02-04-2013 12:14 AM
I have configured a number of RAPs in different geographic locations.
They all share the same config (i.e. not copy-pasted, but by reference).
Remote wifi clients exit the tunnel in HQ and can access HQ resources (internet, RDP...) just fine.
Although the VAPs have Forwarding set to "split tunnel", remote clients that want to use remote resources come out of the tunnel in HQ and are routed back towards the remote site.
Thanks for any advice.
02-04-2013 03:07 AM
There are quite a few articles in the knowledgebase about configuring and diagnosing split tunnel problems. Please do a search and look at the results in knowledgebase. One article on configuration is here: https://arubanetworkskb.secure.force.com/pkb/articles/HowTo/R-541
Aruba Customer Engineering
02-05-2013 04:46 AM - edited 02-05-2013 04:49 AM
I got split tunneling to work. I have an aesthetics question remaining.
My network is atypical in that remote sites live on a private MPLS VPN network, i.e. they don't have a proper internet connection.
So I had to define 3 rules in the following sequence:
1. a DHCP permit rule
2. a "src-nat route" rule for all destinations local to the RAP
3. a fallthrough rule that 'permits' all remaining traffic over the IPsec tunnel toward HQ
Now for the question: I want to configure split tunneling for 13 sites with a minimum of configuration.
The "src-nat route" expects a "network alias", which means I have 13 separate policies to define, followed by 13 separate roles, 13 AAA profiles, etc.
Is it possible to replace the explicit "network alias" with a "reference" to the network where 'this' RAP happens to live, which would make that rule dynamic, and clean up the config?