Controllerless Networks

Contributor I

IAP IPSEC VPN L2 Centralized - Unable to get DHCP

I am trying to set up an L2 Centralized IAP VPN configuration and am running into issues.

I have the IAP with an IPSec tunnel and the tunnel is up. I can see the SA active session in show crypto isakmp sa.

I created a generic PSK network for testing and connect to it, but the DHCP Discover never gets answered.

I mapped the DHCP server as a VLAN on the controller.

I feel like I'm missing a step on the controller to tell it to utilize the VLAN as part of the tunnel, but I'm not finding this in the VRD.

Thanks for any help!

 

Super Contributor II

Re: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

I would advise you to take a look at the documentation.

https://www.arubanetworks.com/techdocs/Instant_83_WebHelp/Content/Instant_UG/IAP_VPN/IAP_VPN_Support.htm

Make sure you use the same VLAN ID within the SSID/DHCP profile configuration and on the controller side. So the VLAN specified in the IAP is the VLAN the device is placed into.


Willem Bargeman ACMX#935 | ACCX #822

Please give me kudos if my post was useful!
If your issue is solved mark the post as solution!
Contributor I

Re: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

Thanks for that document, it is exactly what I was looking for to set this up.

However, I've gone through it and still have the same issue.

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name User Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- --------- ---------
172.16.10.80 00:00:00:00:00:00 20:a6:cd:cf:e8:e2 default-vpn-role 02:23:41 VPN 10.18.250.74 N/A default-iap tunnel WIRELESS

I did notice within the document to create a role and have done that, but it appears my IAP is still using the default-vpn-role. I feel like this is only necessary for the RADIUS src-nat piece, though. Right now I'm just trying to get it working with PSK.

Thanks for the help

Super Contributor II

Re: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

In the past you could change the user roles for IAP-VPN. Today this is only possible if you have the VPN license.

Willem Bargeman ACMX#935 | ACCX #822

Contributor I

Re: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

Does this mean for my scenario, L2 Centralized with central RADIUS I need that license? 

Super Contributor II

Re: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

No, but if you need to assign different user roles to the IAP-VPN user, then you need a license.

Willem Bargeman ACMX#935 | ACCX #822

Contributor I

Re: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

I don't believe I will, but since it still isn't working I'm confused where the gap is.

Contributor I

Re: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

Okay, I found that I needed to add the MAC address to the trusted branch db. I didn't see that in the documentation, as it only seemed to mention adding to the whitelist.

I now see the IAP when I do show iap detailed-table.

It shows that the Status is up with Primary, Centralized and Bridged(L2) flags. However, I still cannot connect as a client. DHCP and ARP do not respond.

Super Contributor II

Re: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

Do you see the devices with the command "show station-table"? Please also use the following commands to see if the device is connected and placed in the correct network.

show user-table mac
show datapath bridge table

Is the IAP VLAN (configured within the IAP SSID) available at the controller?

Willem Bargeman ACMX#935 | ACCX #822

Contributor I

Re: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

Here is the output for show user-table:

Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name User Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- --------- ---------
172.16.10.80 00:00:00:00:00:00 20:a6:cd:cf:e8:e2 default-vpn-role 03:05:18 VPN 10.18.250.74 N/A default-iap tunnel WIRELESS
10.18.250.74 00:00:00:00:00:00 logon 03:05:18 VPN N/A tunnel WIRELESS

I'm confused by that logon role entry, and I do not see my laptop MAC.

There was nothing in the datapath bridge table for my MAC either.

The VLAN is available on the controller and is also used for local wireless. Do I need to change this and have a separate VLAN?
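As an added check (example code written for this thread, not part of the posts above or of Aruba's tooling): a small Python parser for the show user-table output pasted above that reports whether a given client MAC appears in the table and flags entries still sitting in the logon role. The laptop MAC passed in is an assumption, since the post never states it.

```python
import re

# Constructed sample: the show user-table output pasted in the thread above.
SAMPLE_USER_TABLE = """\
Users
-----
IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name User Type
---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- --------- ---------
172.16.10.80 00:00:00:00:00:00 20:a6:cd:cf:e8:e2 default-vpn-role 03:05:18 VPN 10.18.250.74 N/A default-iap tunnel WIRELESS
10.18.250.74 00:00:00:00:00:00 logon 03:05:18 VPN N/A tunnel WIRELESS
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
MAC = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$", re.I)
AGE = re.compile(r"^\d{2}:\d{2}:\d{2}$")          # Age(d:h:m) column
FORWARD_MODES = {"tunnel", "bridge", "split-tunnel", "decrypt-tunnel"}


def parse_user_table(text):
    """Tokenise each data row; columns are located by pattern because
    empty columns collapse when the output is pasted."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not IPV4.match(tokens[0]):
            continue                                   # title/header/separator rows
        age_idx = next((i for i, t in enumerate(tokens) if AGE.match(t)), None)
        if age_idx is None:
            continue
        entries.append({
            "ip": tokens[0],
            "mac": tokens[1] if MAC.match(tokens[1]) else None,
            "role": tokens[age_idx - 1],               # Role precedes Age
            "auth": tokens[age_idx + 1] if age_idx + 1 < len(tokens) else None,
            "forward_mode": next((t for t in tokens if t in FORWARD_MODES), None),
            "macs_seen": [t.lower() for t in tokens if MAC.match(t)],
        })
    return entries


def check_client(text, client_mac):
    """Return a list of findings explaining why a client may be missing."""
    findings = []
    entries = parse_user_table(text)
    if not any(client_mac.lower() in e["macs_seen"] for e in entries):
        findings.append(f"client {client_mac} not in user-table: no traffic reached the controller")
    for e in entries:
        if e["role"] == "logon":                       # unauthenticated placeholder role
            findings.append(f"{e['ip']} is still in the logon role")
    return findings


if __name__ == "__main__":
    for f in check_client(SAMPLE_USER_TABLE, "aa:bb:cc:dd:ee:ff"):  # assumed laptop MAC
        print(f)
```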
