Building a VPN from a IAP Cluster to a Wireless Controller - Nov 2013

By Srynearson posted Mar 04, 2014 04:10 PM


Tutorial by: 

Hello! in this guide ill teach you how to build a VPN tunnel from your IAP Cluster to the wireless controller

Prerequisites: you need a controller on 6.2 .x version!


There are many modes in which you can build this tunnel but expecifically ill teach you how to build a vpn tunnel to the controller on local network Nated by VC


First let see the config on the IAP


Lets go to VPN option on the IAP




You select IPSEC and on the primary host you put the ip address of the controller which should have a port mapping to your controller with a public ip address with the ipsec ports


then click next





Here you add the networks that you want to reach on your  central site, the default gateway would be the public ip address of the controller.


Click finish


Now go to more again and go to DHCP Server


add a new scope with a ramdom vlan, with a network of your preference.  When you fniish click ok


Now lets go to the SSID creation

Create a new network



There you put network assigned, and you put static and put the random vlan you created before, then you can set whatever you need on the other paramehters and click finish.


We are done on the Instant APs



Now on the controller side


You need to add the mac address of the IAP on your controller like this

(Aruba3400) #local-userdb-ap add mac-address 00:11:22:33:44:55 ap-group test


Or you can add it on the gui on the remote APS whitelist


After that you need to create a vpn pool like this

(Aruba3400) # ip local pool "rapngpool" <startip> <endip>


You can do it also by gui on vpn services.


Take in mind that the range you put in there should be a routable range that exist on the controller. for example  in my case for this demostration i used this vpn range



Becauase i got a interface vlan like this



Which as you see that range is routable in my controller(not sure if you guys get my point?)



Then you need to create a IAP role like this

(Aruba3400) (config) #ip access-list session iaprole

(Aruba3400) (config-sess-iaprole)#any host <radius-server-ip> any src-nat (Aruba3400) (config-sess-iaprole)#any any any permit

(Aruba3400) (config-sess-iaprole)#!

(Aruba3400) (config) #user-role iaprole

(Aruba3400) (config-role) #session-acl iaprole

(Aruba3400) (config-role) #

(Aruba3400) (config) #aaa authentication vpn default-iap

(Aruba3400) (VPN Authentication Profile "default-iap") #server-group default

(Aruba3400) (VPN Authentication Profile "default-iap") #default-role iaprole

(Aruba3400) (VPN Authentication Profile "default-iap") #!

(Aruba3400) (config) #


Now if you got many address pools like me for many different things like this



then you will need to select the correct one on the iap role like this


You go to the iaprole on access control and look for the l2tp pool and select the correct one, in my case is vpn liek this



After this you are done!


you can check if the vpn is up by doing show iap table

And you should see your vpn up in there...


Anyways i hope this help you guys





[Mod note: edited title for readability]