IPSec Proxy-ID

Proxy-IDs are entities used in IPSec tunnel negotiations (Phase 2 in the case of IKEv1) to select which traffic actually goes into the tunnel. They always come in pairs (a sort of tuple) as Local + Remote. So on a Cisco ASA or IOS-based router, when you write an ACL entry like:

permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

you define 192.168.1.0/24 as the Local Proxy ID and 10.1.1.0/24 as the Remote Proxy ID. I used a subnet mask as on the ASA; IOS-based routers use wildcard masks in ACL statements, but the idea is the same.

When the other end device receives this data it swaps the Local and Remote Proxy IDs and starts looking for a match in its own configuration. I.e. for the IPSec security associations to be established successfully, the following definition needs to be found:

Local Proxy ID    Remote Proxy ID
10.1.1.0/24       192.168.1.0/24

and it has to match exactly.

A common doubt is whether it is possible to configure IPSec something like this:

Peer A:

permit ip 10.1.1.0 255.255.255.128 192.168.1.0 255.255.255.0

permit ip 10.1.1.128 255.255.255.128 192.168.1.0 255.255.255.0

Peer B

permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0

And have the tunnel successfully established between 10.1.1.0/24 and 192.168.1.0/24? The two statements configured on Peer A cover the same set of IP addresses as the single statement configured on Peer B, so everything seems to be OK.

Well, it is not. As configured, Peer A will generate two Proxy-ID pairs, (10.1.1.0/25, 192.168.1.0/24) and (10.1.1.128/25, 192.168.1.0/24), and send them to Peer B. Peer B is waiting for (10.1.1.0/24, 192.168.1.0/24) and will accept neither of the pairs received from Peer A. The same thing happens in the opposite direction: Peer B sends (192.168.1.0/24, 10.1.1.0/24), and Peer A rejects it because it is waiting for two Proxy-ID pairs that are exactly the inverse of the ones it has configured.

You will see a message similar to this in debug output:

[IKEv1]Group = 172.16.66.46, IP = 172.16.66.46, Rejecting IPSec tunnel: no matching crypto map entry for remote proxy 192.168.1.0/255.255.255.0/0/0 local proxy 10.1.1.0/255.255.255.0/0/0 on interface outside

To see this error you have to check the debug output on the peer that receives the Proxy-ID pair. The one that sends it will just keep sending it and failing to establish the tunnel. This is generally a good hint for IPSec troubleshooting – always try to debug on the receiver side, because that is the one that complains and reports errors.

So, whatever equipment you use, from whatever vendor: the configuration that defines the Proxy IDs (on Cisco it is done with ACL statements) on one peer always has to be the mirror image of the one on the other peer.
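To make the mirror rule concrete, here is an added example (not part of the original post) that parses the ACLs from the Peer A / Peer B scenario above into Proxy-ID pairs and simulates the receiver's check: swap each proposed pair and demand an exact match. The ACL lines are constructed from the post; the output text mimics the "remote proxy ... local proxy ..." wording of the debug message.

```python
import ipaddress

# Constructed input: the ACLs discussed above, ASA-style (subnet masks).
PEER_A_ACL = [
    "permit ip 10.1.1.0 255.255.255.128 192.168.1.0 255.255.255.0",
    "permit ip 10.1.1.128 255.255.255.128 192.168.1.0 255.255.255.0",
]
PEER_B_ACL = [
    "permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0",
]
# The corrected Peer A configuration: a single /24 that mirrors Peer B.
PEER_A_FIXED_ACL = [
    "permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0",
]


def proxy_id_pairs(acl_lines):
    """Each 'permit ip SRC MASK DST MASK' line yields one (local, remote) Proxy-ID pair.
    ipaddress accepts both subnet masks (ASA) and wildcard masks (IOS), so both parse."""
    pairs = set()
    for line in acl_lines:
        fields = line.split()
        if fields[:2] != ["permit", "ip"] or len(fields) < 6:
            continue  # deny lines and anything else do not define Proxy IDs
        src, src_mask, dst, dst_mask = fields[2:6]
        local = ipaddress.IPv4Network(f"{src}/{src_mask}", strict=False)
        remote = ipaddress.IPv4Network(f"{dst}/{dst_mask}", strict=False)
        pairs.add((local, remote))
    return pairs


def rejected_proposals(sender_acl, receiver_acl):
    """Simulate the receiver: swap each proposed (local, remote) pair and look for an
    exact match in its own configuration. Returns the proposals it would reject."""
    receiver_pairs = proxy_id_pairs(receiver_acl)
    rejected = []
    for s_local, s_remote in sorted(proxy_id_pairs(sender_acl), key=str):
        if (s_remote, s_local) not in receiver_pairs:
            # From the receiver's point of view the sender's local is its remote proxy
            rejected.append(f"remote proxy {s_local} local proxy {s_remote}")
    return rejected


if __name__ == "__main__":
    print("A -> B rejected:", rejected_proposals(PEER_A_ACL, PEER_B_ACL))
    print("B -> A rejected:", rejected_proposals(PEER_B_ACL, PEER_A_ACL))
    print("fixed A -> B rejected:", rejected_proposals(PEER_A_FIXED_ACL, PEER_B_ACL))
```

Both directions fail with the split ACL on Peer A, and both succeed once Peer A uses the single /24 mirror of Peer B's statement.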

Cisco AireOS Controller: How to Configure WLAN Over CLI

The Cisco WLC command-line interface can do a good job if you want to configure something really quickly.

Below is my example of how to configure an SSID with basic radio and security (Pre-Shared Key) settings using the CLI. Just substitute the placeholder values (WLAN-ID, SSID-Name, Dynamic-Interface-Name and so on) with your own, copy and paste it into the WLC and you are done. Much faster than browsing the GUI looking for boxes to tick.

I have also come up with a very basic Python script that just asks you for all the parameters needed and then generates all the necessary command lines. Feel free to contact me if you want me to share it.

RF-Profiles with lower datarates disabled

config rf-profile create 802.11b Disable-Lowrate-24GHz-rfp
config rf-profile data-rates 802.11b disabled 1 Disable-Lowrate-24GHz-rfp
config rf-profile data-rates 802.11b disabled 2 Disable-Lowrate-24GHz-rfp
config rf-profile data-rates 802.11b disabled 5.5 Disable-Lowrate-24GHz-rfp
config rf-profile data-rates 802.11b disabled 6 Disable-Lowrate-24GHz-rfp
config rf-profile data-rates 802.11b disabled 9 Disable-Lowrate-24GHz-rfp
config rf-profile data-rates 802.11b disabled 11 Disable-Lowrate-24GHz-rfp
config rf-profile data-rates 802.11b mandatory 12 Disable-Lowrate-24GHz-rfp

config rf-profile create 802.11a Disable-Lowrate-5GHz-rfp
config rf-profile data-rates 802.11a disabled 6 Disable-Lowrate-5GHz-rfp
config rf-profile data-rates 802.11a disabled 9 Disable-Lowrate-5GHz-rfp
config rf-profile data-rates 802.11a mandatory 12 Disable-Lowrate-5GHz-rfp

Dynamic interface

config interface create Dynamic-Interface-Name VLAN-ID
config interface address dynamic-interface Dynamic-Interface-Name 10.1.1.16 255.255.255.0 10.1.1.1
config interface dhcp dynamic-interface Dynamic-Interface-Name primary 172.23.1.25 secondary 172.23.1.26

WLAN:

config wlan create WLAN-ID SSID-prf SSID-Name
config wlan interface WLAN-ID Dynamic-Interface-Name
config wlan security wpa wpa2 ciphers aes enable WLAN-ID
config wlan security wpa akm 802.1x disable WLAN-ID
config wlan security wpa akm psk enable WLAN-ID
config wlan security wpa akm psk set-key ascii SecurePreSharedKey WLAN-ID

AP Group:

config wlan apgroup add APGroup-Name
config wlan apgroup description APGroup-Name APGroup-Description

Dynamic interface and APs to AP group mapping

config wlan apgroup interface-mapping add APGroup-Name WLAN-ID Dynamic-Interface-Name

config ap group-name APGroup-Name AP1-Name

config ap group-name APGroup-Name AP2-Name

config ap group-name APGroup-Name AP3-Name

Enabling WLAN

config wlan enable WLAN-ID
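As an added example (my own illustration, not the author's script), here is a small generator that builds the command set above from parameters and refuses values the controller would not accept, so a typo in the PSK or VLAN does not get pasted into a live WLC. The WLAN ID range (1-512) and the WPA2 ASCII PSK length (8-63 characters) are assumed AireOS limits; the RF profiles and AP group description are left out to keep it short.

```python
import ipaddress

# Added example, not the author's script. Assumed AireOS limits: WLAN ID 1-512,
# WPA2 ASCII PSK 8-63 printable characters. Arguments are passed unquoted, one token each.


def _token(name, value):
    """Every CLI argument is one whitespace-separated token, so spaces are not allowed."""
    value = str(value)
    if not value or any(c.isspace() for c in value):
        raise ValueError(f"{name} must be a single token without spaces")
    return value


def wlc_psk_wlan_commands(wlan_id, ssid, vlan_id, if_name, if_ip, if_mask, if_gw,
                          dhcp, psk, ap_group, ap_names):
    if not 1 <= int(wlan_id) <= 512:
        raise ValueError("WLAN ID must be 1-512")
    if not 1 <= int(vlan_id) <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    if not (8 <= len(psk) <= 63 and psk.isascii() and psk.isprintable()):
        raise ValueError("ASCII PSK must be 8-63 printable ASCII characters")
    net = ipaddress.IPv4Network(f"{if_ip}/{if_mask}", strict=False)  # validates IP and mask
    if ipaddress.IPv4Address(if_gw) not in net:
        raise ValueError("gateway is not inside the dynamic interface subnet")
    ipaddress.IPv4Address(dhcp)  # raises ValueError on a malformed DHCP server address
    ssid, if_name, ap_group, psk = (_token(n, v) for n, v in
        (("SSID", ssid), ("interface", if_name), ("AP group", ap_group), ("PSK", psk)))
    cmds = [
        f"config interface create {if_name} {vlan_id}",
        f"config interface address dynamic-interface {if_name} {if_ip} {if_mask} {if_gw}",
        f"config interface dhcp dynamic-interface {if_name} primary {dhcp}",
        f"config wlan create {wlan_id} {ssid}-prf {ssid}",
        f"config wlan interface {wlan_id} {if_name}",
        f"config wlan security wpa wpa2 ciphers aes enable {wlan_id}",
        f"config wlan security wpa akm 802.1x disable {wlan_id}",
        f"config wlan security wpa akm psk enable {wlan_id}",
        f"config wlan security wpa akm psk set-key ascii {psk} {wlan_id}",
        f"config wlan apgroup add {ap_group}",
        f"config wlan apgroup interface-mapping add {ap_group} {wlan_id} {if_name}",
    ]
    cmds += [f"config ap group-name {ap_group} {_token('AP name', ap)}" for ap in ap_names]
    cmds.append(f"config wlan enable {wlan_id}")  # enable last, once everything is in place
    return cmds


if __name__ == "__main__":
    print("\n".join(wlc_psk_wlan_commands(5, "Corp-Guest", 110, "guest-vlan110", "10.1.1.16",
          "255.255.255.0", "10.1.1.1", "172.23.1.25", "ExampleKey-2024!", "Floor1-APs", ["AP1", "AP2"])))
```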