Wednesday, July 20, 2016

Find IP range used by Aerohive HMNG hosted in Amazon cloud EC2

In this example I am going to demonstrate how to find the IP ranges used by Aerohive HMNG, which is hosted in the Amazon cloud EC2 service. At the moment all HMNG instances for International customers (all customers outside of the Americas) are hosted on "eu-west-1" servers.


1) Download "AWS Tools for Windows PowerShell" from https://aws.amazon.com/powershell/

2) Install it on a Windows server; in this example I am using Windows 2008 R2.

3) Open Windows PowerShell and enter the command "Set-ExecutionPolicy RemoteSigned"

4) Import the module AWSPowerShell

5) Now you can search for the IP address ranges using the command "Get-AWSPublicIpAddressRange"

In this example I want to filter the result by region (eu-west-1) and service (EC2)

Get-AWSPublicIpAddressRange -Region eu-west-1 -Service EC2

PS C:\> Get-AWSPublicIpAddressRange -Region eu-west-1 -Service EC2

IpPrefix         Region    Service
--------         ------    -------
46.51.128.0/18   eu-west-1 EC2
46.51.192.0/20   eu-west-1 EC2
46.137.0.0/17    eu-west-1 EC2
46.137.128.0/18  eu-west-1 EC2
52.16.0.0/15     eu-west-1 EC2
52.18.0.0/15     eu-west-1 EC2
52.30.0.0/15     eu-west-1 EC2
52.48.0.0/14     eu-west-1 EC2
52.95.244.0/24   eu-west-1 EC2
52.95.255.64/28  eu-west-1 EC2
52.208.0.0/13    eu-west-1 EC2
54.72.0.0/15     eu-west-1 EC2
54.74.0.0/15     eu-west-1 EC2
54.76.0.0/15     eu-west-1 EC2
54.78.0.0/16     eu-west-1 EC2
54.154.0.0/16    eu-west-1 EC2
54.155.0.0/16    eu-west-1 EC2
54.170.0.0/15    eu-west-1 EC2
54.194.0.0/15    eu-west-1 EC2
54.216.0.0/15    eu-west-1 EC2
54.220.0.0/16    eu-west-1 EC2
54.228.0.0/16    eu-west-1 EC2
54.229.0.0/16    eu-west-1 EC2
54.246.0.0/16    eu-west-1 EC2
54.247.0.0/16    eu-west-1 EC2
79.125.0.0/17    eu-west-1 EC2
176.34.64.0/18   eu-west-1 EC2
176.34.128.0/17  eu-west-1 EC2
185.48.120.0/22  eu-west-1 EC2
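Added example, not part of the post: the same region/service filter the cmdlet applies, done in Python against the JSON file the cmdlet itself reads (https://ip-ranges.amazonaws.com/ip-ranges.json), plus a check of whether a given peer address falls inside the result and a count of how many addresses an allow-list built from it admits. The JSON sample is constructed: three prefixes are taken from the output above, the two non-matching entries are made up. These prefixes cover every EC2 tenant in eu-west-1, not only HMNG, so a firewall rule built from them is broad.

```python
import ipaddress
import json

# Constructed sample in the shape of AWS's published ip-ranges.json.
# The three eu-west-1 EC2 prefixes are from the command output above; the
# last two entries are made up so the filter has something to drop.
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2016-07-20-00-00-00",
    "prefixes": [
        {"ip_prefix": "46.51.128.0/18", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "52.16.0.0/15", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "185.48.120.0/22", "region": "eu-west-1", "service": "EC2"},
        {"ip_prefix": "52.16.0.0/15", "region": "eu-west-1", "service": "AMAZON"},
        {"ip_prefix": "203.0.113.0/24", "region": "us-east-1", "service": "EC2"},
    ],
})


def filter_prefixes(ip_ranges_json, region, service):
    """Same filter as Get-AWSPublicIpAddressRange -Region/-Service, as networks."""
    data = json.loads(ip_ranges_json)
    nets = {ipaddress.ip_network(p["ip_prefix"])
            for p in data["prefixes"]
            if p["region"] == region and p["service"] == service}
    return sorted(nets, key=lambda n: (n.network_address, n.prefixlen))


def matching_prefix(networks, address):
    """Return the prefix that contains address, or None if it is outside the set."""
    addr = ipaddress.ip_address(address)
    return next((net for net in networks if addr in net), None)


def total_addresses(networks):
    """How many addresses an allow-list built from these prefixes admits."""
    return sum(n.num_addresses for n in ipaddress.collapse_addresses(networks))


if __name__ == "__main__":
    nets = filter_prefixes(SAMPLE_IP_RANGES, "eu-west-1", "EC2")
    for net in nets:
        print(net)
    print("peer 52.17.10.20 is in", matching_prefix(nets, "52.17.10.20"))
    print("allow-list admits", total_addresses(nets), "addresses")
```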

Monday, July 11, 2016

Aerohive IPsec VPN - Phase 1 proposal mismatch with peer


2016-07-11 13:22:36:Phase 1 proposal mismatch with peer (172.16.1.5[500]->172.16.1.254[500])

I was setting up a VPN using an Aerohive VPN gateway (CVG) and an Aerohive BR200 branch router. The VPN gateway was up but the BR200 was not forming the VPN.


1) The next step is to check the IKE events on both the VPN gateway and the BR200, so SSH in to each.

2) The BR200 is saying that there is no response from the VPN GW

AH-3f9dc0#show vpn ike event (BR200)

2016-07-11 13:58:36:Phase 1 deleted(10.100.4.237[4500]->172.16.1.5[4500])
2016-07-11 13:58:37:Phase 1 started(10.100.4.237[500]->172.16.1.5[500])
2016-07-11 13:59:26:Peer not responding(10.100.4.237[500]->172.16.1.5[500])
2016-07-11 13:59:26:Phase 1 deleted(10.100.4.237[500]->172.16.1.5[500])
2016-07-11 13:59:32:Phase 1 started(10.100.4.237[4500]->172.16.1.5[4500])
2016-07-11 14:00:21:Peer not responding(10.100.4.237[4500]->172.16.1.5[4500])

3) The VPN gateway is saying that there is a Phase 1 proposal mismatch

CVG#show vpn ike even (VPN GW)

2016-07-11 14:06:55:Phase 1 proposal mismatch with peer(172.16.1.5[4500]->172.16.1.254[4500])
2016-07-11 14:06:55:Phase 1 deleted(172.16.1.5[4500]->172.16.1.254[4500])
2016-07-11 14:07:05:Phase 1 started(172.16.1.5[4500]->172.16.1.254[4500])
2016-07-11 14:07:05:Phase 1 proposal mismatch with peer(172.16.1.5[4500]->172.16.1.254[4500])
2016-07-11 14:07:05:Phase 1 deleted(172.16.1.5[4500]->172.16.1.254[4500])
2016-07-11 14:07:15:Phase 1 started(172.16.1.5[500]->172.16.1.254[500])


4) Compare the phase 1 proposals on the VPN GW and the BR200, and you see that the AES key length does not match:

AH-3f9dc0#show vpn ike conf (BR200)
 /* prop_no=1, trns_no=1, rmconf=172.16.1.5[500] */
 phase1 proposal {
  lifetime time 84669 sec;
  lifetime bytes 0;
  dh_group modp1024;
  encryption_algorithm aes;
  encryption_algorithm length 256;
  hash_algorithm sha1;
  authentication_method hybrid_rsa_client;
 }

CVG#show vpn ike configuration (VPN Gateway)
/* prop_no=1, trns_no=1, rmconf=anonymous */
 phase1 proposal {
 lifetime time 86400 sec;
 lifetime bytes 0;
 dh_group modp1024;
 encryption_algorithm aes;
 encryption_algorithm length 128;
 hash_algorithm sha1;
 authentication_method hybrid_rsa_server;
 }

5) Go to the VPN configuration and change the AES key length to 128,
6) Upload the configuration to the CVG (VPN gateway) and the BR200,
7) The VPN is UP
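Added example, not from the post: a small Python script that parses the two phase1 proposal blocks quoted in step 4 and reports every negotiated parameter that differs, so the comparison does not rely on reading the blocks by eye. It generalizes step 4 to any parameter (DH group, hash, encryption algorithm), not only the AES key length. The lifetimes and authentication_method are left out of the comparison: the lifetimes above differ without being the reported cause, and hybrid_rsa_client/hybrid_rsa_server are the two complementary roles.

```python
import re

# Both blocks are copied from the "show vpn ike conf" output quoted above.
BR200_CONF = """\
 /* prop_no=1, trns_no=1, rmconf=172.16.1.5[500] */
 phase1 proposal {
  lifetime time 84669 sec;
  lifetime bytes 0;
  dh_group modp1024;
  encryption_algorithm aes;
  encryption_algorithm length 256;
  hash_algorithm sha1;
  authentication_method hybrid_rsa_client;
 }
"""
CVG_CONF = """\
/* prop_no=1, trns_no=1, rmconf=anonymous */
 phase1 proposal {
 lifetime time 86400 sec;
 lifetime bytes 0;
 dh_group modp1024;
 encryption_algorithm aes;
 encryption_algorithm length 128;
 hash_algorithm sha1;
 authentication_method hybrid_rsa_server;
 }
"""

# Allowed to differ: the lifetimes above differ without being the reported
# cause, and the authentication method is a complementary client/server pair.
NOT_COMPARED = {"lifetime time", "lifetime bytes", "authentication_method"}
# "lifetime time/bytes" and "encryption_algorithm length" are two-word keys.
LINE_RE = re.compile(r"^(lifetime (?:time|bytes)|encryption_algorithm length|\w+)\s+(.+)$")

def parse_phase1(text):
    """Return {parameter: value} for the first phase1 proposal block in text."""
    m = re.search(r"phase1 proposal\s*\{(.*?)\}", text, re.S)
    if m is None:
        raise ValueError("no phase1 proposal block found")
    params = {}
    for line in m.group(1).splitlines():
        match = LINE_RE.match(line.strip().rstrip(";"))
        if match:
            params[match.group(1)] = match.group(2)
    return params

def proposal_mismatches(conf_a, conf_b):
    """Return (parameter, value_a, value_b) for every compared parameter that differs."""
    a, b = parse_phase1(conf_a), parse_phase1(conf_b)
    keys = (set(a) | set(b)) - NOT_COMPARED
    return sorted((k, a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k))
```

Running proposal_mismatches(BR200_CONF, CVG_CONF) returns only the encryption_algorithm length entry, 256 against 128, which is the change made in step 5.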

Friday, July 1, 2016

Using Aerohive Certificate Authority

You can use HiveManager to generate certificates. These certificates are used by APs which are working as RADIUS servers. In this example I will generate a root CA and then generate a public/private key pair for the RADIUS server.

1) Generate a new CA root certificate, and self sign it,

2) Generate a certificate signing request for the certificate of the RADIUS server,

3) Get the certificate signed by the root CA we generated in step 1,

4) In the certificates section you can see the 4 certificates. The Defaut_CA.pem certificate must be installed in the clients --> check the blog post: How to install certificate in clients

5) Create a new RADIUS server instance and assign the certificates as below,

6) Assign this RADIUS server instance to an AP; the AP will act as the RADIUS server for the clients using the settings above.





How to add a certificate to trusted root certificates using group policy - Windows 2008 R2 / WPA2 Enterprise PEAP

I created a new set of RADIUS certificates for an Aerohive AP which is configured to be the RADIUS server. macOS and iOS clients prompt the users to accept the new certificate, but Windows does not. There are two ways to get around this,

1) Install the root CA certificate on the local machine and select the trusted root certificates folder,

Double click on the certificate

2) Add the CA certificate to the group policy