Controllerless Networks


[Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

  • 1.  [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

    Posted Nov 20, 2013 12:16 AM

    Hello! In this guide I'll teach you how to build a VPN tunnel from your IAP cluster to the wireless controller.

    Prerequisites: you need a controller on a 6.2.x version!

    There are many modes in which you can build this tunnel, but specifically I'll teach you how to build a VPN tunnel to the controller on a local network NATed by the VC.

    First let's see the config on the IAP.

    Let's go to the VPN option on the IAP.

    vpn.PNG

    You select IPSEC and on the primary host you put the IP address of the controller, which should have a port mapping to your controller with a public IP address with the IPSEC ports.

    Then click next.

    vpn2.PNG

    Here you add the networks that you want to reach on your central site; the default gateway would be the public IP address of the controller.

    Click finish.

    Now go to More again and go to DHCP Server.

    dhcp.PNG

    Add a new scope with a random VLAN, with a network of your preference. When you finish, click OK.

    Now let's go to the SSID creation.

    Create a new network.

    ssid.PNG

    There you put "network assigned", and you put static and put the random VLAN you created before; then you can set whatever you need on the other parameters and click finish.

    We are done on the Instant APs.

    Now on the controller side.

    You need to add the MAC address of the IAP on your controller like this:

    (Aruba3400) #local-userdb-ap add mac-address 00:11:22:33:44:55 ap-group test

    Or you can add it on the GUI in the remote APs whitelist.

    After that you need to create a VPN pool like this:

    (Aruba3400) # ip local pool "rapngpool" <startip> <endip>

    You can do it also by GUI on VPN services.

    Take in mind that the range you put in there should be a routable range that exists on the controller. For example, in my case for this demonstration I used this VPN range:

    vpnrange.PNG

    Because I got an interface VLAN like this:

    interfacevlan.PNG

    As you see, that range is routable in my controller (not sure if you guys get my point?).

    Then you need to create an IAP role like this:

    (Aruba3400) (config) #ip access-list session iaprole
    (Aruba3400) (config-sess-iaprole)#any host <radius-server-ip> any src-nat
    (Aruba3400) (config-sess-iaprole)#any any any permit
    (Aruba3400) (config-sess-iaprole)#!
    (Aruba3400) (config) #user-role iaprole
    (Aruba3400) (config-role) #session-acl iaprole
    (Aruba3400) (config-role) #
    (Aruba3400) (config) #aaa authentication vpn default-iap
    (Aruba3400) (VPN Authentication Profile "default-iap") #server-group default
    (Aruba3400) (VPN Authentication Profile "default-iap") #default-role iaprole
    (Aruba3400) (VPN Authentication Profile "default-iap") #!
    (Aruba3400) (config) #

    Now if you got many address pools like me for many different things, like this:

    addresspools.PNG

    then you will need to select the correct one on the IAP role like this:

    You go to the iaprole on Access Control and look for the L2TP pool and select the correct one; in my case it is "vpn", like this:

    l2protocol.PNG

    After this you are done!

    You can check if the VPN is up by doing show iap table.

    And you should see your VPN up in there...

    Anyways, I hope this helps you guys.

    Cheers

    Carlos

    [Mod note: edited title for readability]



  • 2.  RE: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

    EMPLOYEE
    Posted Nov 20, 2013 12:25 AM

    This is a great overview. I would also add that folks should understand all the DHCP modes (L2, L3, Local) depending on your scenario. The one in the post above is basically a local DHCP server and ALL client traffic is NAT'ed out of the virtual controller. It really depends on the scenario.

    For an L2 extension like our traditional RAPs, it would be L2, Centralized.

    For an L3 extension, which should be used for remote teleworkers or branch offices, please review and consider L3, Distributed. It is what I recommend almost 100% of the time.



  • 3.  RE: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

    Posted Nov 20, 2013 12:50 AM

    Thanks Seth

    I'll try making a tutorial for the L3 deployment another day.

    Cheers

    Carlos



  • 4.  RE: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

    Posted Nov 20, 2013 12:22 PM
    Can I make a suggestion that you post this to the Aruba Solution Exchange?


  • 5.  RE: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

    Posted Dec 11, 2013 11:51 PM

    Great guide NightShade1.

    Take a look at the solution, https://ase.arubanetworks.com/solution/name/iap_vpn/, on Solution Exchange. This solution helps configure IAP VPN to Mobility Controller either over distributed L2 or distributed L3. I just added a link on the solution to this thread as an additional reference point for other users.



  • 6.  RE: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

    Posted Dec 11, 2013 11:54 PM

    Excellent link, thank you very much!

    Cheers

    Carlos



  • 7.  RE: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

    Posted Dec 12, 2013 12:00 AM

    Did you just make that tutorial? Hahaha, it just got there like 10 mins ago :)



  • 8.  RE: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

    Posted Dec 12, 2013 01:19 PM

    It's actually been around since August, but it shows when the solution was last modified, which was just recently to add a link to this thread.



  • 9.  RE: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

    Posted Feb 02, 2014 03:40 PM

    Carlos,

    I followed your tutorial, and I'm still having some issues.

    I do have a unique setup that may differ from normal production environments.

    Using ArubaOS 6.3.1.2

    Instant 6.3.1.2-4.0.0.3

    I'm trying to make this function in a test environment without the availability of a public IP facing the internet. So all IP interfaces are private. This could add some issues itself.

    I do have a router/firewall in between the IAP and the controller, on the recommendation that I could have a route to the controller in addition to the VPN tunnel. This could cause two paths, which could interfere with my testing.

    First issue is getting the VPN connected. I do not see the VPN in the "show iap table".

    However, the VPN shows "up" in the Instant UI.

    I also see the IAP in the AOS Monitor tab > Clients (two entries, one for the inner and one for the outer IP).

    Behavior seen is the VPN status on the IAP goes up and down. The inner IP address changes each time it does this.

    I can't access any of my controller VLANs that I have set up in the route section for the VPN on the IAP.

    Any suggestions?

    Regards,

    Colin



  • 10.  RE: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

    Posted Feb 02, 2014 04:01 PM

    Hello Collin King

    If you cannot see the tunnel up on show iap table then the tunnel is not up...

    Can you show me some kind of network diagram, to see what you are doing in your lab?

    Cheers

    Carlos



  • 11.  RE: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

    Posted Feb 02, 2014 04:21 PM

    Carlos,

    Update to my last post:

    I can ping the internal interfaces on my controller, which I'm assuming is through the VPN, since the TOR I show in the diagram cannot route to the other VLANs. The only way I could ping is if I was on the controller itself. (I fixed a netmask setting.)

    However, like you mentioned, the VPN does not show up in the "show iap table", so something is not 100% working.

    It still shows as "up" in the IAP GUI.

    Attached is the setup.

    Thanks,

    Colin

    Attachment(s): IAP vpn topology.pdf (123 KB)


  • 12.  RE: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

    Posted Feb 02, 2014 06:35 PM
    If it's true that you can ping the internal IP of the controller then it should be okay....
    Let me try to reproduce this with the same firmwares.... to see if for some reason it does not show in the show iap table.

    Cheers
    Carlos


  • 13.  RE: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

    Posted Feb 07, 2014 09:37 AM

    Carlos,

    Any luck in reproducing the issue on your end?

    I changed my setup slightly, just swapped the firewall and TOR switch I showed in the diagram. So now it goes IAP > TOR > Firewall > controller.

    Still have the exact same behavior.

    I'm probably going to have to open a case with Aruba Support. If you do get the time to try this out, I'd still be interested in your results.

    Thanks,

    Colin

     



  • 14.  RE: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

    Posted Feb 07, 2014 11:17 AM

    Sorry, I have been really busy at work... I'll try this weekend!

    Cheers

    Carlos



  • 15.  RE: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

    Posted Feb 09, 2014 07:36 PM

    Well, I just did it again with 6.3 on the controller and 6.3.1.2-4.0.0.2_41506 on the Instant.

    It works just fine.

    Just that I notice that the show iap table command is no more!

    You can check with show crypto ipsec sa:

    (Office_Alternetworks) #show  crypto ipsec sa
    
     
    IPSEC SA (V2) Active Session Information
    -----------------------------------
    Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
    ------------     ------------     ----------------   ----- ---------------   --------
    172.16.2.30      172.16.3.221     1d540400/763fa300  UT2   Feb  9 19:22:07   172.16.2.30      
    172.16.3.254     172.16.3.221     c8479e00/6b5bf00   UT2   Feb  9 18:55:45   172.16.3.254     
    190.218.207.8    172.16.3.221     75894400/72c53700  UT2   Feb  9 19:23:17   172.16.3.124     
    
    Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
           L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2
    
    Total IPSEC SAs: 3
    
    (Office_Alternetworks) #

    The 190.218.207.8 is my home IP.

    You can also check this:

    You should be able to see the IAP role in the user table.

    Office_Alternetworks) #show user-table 
    
    Users
    -----
        IP              MAC            Name              Role           Age(d:h:m)  Auth  VPN link       AP name            Roaming   Essid/Bssid/Phy                    Profile                 Forward mode  Type   Host Name
    ----------     ------------       ------             ----           ----------  ----  --------       -------            -------   ---------------                    -------                 ------------  ----   ---------
    190.218.205.8  00:00:00:00:00:00                     logon          00:00:18    VPN                  N/A                                                                                     tunnel               
    172.29.0.8     00:24:2c:9a:68:5a                     authenticated  50:03:55                         AP_93H_Datacenter  Wireless  Alternetworks/6c:f3:7f:c8:39:e0/g  Alternetworks-aaa_prof  tunnel        Win 7  
    172.16.3.124   00:00:00:00:00:00  00:0b:86:8f:6a:1a  iaprole        00:00:10    VPN   190.218.207.8  N/A                                                             default-iap             tunnel               
    
    User Entries: 3/3
     Curr/**bleep** Alloc:5/2065 Free:17/2060 Dyn:22 AllocErr:0 FreeErr:0
    
    (Office_Alternetworks) #

    The client that got the iaprole is my Instant AP that is doing the VPN tunnel to the office.

    I really don't know why you don't see this on your deployment... :( It's working here just fine... and I get all the output I'm expecting... I'm not missing anything...

    Cheers

    Carlos
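    The two checks in the post above (the IAP's SA in "show crypto ipsec sa", and the inner IP changing between reconnects that Colin reports) can be automated; this is an added example, not code from the thread or from Aruba. The "show crypto ipsec sa" output is the one posted above; the L2TP pool bounds 172.16.3.100 to 172.16.3.130 and the second snapshot are constructed assumptions.

```python
import ipaddress
import re
# "show crypto ipsec sa" output as posted in the thread, used here as sample input.
SAMPLE_SA = """\
IPSEC SA (V2) Active Session Information
-----------------------------------
Initiator IP     Responder IP     SPI(IN/OUT)        Flags Start Time        Inner IP
------------     ------------     ----------------   ----- ---------------   --------
172.16.2.30      172.16.3.221     1d540400/763fa300  UT2   Feb  9 19:22:07   172.16.2.30
172.16.3.254     172.16.3.221     c8479e00/6b5bf00   UT2   Feb  9 18:55:45   172.16.3.254
190.218.207.8    172.16.3.221     75894400/72c53700  UT2   Feb  9 19:23:17   172.16.3.124

Flags: T = Tunnel Mode; E = Transport Mode; U = UDP Encap
       L = L2TP Tunnel; N = Nortel Client; C = Client; 2 = IKEv2

Total IPSEC SAs: 3
"""
# Constructed second snapshot: the IAP re-established with new SPIs and a new inner IP.
AFTER_SA = SAMPLE_SA.replace(
    "75894400/72c53700  UT2   Feb  9 19:23:17   172.16.3.124",
    "0a1b2c00/3d4e5f00  UT2   Feb  9 19:31:02   172.16.3.125")

SA_ROW = re.compile(
    r"^(?P<init>\d+\.\d+\.\d+\.\d+)\s+(?P<resp>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<spi_in>[0-9a-f]+)/(?P<spi_out>[0-9a-f]+)\s+(?P<flags>\S+)\s+"
    r"(?P<start>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+(?P<inner>\d+\.\d+\.\d+\.\d+)\s*$")

def parse_ipsec_sa(text):
    """One dict per SA row; header, separator and legend lines do not match."""
    return [m.groupdict() for m in map(SA_ROW.match, text.splitlines()) if m]

def find_iap_sa(sas, pool_start, pool_end):
    """SAs whose inner IP sits inside the controller's L2TP pool (assumed bounds)
    and whose flags say IKEv2 + UDP encap + tunnel mode, i.e. an IAP tunnel."""
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    return [sa for sa in sas
            if lo <= ipaddress.ip_address(sa["inner"]) <= hi
            and {"U", "T", "2"} <= set(sa["flags"])]

def inner_ip_changed(before, after):
    """Flap check: the same initiator with a different inner IP between two
    snapshots means the tunnel dropped and came back with a new pool lease."""
    prev = {sa["init"]: sa["inner"] for sa in before}
    return [(sa["init"], prev[sa["init"]], sa["inner"]) for sa in after
            if sa["init"] in prev and prev[sa["init"]] != sa["inner"]]

if __name__ == "__main__":
    now = parse_ipsec_sa(SAMPLE_SA)
    print(find_iap_sa(now, "172.16.3.100", "172.16.3.130"), inner_ip_changed(now, parse_ipsec_sa(AFTER_SA)))
```

    Run against two captures taken a few minutes apart, a non-empty result from inner_ip_changed is the same symptom Colin describes, while a healthy tunnel keeps one inner IP and one SPI pair.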



  • 16.  RE: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

    Posted Feb 09, 2014 07:38 PM

    Ah yeah, they also changed how you add a remote whitelist on 6.3; now the command is

    (Office_Alternetworks) #whitelist-db rap add mac-address 00:0b:86:8f:6a:1a ap-group iaprole

    Good review though... now I know the new commands in 6.3 :)

    Cheers

    Carlos



  • 17.  RE: [Tutorial] Building a VPN from an IAP Cluster to a Wireless Controller

    Posted Feb 10, 2014 11:08 AM

    Carlos,

    Thanks for the quick response.

    I don't see any issues with my setup, except for the lack of anything showing up in the "show iap table".

    I checked the 6.3 documents. Both the user guide and CLI guide show that this command is supported. In fact, 6.3 adds to the command and now has a "show iap table long".

    I do see some intermittent changing of the inner IP address from the DHCP pool.

    In your opinion, is this normal?

    To me, if the IP changes, then that would signify a VPN failure and it gets reestablished again on the next IP address in the range. If so, then my VPN tunnel may not be stable.

    My "show user-table" and "show crypto ipsec sa" are showing similar information to yours.

    I'll continue with my testing assuming that the VPN is up and running. I'll also follow up with Aruba Support to see if I can't get to the bottom of the "show iap table" issue.

    Regards,

    Colin