Controllerless Networks


Instant Mode - the controllerless Wi-Fi solution that's easy to set up, is loaded with security and smarts, and won't break your budget

RAP-109 VPN Tunnel Routing Issues

  • 1.  RAP-109 VPN Tunnel Routing Issues

    Posted Mar 06, 2013 08:53 PM
    We've just installed a RAP-109 that tunnels back to a 650 controller.

    No problem with the tunnel. Came up with no issues, but we can't seem to route to the corporate network no matter what we do.

    Has anyone else deployed these yet? Any assistance with this would be greatly appreciated.


  • 2.  RE: RAP-109 VPN Tunnel Routing Issues

    Posted Mar 06, 2013 09:05 PM

    - Are the users wired or wireless?

    - If wireless, is the virtual AP set up as tunnel, split-tunnel, or bridge?

    - Are they getting an IP on the proper VLAN?

    - What does the user role look like for the connected client (run show rights nameofrole)?

     

     



  • 3.  RE: RAP-109 VPN Tunnel Routing Issues

    Posted Mar 06, 2013 09:14 PM
    This is an Instant RAP AP, so the AP tunnels to the controller.
    You set up the Instant AP as normal: SSIDs, etc. Then you configure the VPN settings to connect to the controller.


    Totally different setup than traditional RAPs.


  • 4.  RE: RAP-109 VPN Tunnel Routing Issues

    Posted Mar 06, 2013 11:03 PM

    Thanks for the clarification; I didn't notice this was an Instant doing VPN from the original post.

     

    The two keys for routing corporate traffic are:

    1) Adding the corporate networks as routes in the VPN configuration, and ensuring you put the proper "gateway" for the route (the controller's IP usually works)

    2) Making sure you have your client networking set up correctly.  If you are not NAT'ing the traffic, the corporate side needs to know how to send the traffic back to the remote/VPN site (again the controller's IP on the corporate side would likely be the next hop).  If you are NAT'ing, the traffic should pass/route properly.

     

    Can you confirm your routes and DHCP configuration for the VPN?
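
The two checks from the reply above, as an added example that is not part of the original thread: a small Python model that does a longest-prefix lookup on the Instant VPN routes (forward path) and on the corporate-side routes (return path). All addresses are constructed, and the assumption that NAT'ed traffic needs no extra return route follows the reply's own statement.

```python
import ipaddress

def next_hop(routes, ip):
    """Longest-prefix match over [(cidr, next_hop), ...]; None if nothing matches."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, hop in routes:
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def check_path(client, server, controller, vpn_routes, corp_routes, nat):
    """Findings for client -> server traffic; an empty list means both keys hold."""
    findings = []
    # Key 1: the Instant VPN config must route the corporate destination
    # through the tunnel, with the controller as gateway.
    hop = next_hop(vpn_routes, server)
    if hop is None:
        findings.append("forward: no VPN route covers the corporate destination")
    elif hop != controller:
        findings.append(f"forward: VPN route gateway is {hop}, not the controller")
    # Key 2: without NAT the corporate side needs a return route to the remote
    # subnet. With NAT this check is skipped (assumption taken from the reply).
    if not nat:
        hop = next_hop(corp_routes, client)
        if hop is None:
            findings.append("return: corporate side has no route to the remote subnet")
        elif hop != controller:
            findings.append(f"return: replies go to {hop}, not the controller")
    return findings

# Constructed sample topology (not taken from the thread).
CONTROLLER = "10.10.1.5"
CLIENT, SERVER = "192.168.50.20", "10.10.20.15"
VPN_ROUTES = [("10.10.0.0/16", CONTROLLER)]                 # on the Instant AP
CORP_BEFORE = [("0.0.0.0/0", "10.10.0.1")]                  # default route only
CORP_AFTER = CORP_BEFORE + [("192.168.50.0/24", CONTROLLER)]

if __name__ == "__main__":
    cases = [("no return route", CORP_BEFORE, False),
             ("return route added", CORP_AFTER, False),
             ("NAT, no return route", CORP_BEFORE, True)]
    for label, corp, nat in cases:
        result = check_path(CLIENT, SERVER, CONTROLLER, VPN_ROUTES, corp, nat)
        print(f"{label}: {result or 'ok'}")
```
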

     

     



  • 5.  RE: RAP-109 VPN Tunnel Routing Issues

    Posted Mar 07, 2013 08:28 AM

    What we WANT to do is use a local DHCP server (not the VC) at the remote location and use the VPN tunnel to send and receive traffic from corporate, but we haven't been able to get this to work at all.

     

    What we've done is configure the internal DHCP on the VPN portion of the Instant. And we've added one route (so far) to the corp network with the controller IP as the gateway.

     

    So far, all we can do is access the controller UI. No other addresses on the corp network are accessible. There's a step I'm missing, but I don't know what it is.



  • 6.  RE: RAP-109 VPN Tunnel Routing Issues

    Posted Mar 12, 2013 01:38 AM
    Turns out the client didn't have their Checkpoint guy add a route to the remote site. Now that's in and traffic can route to us. However, we are still having issues routing to the corp network. TAC said to create a VLAN interface on the controller for the remote network and use that as the gateway, which didn't make sense to me, and didn't work anyways.

    Wound up pulling a RAP-5 we had laying around and set up the new office with that instead so I could fly out for AirHeads! RMA'ing the 109. Guess I'll try the new one when I get back.


  • 7.  RE: RAP-109 VPN Tunnel Routing Issues

    Posted Mar 17, 2013 07:16 PM

    Hey, Clembo. Good seeing you at AirHeads!

     

    Well, I'm back and still have to get this VPN working properly. 

     

    1) Adding the corporate networks as routes in the VPN configuration, and ensuring you put the proper "gateway" for the route (the controller's IP usually works)

     

    (Yep, Corp Network, Corp Mask, Corp Controller as gateway.)

     

    2) Making sure you have your client networking set up correctly.  If you are not NAT'ing the traffic, the corporate side needs to know how to send the traffic back to the remote/VPN site (again the controller's IP on the corporate side would likely be the next hop).  If you are NAT'ing, the traffic should pass/route properly.

     

    (Tried "LOCAL" which NATs, tried both Dist modes; none work to route traffic. The route is configured in their Checkpoint to route all traffic to the remote network to the controller's IP. Tracert on a corp-side confirms that's where it's sending the traffic.)

     

    Can you confirm your routes and DHCP configuration for the VPN?

     

    [Corp Network] [Corp Mask] [Corp Controller as gateway]

     

    Any thoughts?



  • 8.  RE: RAP-109 VPN Tunnel Routing Issues

    Posted Apr 19, 2013 04:04 PM

    Ed,

     

    Have you had any progress on this?

     

    I am running into the same issue here. We have an IAP cluster at a site and want to use the VPN tunnel from the VC to the corporate network to access auth servers and other resources.

     

    We can get the tunnel up which I can see on the corp controller by issuing the command "show IAP table". We can ping the controller from the VC but nothing else on the corporate side.

     

    I spent a couple of hours with TAC and their reply to me was that only the clients should be able to access the corp subnet and that the VC would not be able to. So in essence they are telling me that if I need the VC to authenticate clients to the NPS server on the corporate subnet I will need to establish a separate VPN tunnel using a VPN firewall at the remote site to the corp VPN firewall. However, they were also unable to enable the clients to reach the corporate network.

     

    Hope you have had some luck in progressing with this configuration.