Tunnel Establishment
Gateways (not Microbranch APs) could integrate with virtually any SSE using manual IPsec tunnels and PBR policies. This would require creating “Locations”, “Sub-Locations”, “IPsec Tunnels”, unique VPN credentials, etc. for each branch site, which can be a very labor-intensive task.
The Cloud Connect service can alleviate that task. There are two ways of integrating SD-Branch Gateways or Microbranch APs with HPE Aruba Networking SSE. In the fully orchestrated integration, the network and security administrator obtains an API token from the SSE dashboard and adds it to Central; tunnels, locations, and sub-locations are then created automatically by Central. When using “Custom Cloud Connect”, Central handles the tunnel orchestration for Gateways and Microbranch APs, but it does not interact with the SSE API.
Orchestrated Integration
When using the orchestrated integration, the Cloud Connect Service, in conjunction with the SD-Branch Orchestrator, takes complete ownership of the tunnel establishment between branch locations and SSE nodes. These are cloud-native, multi-tenant control plane services included as part of HPE Aruba Networking Central to automate network deployments. When building the SD-WAN fabric with the SD-Branch Orchestrator, WAN links are automatically discovered, and tunnels and routes are orchestrated based on business and topological needs, such as mapping data centers to branch offices. More information can be found in the SD-Branch Orchestrator Tech Note.
Note: The fully orchestrated integration is under “Select Availability”. Please reach out to an HPE Aruba Networking representative to have this feature enabled in your Central account.
Configuration Steps
To use the orchestrated integration, you just need to follow 3 steps:
Step 1 In the HPE Aruba Networking SSE management portal: Generate a token that has read-write permissions for tunnels and locations.
Step 2 In Central: Go to Network Services > Cloud Connect > Accounts and create an HPE Aruba Networking SSE account with the token you just created.
Step 3 Also in Central: Go to Network Services > Cloud Connect > Deploy and click “connect” under the SD-Branch/Microbranch groups you wish to integrate with our SSE. You can optionally define sub-locations as part of this step.
Generate API Token
In the SSE management console, go to Settings > Admin API and into New API Token. Generate a read-write token with access to the Tunnels and Locations scopes.
Create HPE Aruba SSE Account
In Central, go to Network Services > Cloud Connect > Configuration > Accounts to define an HPE Aruba Networking SSE account.
Deploy Orchestration
The final step is to deploy the integration to the desired SD-Branch and Microbranch groups. To do so, go to Network Services > Cloud Connect > Configuration > Deploy and click Connect on the desired groups. You can additionally define sub-locations for SD-Branch groups. Finally, click Preview and Submit.
Validate Tunnel Orchestration
As soon as this configuration is done, Cloud Connect will automatically orchestrate tunnels for all public WAN circuits from any Gateway or Microbranch AP in the selected groups. Cloud Connect will additionally monitor said groups to orchestrate tunnels for any new devices or uplinks that join the group.
To verify that things have gone as expected, you can check the following:
First, in Central, go to Network Services > Cloud Connect > List to observe the progress of the orchestration process.
Second, in the SSE management console, go to Policy > Locations to observe how Cloud Connect has orchestrated the corresponding tunnels (and optionally, sub-locations) for every site in Central.
Semi-Automated Integration using Custom Cloud Connect
As mentioned, Central also provides a mechanism that can be used to integrate any SSE (including, of course, HPE Aruba Networking SSE) in a semi-automated manner where Central handles the tunnel orchestration part and the network administrator takes care of configuring the SSE.
Configuration in HPE Aruba Networking Central
Navigate to the Global context of Aruba Central and then select Network Services > Cloud Connect. Click Settings and then Custom under the Accounts page. Now click the ‘+ Plus’ sign to create a new Partner integration.
Fill in the details about the new Partner Account as follows:
Name: Provide a name of your choice
Tunnel Settings: You can select one of the 9 preset Partner settings. For Axis integration, select the Aruba SSE option. An informational icon will appear; clicking on it displays the IPsec tunnel settings that Aruba SD-Branch gateways and Microbranch Access Points will use.
Tunnel Local ID Format: Choose whether the Local ID uses an FQDN format, an email format, or the WAN public IP address of the device; this value is used when creating the Tunnel Authentication ID and Pre-shared key. For the integration with HPE Aruba Networking SSE we should use the email format, as described in the SSE documentation portal.
Tunnel Local ID Suffix: Specify the Local ID Suffix for the tunnel. Cloud Connect will append that at the end of the IKE ID, generating credentials with the following format “aruba-random-hash-uplink-name@tunnel-suffix”. The generated IKE ID does not have to represent any real domain or email address. It is simply used as an identifier in the tunnel authentication process.
Click the ‘+ Plus’ sign in the Remote Endpoint Definitions table to define the Axis tunnel endpoints. Axis provides a primary and a secondary URL, each of which uses DNS geolocation to return the closest SSE node to the Gateway or Microbranch location. When doing so, Cloud Connect also provides the option to include an HTTPS-based tunnel monitoring URL to validate the performance of traffic going through the SSE tunnels.
Configure the primary and secondary endpoints as follows:
First Endpoint Definition:
- Name: primary-axis-pop
- FQDN: ipsec-proxy-geo.axisapps.io
- Tunnel Probe Type: HTTP
- Tunnel Monitor IP/URL: https://sp-ipsla.silverpeak.cloud
Second Endpoint Definition:
- Name: secondary-axis-pop
- FQDN: ipsec-proxy-secondary-geo.axisapps.io
- Tunnel Probe Type: HTTP
- Tunnel Monitor IP/URL: https://sp-ipsla.silverpeak.cloud
After saving the SSE account and remote endpoint definitions, click on Deployment and select the Gateway groups you wish to connect to the Cloud Hubs.
Preview the changes and when ready, Submit the changes. The Deployment process can take approximately 1 minute or more depending on the number of Gateways to be provisioned. Until the deployment completes, you will not be able to make any changes to the Aruba Central Gateway Group.
Once the deployment is complete, you will need to download the tunnel details to add into the HPE Aruba Networking SSE Management Console. Click the List icon and select the Custom partner tab. Hover the mouse over the Group entry and then click on the ellipsis which appears and download the CSV file which contains the IPsec tunnel details.
Many SSE partners allow you to simply import the tunnel details into their management portals in either CSV or JSON format. To complete the HPE Aruba Networking SSE integration, navigate to the SSE Management Console.
Configuration in HPE Aruba Networking SSE
Login to the HPE Aruba Networking SSE Management Console and navigate to Policy>Locations and add a New Location.
Provide a ‘Location’ and click Submit.
Commit the Changes by clicking Apply Changes.
Navigate to Settings > Connectors > Tunnels and click ‘New IPsec Tunnel’ on the top right.
To expedite the tunnel configuration, open the CSV file containing the IPsec Tunnel Details from Aruba Central. You will need to copy and paste the Source Identity field and PSK field into the SSE IPsec Tunnel settings.
Associate the tunnel to your previously created Location. Perform this step for each Gateway entry in the CSV file. After creating the two tunnels, apply the changes in the Management Console.
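Before pasting credentials from the exported CSV into the SSE console, it is worth sanity-checking the file: that every Source Identity follows the “aruba-random-hash-uplink-name@tunnel-suffix” layout described under Tunnel Local ID Suffix, that the suffix matches the one configured in the Custom account, that no PSK is empty or shared between identities, and that a worksheet row exists for both Axis endpoints per identity. The script below is an added example written for this tech note, not Central's or Axis's own tooling. It assumes the CSV column names other than “Source Identity” and “PSK” (which the text names), assumes the random hash is lowercase hex, uses a constructed suffix and constructed PSK values, and applies a minimum PSK length of 16 characters as a local policy choice rather than anything Central enforces.

```python
import csv
import io
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Assumed values: the suffix you typed into "Tunnel Local ID Suffix" and a
# local policy threshold for PSK length. Neither comes from Central.
EXPECTED_SUFFIX = "example-suffix.net"
MIN_PSK_LEN = 16

# Both remote endpoint FQDNs from the endpoint definitions above.
AXIS_ENDPOINTS = ("ipsec-proxy-geo.axisapps.io",
                  "ipsec-proxy-secondary-geo.axisapps.io")

# IKE ID layout from the note: aruba-<random-hash>-<uplink-name>@<tunnel-suffix>.
# Hash assumed lowercase hex; the uplink name may itself contain hyphens.
IKE_ID_RE = re.compile(
    r"^aruba-(?P<hash>[0-9a-f]+)-(?P<uplink>[A-Za-z0-9_.-]+)@(?P<suffix>[^@\s]+)$")

# Constructed sample export. Only "Source Identity" and "PSK" are named in the
# note; "Device" and "Uplink" are assumed column names, all values are made up.
SAMPLE_CSV = """\
Device,Uplink,Source Identity,PSK
BG-branch01,INET1,aruba-3f9a2c7e1b4d-INET1@example-suffix.net,CONSTRUCTED-psk-Kq8vL2mX9pT4wR1z
BG-branch01,INET2,aruba-3f9a2c7e1b4d-INET2@example-suffix.net,CONSTRUCTED-psk-Kq8vL2mX9pT4wR1z
BG-branch02,INET1,aruba-9c0d11aa55ef-INET1@wrong-suffix.net,short
"""


@dataclass
class TunnelEntry:
    device: str
    uplink: str
    source_identity: str
    psk: str


@dataclass
class Report:
    entries: list = field(default_factory=list)
    findings: list = field(default_factory=list)


def parse_export(text):
    """Read the CSV export into TunnelEntry records (whitespace stripped)."""
    reader = csv.DictReader(io.StringIO(text))
    return [TunnelEntry(r["Device"].strip(), r["Uplink"].strip(),
                        r["Source Identity"].strip(), r["PSK"].strip())
            for r in reader]


def check_identity(identity, expected_suffix):
    """Return None if the IKE ID is well formed and carries the expected suffix,
    otherwise a short description of the problem."""
    m = IKE_ID_RE.match(identity)
    if not m:
        return "malformed IKE ID"
    if m.group("suffix") != expected_suffix:
        return f"suffix {m.group('suffix')!r} != configured {expected_suffix!r}"
    return None


def validate_export(text, expected_suffix=EXPECTED_SUFFIX, min_psk_len=MIN_PSK_LEN):
    """Validate every row and collect findings a reviewer would want to see
    before the credentials are entered into the SSE console."""
    report = Report(entries=parse_export(text))
    identities_by_psk = defaultdict(list)
    for e in report.entries:
        err = check_identity(e.source_identity, expected_suffix)
        if err:
            report.findings.append(f"{e.device}/{e.uplink}: {err}")
        if len(e.psk) < min_psk_len:
            report.findings.append(
                f"{e.device}/{e.uplink}: PSK shorter than {min_psk_len} characters")
        identities_by_psk[e.psk].append(e.source_identity)
    # One PSK serving several identities weakens the per-tunnel credential.
    for psk, idents in identities_by_psk.items():
        if len(idents) > 1:
            report.findings.append(
                f"PSK shared by {len(idents)} identities: {', '.join(sorted(idents))}")
    return report


def tunnel_worksheet(report):
    """(identity, remote endpoint, PSK) rows: one SSE tunnel per identity and
    per Axis endpoint, which is what you create by hand in the console."""
    return [(e.source_identity, ep, e.psk)
            for e in report.entries for ep in AXIS_ENDPOINTS]


if __name__ == "__main__":
    rep = validate_export(SAMPLE_CSV)
    for f in rep.findings:
        print("FINDING:", f)
    for ident, ep, _ in tunnel_worksheet(rep):
        print(f"tunnel {ident} -> {ep}")
```

Run against the constructed sample, the script flags the second gateway for a suffix that does not match the configured account and for a too-short PSK, and flags the first gateway for reusing one PSK across both uplinks; the worksheet lists six tunnels (three identities times two Axis endpoints). Point it at the real CSV downloaded from Network Services > Cloud Connect > List by replacing SAMPLE_CSV with the file contents.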
Validate Tunnel Establishment
After the tunnels are defined, the tunnel status will change to Connected in under one minute.
This can also be verified in Aruba Central by selecting the Branch Gateway object and examining the Tunnel Details.
Even greater detail is available when you SSH directly to the Gateway’s CLI. Run the command show datapath session table and use your client’s IP address as a qualifier.