Dell 6.2 Server User Manual

667 | Adding Local Controllers | Dell PowerConnect W-Series ArubaOS 6.2 | User Guide
You can use a preshared key (PSK) or a certificate to create IPSec tunnels between a master and backup master Dell
controllers and between master and local Dell controllers. These inter-controller IPSec tunnels carry management
traffic such as mobility, configuration, and master-local information.
NOTE: An inter-controller IPSec tunnel can be used to route data between networks attached to the Dell controllers if you have
installed PEFV licenses in the Dell controllers. To route traffic, configure a static route on each controller specifying the destination
network and the name of the IPSec tunnel.
A default PSK exists to allow inter-controller communication; for security, however, you need to configure a
unique PSK for each controller pair. You can use either the WebUI or CLI to configure a 6-64 character PSK on
master and local Dell controllers. To configure a unique PSK for each controller pair, you must configure the master
controller with the IP address of the local and the PSK, and configure the local controller with the IP address of the
master and the PSK.
You can configure a global PSK for all master-local communications, although this is not recommended for networks
with more than two Dell controllers. On the master controller, use 0.0.0.0 for the IP address of the local. On the local
controller, configure the IP address of the master and the PSK.
The local controller can be located behind a NAT device or over the Internet. On the local controller, when you
specify the IP address of the master controller, use the public IP address for the master.
If your master and local Dell controllers use a pre-shared key for authentication, the IPsec tunnel will be created
using IKEv1. If they use a factory-installed or custom certificate, they will use IKEv2 to create the IPsec tunnel.
Controllers using IKEv2 and custom-installed certificates can optionally use Suite-B encryption for IPsec encryption.
For details and requirements for Suite-B encryption, see "Configuring an SSID for Suite-B Cryptography" on page 329.
Configuring a Preshared Key
Leaving the PSK set to the default value exposes the IPSec channel to serious risk, therefore you should always
configure a unique PSK for each controller pair.
Sharing the same PSK between more than two Dell controllers increases the likelihood of compromise. If one
controller is compromised, all Dell controllers are compromised. Therefore, best security practices include configuring
a unique PSK for each controller pair.
WARNING: Do not use the default global PSK on a master or stand-alone controller. If you have a multi-controller network, then
configure the local Dell controllers to match the new IPSec PSK on the master controller.
Weak keys are susceptible to offline dictionary attacks, meaning that a hostile eavesdropper can capture a few
packets during connection setup and derive the PSK, thus compromising the connection. Therefore, selecting a PSK
should follow the same process as selecting a strong passphrase:
- the PSK should be at least ten characters in length
- the PSK should not be a dictionary word
- the PSK should combine characters from at least three of the following four groups:
  - lowercase characters
  - uppercase characters
  - numbers
  - punctuation or special characters, such as ~‘@#$%^&*()_-+=\|//.[]{}
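The selection rules above, expressed as a policy check plus a generator for a fresh per-pair PSK. This is an added example, not Dell or Aruba code: it assumes a small constructed word list standing in for a real dictionary, and reads the guide's curly quote in the special-character list as a backtick.

```python
import secrets
import string

# Special characters taken from the guide's list (curly quote assumed to be a backtick).
SPECIALS = "~`@#$%^&*()_-+=\\|/.[]{}"
GROUPS = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "numbers": set(string.digits),
    "special": set(SPECIALS),
}
# Constructed stand-in for a dictionary / known-default list; a real check would load a full word list.
WEAK_WORDS = {"password", "controller", "dellpsk", "arubadefault"}


def check_psk(psk: str) -> list:
    """Return the policy violations for a candidate inter-controller PSK (empty list = acceptable)."""
    problems = []
    if not 6 <= len(psk) <= 64:
        problems.append("controller accepts only 6-64 characters")
    if len(psk) < 10:
        problems.append("shorter than ten characters")
    if psk.lower() in WEAK_WORDS:
        problems.append("dictionary word")
    present = [name for name, chars in GROUPS.items() if any(c in chars for c in psk)]
    if len(present) < 3:
        problems.append(f"only {len(present)} of 4 character groups")
    return problems


def generate_psk(length: int = 20) -> str:
    """Generate a random PSK (CSPRNG) and retry until it satisfies check_psk; one per controller pair."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_psk(psk):
            return psk


if __name__ == "__main__":
    for candidate in ("password", "abcdefghijkl", "Tr0ub4dor&3!xQ", generate_psk()):
        print(repr(candidate), check_psk(candidate) or "OK")
```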
The following sections describe how to configure a PSK using the WebUI or CLI.