Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VIA VPN to Multiple Controllers Based on Destination Subnet

  • 1.  VIA VPN to Multiple Controllers Based on Destination Subnet

    Posted Mar 14, 2012 12:29 PM

    We haven't implemented VIA yet, so I'd like to confirm whether or not this configuration is possible. We have a user that will be using an iPad and would like the ability to VPN back to multiple locations to control local resources at those locations. There is an App running on the iPad that needs to connect to each destination via VPN. It is the same App connecting to multiple destinations. If each location had its own 600-series controller with a static public IP at each location, could VIA determine, based on destination network, which controller to VPN to? If so, would this be done transparently to the user?

     

    In addition, we would like VIA to operate in split-tunnel so that all non-defined traffic just goes out the iPad's WIFI or 3G internet connection. Hopefully that makes sense. I know that VIA can do split-tunnel to a single VPN destination, my main concern is whether it can use multiple VPN destinations based on the destination subnet.

     

    Example:

    Destination 1: 192.168.1.0 /24   <---VPN----< VIA ----< iPad

    Destination 2: 172.16.10.2 /24   <---VPN----< VIA ----< iPad

    Destination 3: 192.168.50.0 /24   <---VPN----< VIA ----< iPad

     



  • 2.  RE: VIA VPN to Multiple Controllers Based on Destination Subnet
    Best Answer

    Posted Mar 14, 2012 12:51 PM

    VIA can't simultaneously form multiple connections to multiple controllers. VIA forms an IPsec connection to only one controller at any given time. A user can manually select which controller he wants to connect to, but VIA won't start forming IPsec connections to multiple controllers based on the destination.

     

    However, since you have a 600 at each site with a static IP, you can connect VIA to one location and form IPsec tunnels between the other controllers. So, VIA will connect to controller X and controller X will forward traffic to the other controllers based on the destination (this might increase the bandwidth a little at the controller X location). You can also load balance, where a set of users will connect to controller X by default, another set of users will connect to controller Y, the rest to controller Z, and so on. This way not all users terminate at one controller all the time. VIA also supports split-tunneling.

     

    Regards,

    Sathya



  • 3.  RE: VIA VPN to Multiple Controllers Based on Destination Subnet

    Posted Mar 14, 2012 02:15 PM

    Thanks, Sathya. That does help, but let me clarify our situation a little more. The iPad will NOT need to form multiple IPSEC tunnels simultaneously...only one at a time.

     

    Example: iPad needs to access resources at Destination A. VIA builds IPSEC tunnel automatically to Controller A. Then, iPad needs to access resources at Destination C. VIA builds new IPSEC tunnel to Controller C, thus disconnecting the original tunnel. Is that possible?



  • 4.  RE: VIA VPN to Multiple Controllers Based on Destination Subnet

    Posted Mar 14, 2012 02:46 PM

    No, that is not possible today.

     

    Regards,

    Sathya



  • 5.  RE: VIA VPN to Multiple Controllers Based on Destination Subnet

    Posted Mar 15, 2012 11:20 AM

    Thanks, Sathya. I think the tunnels between controllers are the best way to go.