Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VPN IPSec and NAT on a 3200 controller

  • 1.  VPN IPSec and NAT on a 3200 controller

    Posted Jun 19, 2014 03:00 PM

    Hi guys, 

    I'm really stuck trying to reach all my VLANs on my 3200 controller via VPN IPsec. Hope to get some help here.

     

    My configuration is this:

    controller ip :172.16.0.254

    vlan 10 192.168.0.0

    vlan 20 10.1.99.0

     

    IPSEC pool: 192.168.0.240-254 

    Role: default VPN role (I removed the allow-all and added the src-nat rule: user any any src-nat).

    I connect and get a 192.168.0.x address. Router address 172.16.0.254.

    I am trying to reach the 10.1.99.0 network but can't.

     

    I'd appreciate some help, I'm kind of new to this.

     

    Thanks!

     




  • 2.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 19, 2014 03:27 PM

    Just to clarify, you're trying to VPN from a device to the controller, correct? Your VPN client says you're connected, but yet you cannot reach the 10.1.99.0 network once connected?



  • 3.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 19, 2014 03:33 PM

    Yes that is correct



  • 4.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 19, 2014 03:50 PM

    Check your vpn user role to make sure that your first ACL is "any any src-nat <pool>". If you haven't already, you'll need to create a source nat pool that includes an IP address on your controller that your VPN users will be NAT'd by.

     

    I don't recall if this is absolutely necessary, but I also included a "permit any any" AFTER the src-nat ACL. Working fine for me.



  • 5.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 19, 2014 05:05 PM

    My first ACL is any any src-nat. I made a NAT pool:

    Start IP Address 192.168.0.240

    End IP Address 192.168.0.254

    Destination NAT IP Address 10.1.99.1

     

    Then I added the permit any any, but it's not working.

    Is the NAT pool correctly set up?

    Should I select the "Used by VPN" option as well?

     

    Permit any any is at the end.



  • 6.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 19, 2014 05:46 PM

    Close, but the NAT pool actually just needs to be a single IP address. In other words, the starting & ending IP should be the same IP on the controller that you want traffic to be NAT'd out of. Also, the destination IP should be the same single IP.

     

    I'd like to better understand why the nat pool has to be configured like that, but I do know that it works.



  • 7.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 19, 2014 06:07 PM

    Huh... so I have to set the starting, ending and destination NAT address to 10.1.99.1?

     



  • 8.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 19, 2014 06:14 PM

    Yes. That will probably be your egress interface IP address.



  • 9.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 19, 2014 06:23 PM

    Doesn't work. I also tried selecting the "Used by VPN" option, but same results.



  • 10.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 20, 2014 07:40 AM

    Have you tried enabling source NAT in the VPN settings?

     

    [attached screenshot: aos-vpn-nat.jpg]



  • 11.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 20, 2014 09:33 AM

    Yes, that button isn't doing anything. Earlier posts on the forum state that the button is legacy and source NAT is now done via the role configuration. When I check the button and press Apply, it says "no changes made".



  • 12.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 20, 2014 11:33 AM

    Once connected, are you able to ping any devices in the 172.16.0.0 or 192.168.0.0 networks or is it ONLY devices in the 192.168.0.0 network that aren't reachable? Any others? Routing setup correctly? 

     

    I would watch "show datapath session" output while testing to see if there are any obvious firewall or connectivity issues going on. Filter for your source IP.



  • 13.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 20, 2014 12:09 PM

     


    @Clayman wrote:

    Once connected, are you able to ping any devices in the 172.16.0.0 or 192.168.0.0 networks or is it ONLY devices in the 192.168.0.0 network that aren't reachable? Any others? Routing setup correctly? 

     

    I would watch "show datapath session" output while testing to see if there are any obvious firewall or connectivity issues going on. Filter for your source IP.


    I can ping the IP of the controller 172.16.0.254, that's the only device on that VLAN. I can ping anything on 192.168.0.0 also. Not sure what you mean about routing, I have not set up any routing.



  • 14.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 20, 2014 02:27 PM

    @akki wrote:

    I can ping the IP of the controller 172.16.0.254, that's the only device on that VLAN. I can ping anything on 192.168.0.0 also. Not sure what you mean about routing, I have not set up any routing.


    OK, if the gateway for the 10.1.99.0 network is on the controller, make sure that "Enable inter-vlan routing" is checked on both VLANs (192.168.0.0 & 10.1.99.0), otherwise clients on those two networks will not be able to communicate with each other. However, if you've got an upstream L3 device (router) doing the routing then no need to mess with that.

     

    Also, if you remove VPN from the equation & just connect a device to 192.168.0.0 (wired or wireless) can it reach 10.1.99.0? If so, this isn't a VPN issue at all, but rather a routing or firewall problem most likely.
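
    Pulling the pieces from posts 4, 6, 8 and 14 together, this is what the VPN-role NAT setup looks like in ArubaOS 6.x CLI. It is an added example written for this page, not a configuration posted by anyone in the thread, and it uses the thread's addresses. The pool name vpn-nat, the ACL name vpn-nat-acl and the role name vpn-user are assumed names; the controller address 10.1.99.1 on VLAN 20 is taken from post 18. Check the exact syntax against the release running on your controller.

```text
! NAT pool: one controller address, with start = end = destination (posts 6 and 8)
ip nat pool vpn-nat 10.1.99.1 10.1.99.1 10.1.99.1

! Session ACL for VPN users: the src-nat rule is first, the permit comes after it (post 4)
ip access-list session vpn-nat-acl
  any any any src-nat pool vpn-nat
  any any any permit

! Role applied to VPN clients; this replaces the default "allow all" rule
! (vpn-user is an assumed name)
user-role vpn-user
  access-list session vpn-nat-acl

! Hand the role to VPN clients (assumes no server-derived role overrides it)
aaa authentication vpn default
  default-role vpn-user

! Both VLANs need inter-VLAN routing (post 14); "no ip routing" on a VLAN would turn it off
interface vlan 10
  ip address 192.168.0.1 255.255.255.0
  ip routing
interface vlan 20
  ip address 10.1.99.1 255.255.255.0
  ip routing

! Verification, using the client's pool address from post 18 (192.168.0.242):
!   show rights vpn-user                        confirms the ACL order inside the role
!   show datapath session table 192.168.0.242   shows the client's flows; read the flag
!                                               letters against the legend the command prints
!   show ip interface brief                     confirms the controller has an address on both VLANs
```

    If the client's entries in the datapath session table show traffic to 10.1.99.x leaving with a denied flag, the role is the problem; if they show the source-NAT flag but nothing comes back, the problem is on the 10.1.99.0 side (the hosts there would be replying to 10.1.99.1, so check that address is really on the controller and that nothing upstream is filtering it).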



  • 15.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 20, 2014 02:47 PM

    @Clayman wrote:

    OK, if the gateway for the 10.1.99.0 network is on the controller, make sure that "Enable inter-vlan routing" is checked on both VLANs (192.168.0.0 & 10.1.99.0), otherwise clients on those two networks will not be able to communicate with each other. However, if you've got an upstream L3 device (router) doing the routing then no need to mess with that.

    Also, if you remove VPN from the equation & just connect a device to 192.168.0.0 (wired or wireless) can it reach 10.1.99.0? If so, this isn't a VPN issue at all, but rather a routing or firewall problem most likely.


    Inter-VLAN routing is on for both networks. When I'm on site I can ping the 10.1.99.0 network and devices from the 192.168.0.0 network.



  • 16.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 23, 2014 10:49 AM

    Probably going to need to see the output of "show datapath session" while troubleshooting this.



  • 17.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 23, 2014 12:56 PM

    I spoke with Aruba support, and compared to a working setup on another controller, the only difference is the subnet, they say.

    On the working controller I'm running 10.0.0.0 and 10.1.99.0 (working). On this controller I'm running 192.168.0.0 and 10.1.99.0 (not working). This surely must be a bug?



  • 18.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 20, 2014 02:28 PM

    Update: I changed the controller IP to 10.1.99.1. Connecting now I get the IP 192.168.0.242, with gateway 10.1.99.1. I can ping anything on the 192.168.0.0 network. On 10.1.99.0 I can only ping 10.1.99.1, nothing else.



  • 19.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 20, 2014 11:48 AM

    @akki wrote:

     

    My configuration is this:

    controller ip :172.16.0.254

    vlan 10 192.168.0.0

    vlan 20 10.1.99.0

     

    IPSEC pool: 192.168.0.240-254 

     

     


    akki....

     

    Does your controller have an IP on VLAN 10 (which is the same subnet as the pool)? Have you tried giving it an IP and enabling src-nat at the VLAN level for VLAN 10?



  • 20.  RE: VPN IPSec and NAT on a 3200 controller

    Posted Jun 20, 2014 11:55 AM

    @clembo wrote:

    Does your controller have an IP on VLAN 10 (which is the same subnet as the pool)? Have you tried giving it an IP and enabling src-nat at the VLAN level for VLAN 10?


    Yes, the controller has an IP of 192.168.0.1 on VLAN 10. Source NAT is also enabled on that VLAN.