Wireless Access


Access network design for branch, remote, outdoor, and campus locations with HPE Aruba Networking access points and mobility controllers.

VPN, VIA

  • 1.  VPN, VIA

    Posted May 02, 2018 12:57 PM

    Hello, guys!
    Sorry, I'm a newbie with Aruba, but I've been fighting with this for several days, and need some help with my questions.
    I have an Aruba7010 controller (x2, redundancy, 6.5.4.6, connected directly to the Internet), Apple MBP 2014 (Mac OS 10.13.4), and an urgent need to build a VPN that would allow password-based access for two users. What I have done:
    1. tried this manual - http://www.arubanetworks.com/techdocs/ArubaOS_6_5_4_X_Web_Help/Web_Help_Index.htm#ArubaFrameStyles/VPNs/Configuring_a_VPN_for_Cl.htm%3FTocPath%3DArubaOS%2520User%2520Guide%2520Topics%7CVirtual%2520Private%2520Networks%2520(VPNs)%7C_____6
    It is not working as expected. I connect to the server, but I can't ping it, and I can't ping any VLANs (even my pool). The connection is just established and nothing happens. Maybe some firewall issue? Where should I go to check?
    2. Tried to deploy VIA. Stopped at downloading the client. Can't log in to the download page due to "Valid Service Contract Missing" :-) . Maybe someone knows how to bypass this error?



  • 2.  RE: VPN, VIA

    EMPLOYEE
    Posted May 02, 2018 02:16 PM

    1.  You need to have an "any any any source-nat" entry at the end of your user role to get traffic past the controller.

    2.  You would need a PEF-V license for the controller to work with the Via Client:  http://www.arubanetworks.com/assets/ds/DS_VIA.pdf



  • 3.  RE: VPN, VIA

    Posted May 02, 2018 03:08 PM

    Thanks!

    1. Tried with it and without. No difference. The controller is not accessible. Maybe I created the wrong config? Controller IP 172.16.0.254, VLAN 1 (that I need) 192.168.40.0/24. Created several VPN.

    a) in the same VLAN, vpn pool 192.168.40.3-40.6, NAT pool was from 192.168.40.3-192.168.40.6 to 192.168.40.1 (found somewhere on this site). It did not help.

    b) other VLAN,  vpn pool 192.168.70.3-70.6/29, nat pool 192.168.70.3-70.6 to 192.168.40.1 or 172.16.0.254, or to 192.168.70.1. Same bad result. 

    2. Yes, I have this license. I can't log in to the support site. :-) 



  • 4.  RE: VPN, VIA

    EMPLOYEE
    Posted May 02, 2018 04:19 PM

    When you get a pool IP address, can you type "show datapath session table <ip address that you got>" to see if traffic is being blocked or permitted?