Create IPsec tunnels in Aruba EdgeConnect SD-WAN

Before you begin:

  1. Prepare for SD-WAN setup.

  2. Make sure you’ve configured IPsec credentials in ETP. For instructions, see Configure IPsec credentials in ETP.

These are the high-level steps that are required to configure a primary and secondary tunnel between Aruba EdgeConnect and ETP.

To create IPsec tunnels in Aruba EdgeConnect:

  1. Identify the Akamai Peer VIPs.

  2. Configure the primary and secondary IPsec tunnels.

  3. Configure a Business Intent Overlay (BIO).

  4. Apply the overlay to the SD-WAN appliance.

Identify the Akamai Peer VIPs

To configure the primary and secondary IPsec tunnels in Aruba EdgeConnect, you must determine the IP addresses that are associated with the primary and secondary IPsec fully qualified domain names. These virtual IP addresses (VIPs) are required to identify Akamai’s point-of-presence (PoP) or ETP Proxy that’s closest to your organization’s branch. When you enter this information in Aruba Orchestrator, it allows you to direct traffic from Aruba EdgeConnect to ETP Proxy.

You perform this procedure from Aruba Orchestrator.

To identify the peer VIPs:

  1. Log in to Aruba Orchestrator.

  2. From the list of appliances, go to your SD-WAN appliance.

  3. Right-click the appliance and select CLI Session. The CLI appears.

  4. Enter this command to see the IP address that resolves from the primary IPsec FQDN and press Enter:

    ping primary.ipsec.akaetp.net

    The IP address and other information appear. Take note of the IP address. You will need it when you configure the primary tunnel.

  5. Enter this command to see the IP address that resolves from the secondary IPsec FQDN and press Enter:

    ping secondary.ipsec.akaetp.net

    The IP address and other information appear. Take note of the IP address. You will need it when you configure the secondary tunnel.

Next step:

Configure the primary and secondary IPsec tunnels

Configure the primary and secondary IPsec tunnels

Complete this procedure to configure the primary and secondary IPsec tunnels in Aruba EdgeConnect.

To configure the primary and secondary IPsec tunnels:

  1. From the Aruba EdgeConnect navigation menu, select Configuration > Tunnels.

  2. Click the Tunnels tab.

  3. Select your appliance from the list of appliances on the left to narrow the list of tunnels.

  4. Select the Passthrough tab.

  5. Click the edit icon that’s associated with the Passthrough-wan0 tunnel.

  6. In the Tunnels dialog, make sure the Passthrough tab is selected, and then select Add Tunnel. The Add Passthrough Tunnel dialog appears.

  7. Configure the General settings:

    1. In the Alias field, enter a name for the tunnel. For example, IPsec_Primary.

    2. In the Mode menu, select IPSec.

    3. In the Admin menu, select up.

    4. In the Local IP field, enter the public IP address of your branch. This is the IP address that you used in the ETP location configuration.

    5. In the Remote IP field, enter the IP address for the primary.ipsec.akaetp.net FQDN that you resolved in Identify the Akamai Peer VIPs.

    6. In the Peer/Service field, enter Akamai_ETP_Primary.

  8. Configure the IKE settings:

    1. Click the IKE tab in the dialog.

    2. In the IKE Version menu, select IKE v2.

    3. In the Preshared Key field, enter the PSK that you generated and also provided in ETP.

    4. For the Authentication Algorithm, select SHA2-256.

    5. For the Encryption Algorithm, select AES-256.

    6. For the Diffie-Hellman Group, select 14 or above.

    7. In the Local IKE Identifier field, enter the IKE ID that you configured in ETP. For more information, see Configure IPsec credentials in ETP.

    8. For the Remote IKE Identifier, enter the IP address for the primary.ipsec.akaetp.net FQDN that you resolved in Identify the Akamai Peer VIPs.

  9. Configure the IPsec settings:

    1. Click the IPsec tab in the dialog.

    2. In the Authentication Algorithm menu, select SHA2-256.

    3. In the Encryption Algorithm menu, select AES-256.

  10. Click Save. The tunnel is created and available in the list of tunnels. If necessary, click the refresh button to show the new tunnel.

  11. Complete steps 5-10 for the secondary tunnel. Make sure that you enter the information that’s specific to the secondary tunnel. For example, for the Remote IP and Remote IKE Identifier, enter the IP address that secondary.ipsec.akaetp.net resolves to. In the Peer/Service field of the General settings, enter Akamai_ETP_Secondary.
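The settings in steps 7-11 are easy to get subtly wrong when the secondary tunnel is cloned from the primary one. The following checker is an added example, not Akamai's or Aruba's code: it models the two tunnel definitions as plain records and reports every deviation from the settings this procedure requires (IPSec mode, IKEv2, SHA2-256, AES-256, DH group 14 or above, remote IKE identifier equal to the remote VIP) plus the cross-tunnel consistency (different VIPs, different Peer/Service names, the same branch public IP). The field names, the sample IKE ID and the documentation-range IP addresses are constructed for the example and are not Orchestrator's own data model.

```python
# Added example (not Akamai's or Aruba's code): validate a primary/secondary
# EdgeConnect passthrough tunnel pair against the settings this procedure
# requires. Field names and sample values are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Tunnel:
    alias: str
    mode: str            # "IPSec"
    admin: str           # "up"
    local_ip: str        # branch public IP, as entered in the ETP location
    remote_ip: str       # VIP resolved from the ETP IPsec FQDN
    peer_service: str    # Akamai_ETP_Primary / Akamai_ETP_Secondary
    ike_version: str     # "IKEv2"
    ike_auth: str        # "SHA2-256"
    ike_enc: str         # "AES-256"
    dh_group: int        # 14 or above
    local_ike_id: str    # IKE ID configured in ETP
    remote_ike_id: str   # same VIP as remote_ip
    ipsec_auth: str      # "SHA2-256"
    ipsec_enc: str       # "AES-256"


def check_tunnel(t: Tunnel) -> list[str]:
    """Return the deviations of one tunnel from the required settings (empty = OK)."""
    problems = []
    if t.mode != "IPSec":
        problems.append(f"mode is {t.mode!r}, expected 'IPSec'")
    if t.admin != "up":
        problems.append("admin state is not 'up'")
    if t.ike_version != "IKEv2":
        problems.append(f"IKE version is {t.ike_version!r}, expected 'IKEv2'")
    if t.ike_auth != "SHA2-256":
        problems.append(f"IKE auth {t.ike_auth!r} is not SHA2-256")
    if t.ike_enc != "AES-256":
        problems.append(f"IKE encryption {t.ike_enc!r} is not AES-256")
    if t.dh_group < 14:
        problems.append(f"DH group {t.dh_group} is below 14")
    if t.ipsec_auth != "SHA2-256":
        problems.append(f"IPsec auth {t.ipsec_auth!r} is not SHA2-256")
    if t.ipsec_enc != "AES-256":
        problems.append(f"IPsec encryption {t.ipsec_enc!r} is not AES-256")
    if t.remote_ike_id != t.remote_ip:
        problems.append("remote IKE identifier does not match the remote IP")
    if not t.local_ike_id:
        problems.append("local IKE identifier is empty")
    return problems


def check_pair(primary: Tunnel, secondary: Tunnel) -> list[str]:
    """Check both tunnels plus the cross-tunnel consistency the procedure calls for."""
    problems = [f"{primary.alias}: {p}" for p in check_tunnel(primary)]
    problems += [f"{secondary.alias}: {p}" for p in check_tunnel(secondary)]
    if primary.remote_ip == secondary.remote_ip:
        problems.append("both tunnels use the same VIP; the secondary must use the "
                        "address that secondary.ipsec.akaetp.net resolves to")
    if primary.peer_service == secondary.peer_service:
        problems.append("Peer/Service names must differ "
                        "(Akamai_ETP_Primary vs Akamai_ETP_Secondary)")
    if primary.local_ip != secondary.local_ip:
        problems.append("local IP differs between tunnels; both use the branch public IP")
    return problems


# Constructed sample values: documentation-range addresses stand in for the
# branch public IP and for the two VIPs resolved with ping.
BRANCH_IP = "198.51.100.10"
PRIMARY_VIP = "192.0.2.1"
SECONDARY_VIP = "192.0.2.2"


def make_tunnel(alias: str, remote_ip: str, peer: str, **overrides) -> Tunnel:
    """Build a tunnel record with the procedure's settings, overriding selected fields."""
    base = dict(alias=alias, mode="IPSec", admin="up", local_ip=BRANCH_IP,
                remote_ip=remote_ip, peer_service=peer, ike_version="IKEv2",
                ike_auth="SHA2-256", ike_enc="AES-256", dh_group=14,
                local_ike_id="branch1@example.com",  # constructed IKE ID
                remote_ike_id=remote_ip, ipsec_auth="SHA2-256", ipsec_enc="AES-256")
    base.update(overrides)
    return Tunnel(**base)


GOOD_PRIMARY = make_tunnel("IPsec_Primary", PRIMARY_VIP, "Akamai_ETP_Primary")
GOOD_SECONDARY = make_tunnel("IPsec_Secondary", SECONDARY_VIP, "Akamai_ETP_Secondary")
# A secondary cloned from the primary without editing the tunnel-specific
# fields, and with a weaker DH group and hash, to show what the checker catches.
BAD_SECONDARY = make_tunnel("IPsec_Secondary", PRIMARY_VIP, "Akamai_ETP_Primary",
                            dh_group=5, ike_auth="SHA1")

if __name__ == "__main__":
    print("good pair:", check_pair(GOOD_PRIMARY, GOOD_SECONDARY) or "OK")
    for problem in check_pair(GOOD_PRIMARY, BAD_SECONDARY):
        print("bad pair:", problem)
```

Running the block prints "OK" for the correctly built pair and four findings for the cloned secondary: the SHA1 hash, the DH group below 14, the duplicated VIP and the duplicated Peer/Service name.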

Next step:

Configure a Business Intent Overlay (BIO)

Configure a Business Intent Overlay (BIO)

A Business Intent Overlay (BIO) specifies how traffic is routed.

To configure a business intent overlay:

  1. From the Aruba EdgeConnect navigation menu, select Configuration > Business Intent Overlays. A list of Business Intent Overlays appears.

  2. Click +New to add a new overlay.

  3. In the Create Overlay dialog, enter a name for the overlay and click Add.

  4. In the SD-WAN Traffic to Internal Subnets tab, drag INET1 and INET2 from the available interfaces into the Primary section. Make sure the interfaces are assigned to the same Cross Connect group.

  5. In the Breakout Traffic to Internet & Cloud Services tab, complete these steps:

    1. In the Available Policies list, find the primary and secondary tunnels you created. If they are not listed, click the edit icon next to Available Policies, search for the tunnels in the dialog that appears, and select them to add them to the Available Policies list.

    2. Drag and drop the primary and secondary tunnels from the Available Policies to the Preferred Policy Order area. Make sure that the primary tunnel is listed above the secondary tunnel to indicate that it’s higher in priority.

  6. Configure an access control list to ensure that Aruba EdgeConnect management traffic that goes to the *silverpeak.cloud domain is not directed to ETP Proxy:

    1. In the Overlay Configuration dialog, for the Match menu, select Overlay ACL.

    2. In the Match field, click the edit icon. The Associate ACL dialog appears.

    3. Click Add Rule.

    4. For the Match Criteria, click the edit icon.

    5. In the Match Criteria dialog, click More Options and then select Domain.

    6. Enter the domain *silverpeak.cloud, and click Save.

    7. In the Associate ACL dialog, select deny as the Permit setting for the *silverpeak.cloud domain.

  7. Configure an access control list to ensure that web traffic is directed to ETP Proxy:

    1. In the Associate ACL dialog, click Add Rule.

    2. For the Match Criteria, click the edit icon.

    3. In the Match Criteria dialog, click More Options and then select Port.

    4. Enter 80 | 443.

    5. Click Save.

  8. Click Save to save all of your access control lists, and then click OK to save the overlay configuration.

  9. In the Business Intent Overlays tab, find the overlay you created and drag it to the top of the list. Make sure the overlay is positioned in priority 1.

  10. Click Save and Apply Changes to Overlays. A dialog appears where you confirm changes. Click Save.
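Steps 6 and 7 build a two-rule overlay ACL whose order matters: the deny rule for *silverpeak.cloud has to sit above the permit rule for ports 80 and 443, otherwise HTTPS management traffic to the *silverpeak.cloud domain would match the port rule first and be steered towards ETP Proxy. The following first-match evaluator is an added example, not Aruba's or Akamai's code: it models the two rules and shows the steering decision for a few constructed flows under the documented order and under the reversed order. The flow records, the sample hostnames and the matching semantics (permit = flow is steered into the overlay and its breakout policies; deny or no match = flow is not steered) are a simplified model built for this example, not EdgeConnect's actual ACL engine.

```python
# Added example (not Aruba's or Akamai's code): first-match evaluation of the
# overlay ACL from steps 6 and 7, to show why rule order matters. The matching
# model and all sample data are constructed for this example.
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import Optional


@dataclass(frozen=True)
class Flow:
    dst_domain: str   # domain the client requested ("" if none is known)
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                          # "permit" or "deny"
    domain: Optional[str] = None         # glob such as "*silverpeak.cloud"; None = any
    ports: frozenset = frozenset()       # empty = any port

    def matches(self, flow: Flow) -> bool:
        """All configured criteria of the rule must match the flow."""
        if self.domain is not None and not fnmatch(flow.dst_domain, self.domain):
            return False
        if self.ports and flow.dst_port not in self.ports:
            return False
        return True


def evaluate(rules: list, flow: Flow) -> bool:
    """True if the flow is steered into the overlay (towards the ETP tunnels).

    The first matching rule wins; a flow that matches no rule is not steered.
    """
    for rule in rules:
        if rule.matches(flow):
            return rule.action == "permit"
    return False


# The ACL as built in the procedure: deny management traffic first, then
# permit web traffic on ports 80 and 443.
ACL_AS_DOCUMENTED = [
    Rule("deny", domain="*silverpeak.cloud"),
    Rule("permit", ports=frozenset({80, 443})),
]

# The same two rules with the order reversed (the mistake to avoid).
ACL_REVERSED = list(reversed(ACL_AS_DOCUMENTED))

# Constructed sample flows; the hostnames are placeholders, not real endpoints.
SAMPLE_FLOWS = {
    "web": Flow("www.example.com", 443),
    "management": Flow("example-mgmt.silverpeak.cloud", 443),
    "other": Flow("mail.example.com", 993),
}


def steering_table(rules: list) -> dict:
    """Map each sample flow name to whether the given ACL steers it into the overlay."""
    return {name: evaluate(rules, flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    print("documented order:", steering_table(ACL_AS_DOCUMENTED))
    print("reversed order:  ", steering_table(ACL_REVERSED))
```

With the documented order, only the web flow is steered into the overlay; the management flow is excluded by the deny rule and the IMAP flow matches nothing. With the rules reversed, the management flow on port 443 is steered as well, which is exactly what step 6 is there to prevent.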

Next step:

Apply the overlay to the SD-WAN appliance

Apply the overlay to the SD-WAN appliance

Complete this procedure to apply the overlay that you created to your SD-WAN appliance.

To apply the overlay to the appliance:

  1. In the Business Intent Overlays tab, click Apply Overlays. The Apply Overlay tab appears.

  2. Select Add for the overlay that you created. This action associates the overlay to the appliance.

  3. Click Apply. A confirmation message appears.

  4. Click Apply Overlays.
