27-Jan-25

Tunnel Establishment

Gateways (but not Microbranch APs) can integrate with virtually any SSE using manually configured IPsec tunnels and PBR policies. This requires creating Locations, Sub-Locations, IPsec tunnels, unique VPN credentials, and so on for each branch site, which is a labor-intensive task.

The Cloud Connect service alleviates that task. There are two ways of integrating SD-Branch Gateways or Microbranch APs with HPE Aruba Networking SSE. In the fully orchestrated integration, the network and security administrator obtains an API token from the SSE dashboard and adds it to Central; tunnels, locations, and sub-locations are then created automatically by Central. With Custom Cloud Connect, Central still handles the tunnel orchestration for Gateways and Microbranch APs, but it does not interact with the SSE API, so the SSE side is configured manually.


Orchestrated Integration

When using the orchestrated integration, the Cloud Connect service, in conjunction with the SD-Branch Orchestrator, takes complete ownership of tunnel establishment between branch locations and SSE nodes. These are cloud-native, multi-tenant control-plane services included in HPE Aruba Networking Central to automate network deployments. When building the SD-WAN fabric with the SD-Branch Orchestrator, WAN links are automatically discovered, and tunnels and routes are orchestrated based on business and topological needs, such as mapping data centers to branch offices. More information can be found in the SD-Branch Orchestrator Tech Note.

Note: The fully orchestrated integration is under “Select Availability”. Please reach out to an HPE Aruba Networking representative to have this feature enabled in your Central account.

Configuration Steps

The orchestrated integration requires only three steps:

Step 1 In the HPE Aruba Networking SSE management portal: generate an API token with read-write permissions for the Tunnels and Locations scopes. Limit the token to those two scopes.

Step 2 In Central: go to Network Services > Cloud Connect > Accounts and create an HPE Aruba Networking SSE account with the token you just created.

Step 3 Also in Central: go to Network Services > Cloud Connect > Deploy and click Connect under the SD-Branch/Microbranch groups you wish to integrate with HPE Aruba Networking SSE. You can optionally define sub-locations as part of this step.

Generate API Token

In the SSE management console, go to Settings > Admin API and click New API Token. Generate a read-write token with access to the Tunnels and Locations scopes.


Create HPE Aruba SSE Account

In Central, go to Network Services > Cloud Connect > Configuration > Accounts to define an HPE Aruba Networking SSE account.

Create SSE account

Deploy Orchestration

The final step is to deploy the integration to the desired SD-Branch and Microbranch groups. To do so, go to Network Services > Cloud Connect > Configuration > Deploy and click Connect on the desired groups. You can additionally define sub-locations for SD-Branch groups. Finally, click Preview and then Submit.

Orchestrate Tunnels

Validate Tunnel Orchestration

As soon as this configuration is done, Cloud Connect will automatically orchestrate tunnels for all public WAN circuits from any Gateway or Microbranch AP in the selected groups. Cloud Connect will additionally monitor said groups to orchestrate tunnels for any new devices or uplinks that join the group.

To verify that things have gone as expected, you can check the following:

First, in Central, go to Network Services > Cloud Connect > List to observe the progress of the orchestration process.

Tunnel Orchestration Process

Second, in the SSE management console, go to Policy > Locations to observe how Cloud Connect has orchestrated the corresponding tunnels (and optionally, sub-locations) for every site in Central.

Locations Created in SSE

Semi-Automated Integration using Custom Cloud Connect

As mentioned, Central also provides a mechanism that can be used to integrate any SSE (including, of course, HPE Aruba Networking SSE) in a semi-automated manner where Central handles the tunnel orchestration part and the network administrator takes care of configuring the SSE.

Configuration in HPE Aruba Networking Central

Navigate to the Global context of Aruba Central and select Network Services > Cloud Connect. Click Settings and then Custom under the Accounts page. Click the + sign to create a new Partner integration.


Fill in the details about the new Partner Account as follows:

Name: Provide a name of your choice

Tunnel Settings: Select one of the nine preset Partner settings. For the Axis integration, select the Aruba SSE option. An information icon will appear; clicking it displays the IPsec tunnel settings that Aruba SD-Branch Gateways and Microbranch Access Points will use.

Tunnel Local ID Format: Choose the format of the IKE ID that Cloud Connect generates for tunnel authentication: a Local FQDN format, an Email format, or the WAN public IP address of the device. For the integration with HPE Aruba Networking SSE, use the Email format, as described in the SSE documentation portal.

Tunnel Local ID Suffix: Specify the Local ID suffix for the tunnel. Cloud Connect appends it to the IKE ID, generating identities of the form aruba-random-hash-uplink-name@tunnel-suffix. The generated IKE ID does not have to correspond to any real domain or email address; it is simply the identifier presented during tunnel authentication. The secret that actually authenticates the tunnel is the pre-shared key generated alongside it, so the suffix only needs to be consistent between Central and the SSE configuration.


Click the + sign in the Remote Endpoint Definitions table to define the Axis tunnel endpoints. Axis provides a primary and a secondary URL; both use DNS geolocation to return the two SSE nodes closest to the Gateway or Microbranch location. Cloud Connect also provides the option to include an HTTPS-based tunnel monitoring URL, which is probed through the tunnel to validate the performance of traffic going through SSE.

Configure the primary and secondary endpoints as follows:

First Endpoint Definition:

  • Name: primary-axis-pop
  • FQDN: ipsec-proxy-geo.axisapps.io
  • Tunnel Probe Type: HTTP
  • Tunnel Monitor IP/URL: https://sp-ipsla.silverpeak.cloud

Second Endpoint Definition:

  • Name: secondary-axis-pop
  • FQDN: ipsec-proxy-secondary-geo.axisapps.io
  • Tunnel Probe Type: HTTP
  • Tunnel Monitor IP/URL: https://sp-ipsla.silverpeak.cloud


After saving the SSE account and remote endpoint definitions, click on Deployment and select the Gateway groups you wish to connect to the Cloud Hubs.


Preview the changes and, when ready, submit them. Deployment takes approximately one minute or more, depending on the number of Gateways to be provisioned. Until the deployment completes, you will not be able to make changes to the Aruba Central Gateway group.


Once the deployment is complete, download the tunnel details to add to the HPE Aruba Networking SSE Management Console. Click the List icon and select the Custom partner tab. Hover over the Group entry, click the ellipsis that appears, and download the CSV file containing the IPsec tunnel details. This file contains the pre-shared key for every tunnel: treat it as a credential, restrict who can read it, and delete it once the tunnels have been configured in the SSE console.


Many SSE partners allow you to import the tunnel details into their management portals in CSV or JSON format. To complete the HPE Aruba Networking SSE integration, navigate to the SSE Management Console.
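Because the exported CSV carries both the IKE IDs and the pre-shared keys that will be pasted into the SSE console, it is worth sanity-checking it before use. The following Python script is an added example and is not part of the Aruba documentation or of Cloud Connect itself. It parses a constructed export (the sample rows and credentials are made up), checks that every Source Identity matches the aruba-random-hash-uplink-name@tunnel-suffix format described under Tunnel Local ID Suffix and carries the configured suffix, flags short PSKs and a PSK reused across different identities, and prints a summary with the PSKs redacted so it can go into a change ticket. Only the Source Identity and PSK column names come from the documentation; the Device, Uplink and Remote Endpoint columns and the 20-character PSK threshold are assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# IKE ID format described in the Cloud Connect settings:
#   aruba-<random-hash>-<uplink-name>@<tunnel-suffix>
IKE_ID_RE = re.compile(
    r"^aruba-(?P<hash>[A-Za-z0-9]+)-(?P<uplink>[A-Za-z0-9_.-]+)@(?P<suffix>[A-Za-z0-9.-]+)$"
)

# Assumed local policy threshold, not a value from the documentation.
MIN_PSK_LEN = 20

# Constructed sample export. Only the "Source Identity" and "PSK" column names
# come from the documentation; the other columns and all values are made up.
SAMPLE_CSV = """Device,Uplink,Remote Endpoint,Source Identity,PSK
BGW-SITE1,INET1,ipsec-proxy-geo.axisapps.io,aruba-3f9a1c7e-INET1@lab.example,Vq7pLm2xRt9sWb4nKd8h
BGW-SITE1,INET1,ipsec-proxy-secondary-geo.axisapps.io,aruba-3f9a1c7e-INET1@lab.example,Vq7pLm2xRt9sWb4nKd8h
BGW-SITE2,INET1,ipsec-proxy-geo.axisapps.io,aruba-b81d204a-INET1@lab.example,short
BGW-SITE2,INET1,ipsec-proxy-secondary-geo.axisapps.io,aruba-b81d204a-INET1@other.example,Vq7pLm2xRt9sWb4nKd8h
"""


def parse_export(text):
    """Parse the CSV export into a list of row dictionaries keyed by header."""
    return list(csv.DictReader(io.StringIO(text)))


def check_export(rows, expected_suffix, min_psk_len=MIN_PSK_LEN):
    """Return (csv_line, finding, detail) tuples for the export.

    csv_line is the 1-based line in the file (the header is line 1);
    findings that span several rows use line 0.
    """
    findings = []
    psk_to_ids = defaultdict(set)  # which identities present a given PSK
    id_to_psks = defaultdict(set)  # which PSKs are attached to a given identity
    for lineno, row in enumerate(rows, start=2):
        ike_id = row["Source Identity"].strip()
        psk = row["PSK"]
        m = IKE_ID_RE.match(ike_id)
        if not m:
            findings.append((lineno, "bad-ike-id-format", ike_id))
        elif m.group("suffix") != expected_suffix:
            findings.append((lineno, "unexpected-suffix", ike_id))
        if len(psk) < min_psk_len:
            findings.append((lineno, "short-psk", ike_id))
        psk_to_ids[psk].add(ike_id)
        id_to_psks[ike_id].add(psk)
    # One PSK behind two different IKE IDs: compromising one site's key
    # would also authenticate the other site's tunnel.
    for psk, ids in psk_to_ids.items():
        if len(ids) > 1:
            findings.append((0, "psk-shared-across-identities", ",".join(sorted(ids))))
    # One identity with several PSKs cannot be configured consistently on the SSE side.
    for ike_id, psks in id_to_psks.items():
        if len(psks) > 1:
            findings.append((0, "identity-with-multiple-psks", ike_id))
    return findings


def summarize(rows):
    """Operator-facing lines with each PSK replaced by its length only."""
    return [
        f'{r["Device"]} {r["Uplink"]} -> {r["Remote Endpoint"]}: '
        f'id={r["Source Identity"]} psk=<{len(r["PSK"])} chars>'
        for r in rows
    ]


if __name__ == "__main__":
    rows = parse_export(SAMPLE_CSV)
    print("\n".join(summarize(rows)))
    for lineno, kind, detail in check_export(rows, "lab.example"):
        print(f"csv line {lineno}: {kind}: {detail}")
```

Run it against a real export by replacing SAMPLE_CSV with the file contents and passing the suffix you configured in Central; any finding should be resolved before the identities and keys are entered in the SSE console.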

Configuration in HPE Aruba Networking SSE

Log in to the HPE Aruba Networking SSE Management Console, navigate to Policy > Locations, and add a New Location.


Provide a Location name and click Submit.


Commit the Changes by clicking Apply Changes.


Navigate to Settings > Connectors > Tunnels and click New IPsec Tunnel at the top right.


To expedite the tunnel configuration, open the CSV file containing the IPsec tunnel details from Aruba Central. Copy the Source Identity field (the IKE ID generated by Cloud Connect) and the PSK field into the SSE IPsec tunnel settings.


Associate the tunnel with the Location you created earlier. Repeat this step for each Gateway entry in the CSV file. After creating the tunnels (two in this example), apply the changes in the Management Console.


Validate Tunnel Establishment

After the tunnels are defined, the tunnel status should change to Connected within about a minute.


This can also be verified in Aruba Central by selecting the Branch Gateway and examining its Tunnel Details.


Even greater detail is available by connecting to the Gateway's CLI over SSH. Run show datapath session table with your client's IP address as a qualifier to confirm that the client's sessions are being forwarded through the SSE tunnel.