Tutorial by: NightShade1
Hello! in this guide ill teach you how to build a VPN tunnel from your IAP Cluster to the wireless controller
Prerequisites: you need a controller on 6.2 .x version!
There are many modes in which you can build this tunnel but expecifically ill teach you how to build a vpn tunnel to the controller on local network Nated by VC
First let see the config on the IAP
Lets go to VPN option on the IAP
You select IPSEC and on the primary host you put the ip address of the controller which should have a port mapping to your controller with a public ip address with the ipsec ports
then click next
Here you add the networks that you want to reach on your central site, the default gateway would be the public ip address of the controller.
Now go to more again and go to DHCP Server
add a new scope with a ramdom vlan, with a network of your preference. When you fniish click ok
Now lets go to the SSID creation
Create a new network
There you put network assigned, and you put static and put the random vlan you created before, then you can set whatever you need on the other paramehters and click finish.
We are done on the Instant APs
Now on the controller side
You need to add the mac address of the IAP on your controller like this
(Aruba3400) #local-userdb-ap add mac-address 00:11:22:33:44:55 ap-group test
Or you can add it on the gui on the remote APS whitelist
After that you need to create a vpn pool like this
(Aruba3400) # ip local pool "rapngpool" <startip> <endip>
You can do it also by gui on vpn services.
Take in mind that the range you put in there should be a routable range that exist on the controller. for example in my case for this demostration i used this vpn range
Becauase i got a interface vlan like this
Which as you see that range is routable in my controller(not sure if you guys get my point?)
Then you need to create a IAP role like this
(Aruba3400) (config) #ip access-list session iaprole
(Aruba3400) (config-sess-iaprole)#any host <radius-server-ip> any src-nat (Aruba3400) (config-sess-iaprole)#any any any permit
(Aruba3400) (config) #user-role iaprole
(Aruba3400) (config-role) #session-acl iaprole
(Aruba3400) (config-role) #
(Aruba3400) (config) #aaa authentication vpn default-iap
(Aruba3400) (VPN Authentication Profile "default-iap") #server-group default
(Aruba3400) (VPN Authentication Profile "default-iap") #default-role iaprole
(Aruba3400) (VPN Authentication Profile "default-iap") #!
(Aruba3400) (config) #
Now if you got many address pools like me for many different things like this
then you will need to select the correct one on the iap role like this
You go to the iaprole on access control and look for the l2tp pool and select the correct one, in my case is vpn liek this
After this you are done!
you can check if the vpn is up by doing show iap table
And you should see your vpn up in there...
Anyways i hope this help you guys
[Mod note: edited title for readability]
At Aruba, we believe that the most dynamic customer experiences happen at the Edge. Our mission is to deliver innovative solutions that harness data at the Edge to drive powerful business outcomes.
© Copyright 2021 Hewlett Packard Enterprise Development LPAll Rights Reserved.