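The virtual controller has no TPM (Trusted Platform Module), and the TPM certificates are kept on the MM (Mobility Master), so the AP's built-in certificate cannot be used directly; a self-signed certificate is needed instead.
First, have the AP register with the controller in CAP mode, then configure it as shown in the figure: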
Deployment: Remote
Authentication: Certificate
Trust anchor: self-signed

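Besides switching modes, a RAP also needs an internal IP address, which the RAP and the controller use to communicate over the tunnel.
If the log viewed on the VMC shows the following, the IP pool has not been configured, so getting an IP address fails.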
Apr 6 11:06:55 2023 isakmpd[6313]: <103103> <6313> <WARN> |ike| 172.16.3.128:56221-> IKE SA Deletion: IKE2_delSa peer:172.16.3.128:56221 id:2674563824 errcode:ERR_IKESA_CLEARED saflags:0x51 arflags:0x801
Apr 6 11:06:55 2023 isakmpd[6313]: <103061> <6313> <ERRS> |ike| Unable to get IPv4 Address from pool
Apr 6 11:06:55 2023 l2tp[6587]: <306419> <6587> <ERRS> |l2tp| shared_cli_get_addr(): Caller:ike. Failed to get ip address from L2TP pool:default-l2tp-pool.
Apr 6 11:06:55 2023 isakmpd[6313]: <103061> <6313> <ERRS> |ike| Unable to get IPv4 Address from pool
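The log pattern above can be checked for automatically. The following is an added example, not part of the original post or any vendor tooling: it parses the log lines quoted on this page and reports which RAP peer hit the missing-pool error and which pool was named. Tying a peer to the error by matching timestamps is an assumption of this sketch, and the function and variable names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: the four log lines quoted on this page, embedded so the check runs offline.
SAMPLE_LOG = """\
Apr 6 11:06:55 2023 isakmpd[6313]: <103103> <6313> <WARN> |ike| 172.16.3.128:56221-> IKE SA Deletion: IKE2_delSa peer:172.16.3.128:56221 id:2674563824 errcode:ERR_IKESA_CLEARED saflags:0x51 arflags:0x801
Apr 6 11:06:55 2023 isakmpd[6313]: <103061> <6313> <ERRS> |ike| Unable to get IPv4 Address from pool
Apr 6 11:06:55 2023 l2tp[6587]: <306419> <6587> <ERRS> |l2tp| shared_cli_get_addr(): Caller:ike. Failed to get ip address from L2TP pool:default-l2tp-pool.
Apr 6 11:06:55 2023 isakmpd[6313]: <103061> <6313> <ERRS> |ike| Unable to get IPv4 Address from pool
"""

# Layout seen in the lines above: time, process[pid], <msg id>, <pid>, <severity>, |module|, message.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8}\s+\d{4})\s+(?P<proc>[\w-]+)\[(?P<pid>\d+)\]:\s+"
    r"<(?P<msgid>\d+)>\s+<\d+>\s+<(?P<sev>\w+)>\s+\|(?P<mod>[^|]+)\|\s+(?P<msg>.*)$"
)
PEER_RE = re.compile(r"IKE SA Deletion:.*?peer:(?P<ip>[\d.]+):\d+")
POOL_RE = re.compile(r"Failed to get ip address from L2TP pool:(?P<pool>[\w-]+)")
NOADDR = "Unable to get IPv4 Address from pool"

def parse_line(line):
    """Split one log line into named fields; return None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_pool_failures(log_text):
    """Report each timestamp with address-pool errors, plus peers and pool names seen then."""
    buckets = defaultdict(lambda: {"peers": set(), "pools": set(), "errors": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines in another format
        b = buckets[rec["ts"]]  # assumption: same-second records belong to one tunnel attempt
        peer = PEER_RE.search(rec["msg"])
        pool = POOL_RE.search(rec["msg"])
        if peer:
            b["peers"].add(peer["ip"])
        if pool:
            b["pools"].add(pool["pool"])
        if pool or NOADDR in rec["msg"]:
            b["errors"] += 1
    return [
        {"time": ts, "peers": sorted(b["peers"]), "pools": sorted(b["pools"]), "errors": b["errors"]}
        for ts, b in buckets.items() if b["errors"]
    ]

if __name__ == "__main__":
    for finding in find_pool_failures(SAMPLE_LOG):
        print(finding)
```

On a controller serving several RAPs at once, records from different peers can share a second, so treat the peer list as candidates to confirm against the IKE SA details.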