Wireless Access

Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

Need some help in trying to understand VIA connection profile.
  • 1.  Need some help in trying to understand VIA connection profile.

    Posted Feb 28, 2014 04:00 PM

    Hi,

    I'm trying to set up VIA for a demo, but I'm having a hard time understanding the network end of things, and I'm reaching out to the community to see if anyone can help set me straight.

    The demo is on an M3 running 6.1.3.7.

    I've already installed the temporary licenses and I'm ready to begin configuring profiles to use for VIA VPN; however, I'd like to get a bit more information to (hopefully) better my understanding before proceeding.

    Here are my initial configs. The via-test-conn-profile has yet to be established. I'm currently using the default, but I've yet to actually test it. The only thing I've tested is VIA web-auth, i.e. I can reach https://<Controller IP>/via/, authenticate, and be presented with a VIA download link.


    aaa authentication via connection-profile via-test-conn-profile
      controller addr ??? internal-ip ??? desc "via-test-on-test-ctrl"
      no auto-login
      auth-profile via-test-auth-profile
      no auto-upgrade
      tunnel address 192.168.0.0 netmask 255.255.0.0
      split-tunneling
      ikev2-policy 100
      no windows-credentials
      ikev2-proto
      ikev2-auth eap-mschapv2
      no save-passwords
      no domain-pre-connect
      client-netmask 255.255.255.0
      no validate-server-cert
    !

    aaa authentication via auth-profile via-test-auth-profile
      default-role vpn-test
      desc "Test VIA Auth Profile"
      max-authentication-failures 5
      server-group cppm4
    !

    user-role vpn-test
      clone default-via-role
      pool l2tp vpn-test
      via "via-test-conn-profile"
      access-list session via-test-acl
    !

    ip local pool vpn-test 192.168.153.1 192.168.153.254

    ip access-list session via-test-acl
      any any any permit
    !

    I understand from the 6.1 Users Guide that...

    The controller address should be the public IP address users will connect to. At the moment, my controller's IP isn't publicly reachable, so I'll only be able to test this from certain networks.

    The internal IP address is described as "...the IP Address of any of the VLAN interface IP addresses belongs to this controller." I think part of my problem is the grammar used here. What isn't apparent is whether this is the VLAN where authenticated VIA users end up.

    The other bit that's confusing me is the tunnel address. The Users Guide describes it as, "A list of network destination (IP address and netmask) that the VIA client will tunnel through the controller. All other network destinations will be reachable directly by the VIA client." I don't fully understand this.

    I read on another post (http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/VIA-Questions/td-p/53716/highlight/true) that if the l2tp pool I defined is on the same network as the defined VLAN then all should be good, and if it isn't, I need to add a src-nat rule.

    At present, my l2tp pool is a local /24. I'm assuming the controller will assign clients IP addresses as needed. Besides needing to add a src-nat rule to my ACL, what else would I need to do to make clients assigned in this local IP pool able to reach a specific network configured on the controller? Specify a tunneled address? Add a static route?

    For simplicity, I guess I should try to use already defined VLANs.

    Any help or recommendations would be appreciated.

    TIA,

    --Raf


  • 2.  RE: Need some help in trying to understand VIA connection profile.

    EMPLOYEE
    Posted Mar 01, 2014 09:45 AM

    A word of advice. Read chapter 6 of the IKE Validated Reference Design here: http://www.arubanetworks.com/vrd/VIAAppNote/wwhelp/wwhimpl/js/html/wwhelp.htm to check that all of your profiles are set.

    Also, use IKEv1 (not IKEv2) initially, because IKEv2 has some special requirements.

    The controller addr should be the public address of the controller your client is connecting to. This will be downloaded when they get their profile. The internal-ip is the IP address that the client will check to see if it should even launch a VPN tunnel or not. This is the private IP address of the controller that the client will attempt to reach first, and if it can connect to it, it will not launch a VPN session.

    The local VPN pool can be either:

    1) routable addressing, where the pool will give out addresses from a subnet/VLAN that exists on the controller. You do not need the src-nat statement at the end of the user role. The controller will automatically answer ARPs for any user that is in the pool to accept and route traffic for that client.

    2) non-routable addressing, where it gives out IP addresses that are not routable in your network. With non-routable addressing, you need to have a source-nat statement on the end of the user role, OR your infrastructure needs a route for the subnet supplied by the VPN pool. If traffic for that special subnet is routed to the controller, the controller will answer for any client currently connected in the pool.

    The "default-via-role" is the user role that users get placed into by default, and is the one to be modified to put the "any any any src-nat" at the end of. The "default-via-role" should also be configured with an l2tp pool, which decides which VPN pool of addresses your VIA client draws IP addresses from.

    If you turn on split tunneling, the tunnel address and netmask specify what traffic will be tunneled through the client to your infrastructure. All other traffic is bridged to the client's network locally by the client.

    Hopefully this gives you enough to start with...
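    The three decisions cjoseph describes (the internal-ip probe, routable vs. non-routable pool and therefore whether src-nat is needed, and which destinations a split tunnel carries) modelled as a small Python check. This is an added example, not Aruba or VIA code; the pool range and tunnel address are taken from Raf's config above, while the VLAN subnets, controller addresses and destinations are constructed values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set


@dataclass
class ViaConnectionProfile:
    # Subset of the 'aaa authentication via connection-profile' fields; field names are my own
    controller_addr: str        # public address the client connects to
    internal_ip: str            # private controller address the client probes first
    split_tunneling: bool
    tunnel_networks: List[str]  # "tunnel address X netmask Y" entries, written as CIDR


def should_launch_tunnel(profile: ViaConnectionProfile, reachable: Set[str]) -> bool:
    """Client-side decision: if internal-ip is directly reachable, the client is already
    on the corporate network and no VPN session is launched."""
    return profile.internal_ip not in reachable


def needs_src_nat(vlan_subnets: List[str], pool_start: str, pool_end: str) -> bool:
    """Pool addresses drawn from a subnet that exists as a VLAN on the controller are
    routable (the controller answers ARP for them). Otherwise the role needs an
    'any any any src-nat' rule, or the infrastructure needs a route for the pool."""
    first, last = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    for subnet in map(ipaddress.ip_network, vlan_subnets):
        if first in subnet and last in subnet:
            return False
    return True


def is_tunneled(profile: ViaConnectionProfile, destination: str) -> bool:
    """With split tunneling, only destinations inside a tunnel address/netmask entry
    go through the controller; everything else stays on the client's local network."""
    if not profile.split_tunneling:
        return True
    dest = ipaddress.ip_address(destination)
    return any(dest in ipaddress.ip_network(net) for net in profile.tunnel_networks)


if __name__ == "__main__":
    # Raf's profile: tunnel 192.168.0.0/16, pool 192.168.153.1-254; 203.0.113.10 and
    # 10.1.1.1 are constructed stand-ins for the ??? controller addresses.
    raf = ViaConnectionProfile("203.0.113.10", "10.1.1.1", True, ["192.168.0.0/16"])
    print("launch VPN from home:", should_launch_tunnel(raf, set()))
    print("needs src-nat (no 192.168.153.0/24 VLAN):",
          needs_src_nat(["10.1.1.0/24"], "192.168.153.1", "192.168.153.254"))
    print("192.168.10.5 tunneled:", is_tunneled(raf, "192.168.10.5"))
    print("8.8.8.8 tunneled:", is_tunneled(raf, "8.8.8.8"))
```
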

  • 3.  RE: Need some help in trying to understand VIA connection profile.

    Posted Mar 05, 2014 09:19 AM

    cjoseph,

    Thank you very much. Your responses have helped me better understand the configuration to the point where I was able to create the needed profiles and their hierarchy.

    @cjoseph wrote:

    A word of advice. Read chapter 6 of the IKE Validated Reference Design here: http://www.arubanetworks.com/vrd/VIAAppNote/wwhelp/wwhimpl/js/html/wwhelp.htm to check that all of your profiles are set.

    Also, use IKEv1 (not IKEv2) initially, because IKEv2 has some special requirements.

    I've not yet switched to IKEv1, but I'll think about doing so since I think it may be limiting my ability to download a profile or initiate the session.

    I'll take a look at the troubleshooting information to get more information.

    I have other questions; however, I think I'll sit down with my SE to try and hash out the configs and integration with CPPM.

    Thanks for your response,