reduces the total failover time to less than one minute.
    3. Specify a value in seconds for Secs Between Test Packets. Based on the configured frequency, the IAP can verify if an active VPN connection is available. The default value is 5 seconds, which means that the IAP sends one packet to the controller every 5 seconds.
    4. Enter a value for Max Allowed Test Packet Loss to define a number for lost packets, after which the IAP can determine that the VPN connection is unavailable. The default value is 2.
    5. Select the Reconnect User On Failover check-box to disconnect all wired and wireless users when the system switches during VPN tunnel transition from primary to backup and backup to primary.
    6. Specify a value in seconds for Reconnect Time On Failover to configure an interval for which wired and wireless users are disconnected during a VPN tunnel switch. By default, the reconnection duration is set to 60 seconds. The Reconnect Time on Failover field is displayed only when Reconnect User On Failover is enabled.
    7. From the Branch Name drop-down list, select the branch name.

    11. When the IPsec tunnel configuration is completed, the packets that are sent from and received by an IAP are encrypted.

  11. Click Save Settings.

You will be unable to upload the self-signed certificate from Aruba Central. You must upload the self-signed certificate to Aruba ActivateAruba Activate is a cloud-based service that helps provision your Aruba devices and maintain your inventory. Activate automates the provisioning process, allowing a single IT technician to easily and rapidly deploy devices throughout a distributed enterprise network. followed by the AP reboot procedure. When the AP contacts Aruba Activate, the Aruba Activate informs the AP about the self-signed AP certificate that is required to be downloaded. The AP then installs a new certificate before connecting to Aruba Central. For more information, see Aruba Activate User Guide.