Frequent Contributor I
Posts: 102
Registered: ‎06-17-2009

RAP-109 VPN Tunnel Routing Issues

We've just installed a RAP-109 that tunnels back to a 650 controller.

No problem with the tunnel. Came up with no issues, but we can't seem to route to the corporate network no matter what we do.

Has anyone else deployed these yet? Any assistance with this would be greatly appreciated.
EDDIE FORERO | @HeyEddie
Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: RAP-109 VPN Tunnel Routing Issues

- Are the users wired or wireless?

- If wireless, is the virtual AP setup as tunnel, split-tunnel, or bridge?

- Are they getting an IP on the proper VLAN?

- What does the user role look like for the connected client (run show rights nameofrole)?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX

Frequent Contributor I
Posts: 102
Registered: ‎06-17-2009

Re: RAP-109 VPN Tunnel Routing Issues

This is an Instant RAP AP, so the AP tunnels to the controller.
You set up the Instant AP as normal (SSIDs, etc.), then you configure the VPN settings to connect to the controller.


Totally different setup than traditional RAPs.
EDDIE FORERO | @HeyEddie
Aruba
Posts: 1,643
Registered: ‎04-13-2009

Re: RAP-109 VPN Tunnel Routing Issues

Thanks for the clarification; I didn't notice this was an Instant doing VPN from the original post.

The two keys for routing corporate traffic are:

1) Adding the corporate networks as routes in the VPN configuration, and ensuring you put the proper "gateway" for the route (the controller's IP usually works)

2) Making sure you have your client networking set up correctly.  If you are not NAT'ing the traffic, the corporate side needs to know how to send the traffic back to the remote/VPN site (again the controller's IP on the corporate side would likely be the next hop).  If you are NAT'ing, the traffic should pass/route properly.

Can you confirm your routes and DHCP configuration for the VPN?

------------------------------------------------
Systems Engineer, Northeast USA
ACCX | ACDX | ACMX
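
An added illustration of the two routing conditions in the reply above, not part of the original thread and not Aruba tooling: a longest-prefix-match model that checks the forward route on the Instant AP and the return route on the corporate side. All addresses, route tables and the NAT source address are constructed assumptions.

```python
import ipaddress

def next_hop(table, dst):
    """Longest-prefix match over (prefix, next_hop) pairs; None if no route."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in table
               if addr in ipaddress.ip_network(p)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def check_round_trip(client, server, iap_routes, corp_routes, controller, nat_src=None):
    """Return a list of findings; an empty list means both directions route."""
    findings = []
    # Key 1: the IAP's VPN routes must send the corporate destination to the controller.
    hop = next_hop(iap_routes, server)
    if hop != controller:
        findings.append(f"forward: {server} leaves via {hop}, not the controller")
    # Key 2: the corporate side must route replies back toward the controller.
    # Without NAT it replies to the client's own address; with NAT it replies
    # to the translated source (assumed here to sit in an already-routed pool).
    seen = nat_src or client
    hop = next_hop(corp_routes, seen)
    if hop != controller:
        findings.append(f"return: replies to {seen} leave via {hop}, not the controller")
    return findings

# Constructed sample topology (not taken from the thread).
CONTROLLER = "10.10.1.2"
CLIENT, SERVER = "192.168.50.10", "10.10.20.5"
IAP_ROUTES = [("10.10.0.0/16", CONTROLLER)]
CORP_ROUTES = [("0.0.0.0/0", "10.10.1.1"),        # default route to the firewall
               ("172.16.99.0/24", CONTROLLER)]    # assumed VPN/NAT pool
REMOTE_ROUTE = ("192.168.50.0/24", CONTROLLER)    # the return route being added

def demo():
    return {
        "no_return_route": check_round_trip(
            CLIENT, SERVER, IAP_ROUTES, CORP_ROUTES, CONTROLLER),
        "return_route_added": check_round_trip(
            CLIENT, SERVER, IAP_ROUTES, CORP_ROUTES + [REMOTE_ROUTE], CONTROLLER),
        "nat": check_round_trip(
            CLIENT, SERVER, IAP_ROUTES, CORP_ROUTES, CONTROLLER, nat_src="172.16.99.7"),
    }

if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "ok")
```
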

Frequent Contributor I
Posts: 102
Registered: ‎06-17-2009

Re: RAP-109 VPN Tunnel Routing Issues

What we WANT to do is use a local DHCP server (not the VC) at the remote location and use the VPN tunnel to send and receive traffic from corporate, but we haven't been able to get this to work at all.

What we've done is configure the internal DHCP on the VPN portion of the Instant. And we've added one route (so far) to the corp network with the controller IP as the gateway.

So far, all we can do is access the controller UI. No other addresses on the corp network are accessible. There's a step I'm missing, but I don't know what it is.

EDDIE FORERO | @HeyEddie
Frequent Contributor I
Posts: 102
Registered: ‎06-17-2009

Re: RAP-109 VPN Tunnel Routing Issues

Turns out the client didn't have their Checkpoint guy add a route to the remote site. Now that's in and traffic can route to us. However, we are still having issues routing to the corp network. TAC said to create a VLAN interface on the controller for the remote network and use that as the gateway, which didn't make sense to me, and didn't work anyways.

Wound up pulling a RAP-5 we had laying around and set up the new office with that instead so I could fly out for AirHeads! RMA'ing the 109. Guess I'll try the new one when I get back.
EDDIE FORERO | @HeyEddie
Frequent Contributor I
Posts: 102
Registered: ‎06-17-2009

Re: RAP-109 VPN Tunnel Routing Issues

Hey, Clembo. Good seeing you at AirHeads!

Well, I'm back and still have to get this VPN working properly.

1) Adding the corporate networks as routes in the VPN configuration, and ensuring you put the proper "gateway" for the route (the controller's IP usually works)

(Yep, Corp Network, Corp Mask, Corp Controller as gateway.)

2) Making sure you have your client networking set up correctly.  If you are not NAT'ing the traffic, the corporate side needs to know how to send the traffic back to the remote/VPN site (again the controller's IP on the corporate side would likely be the next hop).  If you are NAT'ing, the traffic should pass/route properly.

(Tried "LOCAL" which NATs, tried both Dist modes, none work to route traffic. The route is configured in their Checkpoint to route all traffic to the remote network to the controller's IP. Tracert on a corp-side confirms that's where it's sending the traffic.)

Can you confirm your routes and DHCP configuration for the VPN?

[Corp Network] [Corp Mask] [Corp Controller as gateway]

Any thoughts?

EDDIE FORERO | @HeyEddie
Frequent Contributor I
Posts: 70
Registered: ‎04-03-2007

Re: RAP-109 VPN Tunnel Routing Issues

Ed,

Have you had any progress on this?

I am running into the same issue here. We have an IAP cluster at a site and want to use the VPN tunnel from the VC to the corporate network to access auth servers and other resources.

We can get the tunnel up which I can see on the corp controller by issuing the command "show IAP table". We can ping the controller from the VC but nothing else on the corporate side.

I spent a couple of hours with TAC and their reply to me was that only the clients should be able to access the corp subnet and that the VC would not be able to. So in essence they are telling me that if I need the VC to authenticate clients to the NPS server on the corporate subnet I will need to establish a separate VPN tunnel using a VPN firewall at the remote site to the corp VPN firewall. However, they were also unable to enable the clients to reach the corporate network.

Hope you have had some luck in progressing with this configuration.

Michael McNamee
Sr. Network Engineer - SecurEdge Networks
ACMP / ACDX / AWMP

http://www.securedgenetworks.com/secure-edge-networks-blog/