Create VPN Tunnel from IAP to Mobility Controller

By ckokstar posted Sep 17, 2014 05:26 PM





Aruba Instant supports building secure VPN connections to the head-end Mobility Controller (MC). This allows wireless and wired users to access the corporate network's resources seamlessly. The traffic forwarding mode is determined by the station IP address assignment selected (the VPN Mode).

IP allocation by the DHCP daemon in the IAP is unique. The user specifies the start and end IP addresses, which can span a relatively large subnet. The controller divides this large subnet further, based on the client count the user specifies in the IAP. This process is automatic and requires no configuration. The calculated network range is sent back to the IAP once the VPN is established. The following VPN modes are supported:

  • Distributed L3
  • Distributed L2
  • Local *
  • Centralized L2 *

* Not available in this solution template, send feedback to us if you would like these additional options included.
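
How a start/end pool and a per-branch client count translate into branch subnets, as an added planning sketch that is not part of the original post and not Aruba's allocation code. It assumes power-of-two blocks, three reserved addresses per block and sequential assignment; the pool 10.20.0.0 to 10.20.255.255 and the network 10.20.1.0/24 are constructed sample values.

```python
import ipaddress

RESERVED = 3  # assumption: network, broadcast and gateway address per branch

def branch_prefix(client_count):
    """Longest IPv4 prefix whose block holds client_count + RESERVED addresses."""
    if client_count < 1:
        raise ValueError("client count must be at least 1")
    host_bits = max(2, (client_count + RESERVED - 1).bit_length())
    return 32 - host_bits

def carve_pool(start, end, client_count):
    """Split [start, end] into equal, aligned, non-overlapping branch subnets."""
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    if last < first:
        raise ValueError("end address precedes start address")
    prefix = branch_prefix(client_count)
    size = 1 << (32 - prefix)
    base = -(-first // size) * size  # round up to the next block boundary
    subnets = []
    while base + size - 1 <= last:
        subnets.append(ipaddress.IPv4Network((base, prefix)))
        base += size
    return subnets

def conflicts(subnets, existing):
    """Return branch subnets that overlap networks already routed elsewhere."""
    nets = [ipaddress.IPv4Network(n) for n in existing]
    return [s for s in subnets if any(s.overlaps(n) for n in nets)]

if __name__ == "__main__":
    # Constructed sample: a /16-sized pool with 50 clients per branch.
    pool = carve_pool("10.20.0.0", "10.20.255.255", client_count=50)
    print(len(pool), "branch subnets, first is", pool[0])
    print("overlap with 10.20.1.0/24:", conflicts(pool, ["10.20.1.0/24"]))
```

Running the overlap check against the networks already present in the corporate routing table before choosing the pool catches address conflicts that would otherwise surface only after branches come up.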

Key features comparison between different VPN Modes


Platform Tested

Aruba Mobility Controller 3400 running AOS build 38660

IAP version (38733), (39086)


Configuration Notes

The first step in setting up an IAP VPN to the controller is to make sure the VPN tunnel is up and running. Once the VPN is up, proceed with the DHCP Server (VPN Mode) configuration, followed by the SSID configuration. This solution template does not contain the configuration code for creating an SSID; use the Web UI to create the SSID. The only requirement is that the VLAN ID configured in the VPN Mode matches the VLAN ID parameter in the SSID.

When defining the VPN networks in the IAP routing profile, the default gateway should be the controller's switch IP. Use the "show controller-ip" command on the Mobility Controller (MC) to get the switch IP address.



In the case of distributed L2 VPN mode, the VLAN ID configured in the IAP must match the VLAN ID in the controller. In this mode, the network is extended from the data center to the branch network.



None (default-vpn-role is used and not editable)

PEFV (Role is editable)


