Hi,
I'm trying to setup VIA for a demo, but I'm having a hard time understanding the network end of things & I'm reaching out to the community to see if anyone can help set me straight.
The demo is on an M3 running 6.1.3.7.
I've already installed the temporary licenses & I'm ready to begin configuring profiles to use for VIA VPN however I'd like to get a bit more information to (hopefully) better my understanding before proceeding.
Here are my initial configs. The via-test-conn-profile has yet to be established. I'm currently using the default, but I've yet to actually test it. The only thing I've tested is via web-auth, i.e. I can reach https://<Controller IP>/via/, authenticate, & be presented w/ a VIA download link.
aaa authentication via connection-profile via-test-conn-profile
controller addr ??? internal-ip ??? desc "via-test-on-test-ctrl"
no auto-login
auth-profile via-test-auth-profile
no auto-upgrade
tunnel address 192.168.0.0 netmask 255.255.0.0
split-tunneling
ikev2-policy 100
no windows-credentials
ikev2-proto
ikev2-auth eap-mschapv2
no save-passwords
no domain-pre-connect
client-netmask 255.255.255.0
no validate-server-cert
!
aaa authentication via auth-profile via-test-auth-profile
default-role vpn-test
desc "Test VIA Auth Profile"
max-authentication-failures 5
server-group cppm4
!
user-role vpn-test
clone default-via-role
pool l2tp vpn-test
via "via-test-conn-profile"
access-list session via-test-acl
!
ip local pool vpn-test 192.168.153.1 192.168.153.254
ip access-list session via-test-acl
any any any permit
!
I understand from the 6.1 Users Guide that...
The controller address should be the public IP address users will connect to. At the moment, my controller's IP isn't publicly reachable, so I'll only be able to test this from certain networks.
The internal IP address is described as "...the IP Address of any of the VLAN interface IP addresses belongs to this controller." I think part of my problem is the grammar used here. What isn't apparent is whether this is the VLAN where authenticated VIA users end up?
The other bit that's confusing me is the tunnel address? The Users Guide describes it as, "A list of network destination (IP address and netmask) that the VIA client will tunnel through the controller. All other network destinations will be reachable directly by the VIA client." I don't fully understand this?
I read on another post (http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/VIA-Questions/td-p/53716/highlight/true) that if the l2tp pool I defined is on the same network as the defined VLAN then all should be good & if it isn't, I need to add a src-nat rule.
At present, my l2tp pool is a local /24. I'm assuming the controller will assign clients IP addresses as needed. Besides needing to add a src-nat rule to my ACL, what else would I need to do to make clients assigned from this local IP pool able to reach a specific network configured on the controller? Specify a tunneled address? Add a static route?
For simplicity, I guess I should try to use already defined VLANs.
Any help or recommendations would be appreciated.
TIA,
--Raf
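For reference, here is what the two points raised above (the src-nat rule for a pool that is not on a controller-owned VLAN, and the "no validate-server-cert" line in the connection profile) could look like in ArubaOS CLI. This is an added example, not the poster's configuration or Aruba documentation; it reuses the poster's profile and ACL names and assumes the `user any any src-nat` session-ACL rule and the `validate-server-cert` form are accepted on 6.1 as on other ArubaOS releases.

```text
! Session ACL applied to the VIA role: source-NAT client traffic to the
! controller's own interface address so that return traffic from internal
! networks comes back via the controller (the thread cited above says this is
! needed when the l2tp pool is not a VLAN the controller owns - assumption:
! the pool 192.168.153.0/24 is not configured as a VLAN on this controller)
ip access-list session via-test-acl
  user any any src-nat
!
! Connection profile: the original posted profile carries
! "no validate-server-cert", so the client would accept any controller
! certificate. Enabling validation makes the client check the cert it is
! presented (assumption: a certificate the client trusts is installed).
aaa authentication via connection-profile via-test-conn-profile
  validate-server-cert
!
```

The ACL rule only changes the source address of tunnelled client traffic; which destinations are tunnelled at all is still governed by the profile's "tunnel address" list when split-tunneling is enabled.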