Controllerless Networks


IAP IPSEC VPN L2 Centralized - Unable to get DHCP

  • 1.  IAP IPSEC VPN L2 Centralized - Unable to get DHCP

    Posted Apr 15, 2019 02:24 PM

    I am trying to set up an L2 Centralized IAP VPN configuration and am running into issues.

    I have the IAP with an IPSec tunnel and the tunnel is up. I can see the SA active session in show crypto isakmp sa.

    I created a generic PSK network for testing and connected to it, but the DHCP Discover never gets answered.

    I mapped the DHCP server as a VLAN on the controller.

    I feel like I'm missing a step on the controller to tell it to utilize the VLAN as part of the tunnel, but I'm not finding this in the VRD.

    Thanks for any help!



  • 2.  RE: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

    Posted Apr 15, 2019 03:36 PM

    I would advise you to take a look at the documentation.

     

    https://www.arubanetworks.com/techdocs/Instant_83_WebHelp/Content/Instant_UG/IAP_VPN/IAP_VPN_Support.htm

     

    Make sure you use the same VLAN ID within the SSID/DHCP profile configuration and on the controller side. The VLAN specified in the IAP is the VLAN the device is placed into.



  • 3.  RE: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

    Posted Apr 16, 2019 09:47 AM

    Thanks for that document, it is exactly what I was looking for to set this up.

     

    However, I've gone through it and still have the same issue. 

     

    Users
    -----
    IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name User Type
    ---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- --------- ---------
    172.16.10.80 00:00:00:00:00:00 20:a6:cd:cf:e8:e2 default-vpn-role 02:23:41 VPN 10.18.250.74 N/A default-iap tunnel WIRELESS

     

    I did notice within the document to create a role and have done that, but it appears my IAP is still using the default-vpn-role. I feel like this is only necessary for the RADIUS src-nat piece, though. Right now I'm just trying to get it working with PSK. 

     

    Thanks for the help



  • 4.  RE: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

    Posted Apr 16, 2019 10:07 AM
    In the past you could change the user roles for IAP-VPN. Today this is only possible if you have the VPN license.


  • 5.  RE: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

    Posted Apr 16, 2019 10:26 AM

    Does this mean for my scenario, L2 Centralized with central RADIUS I need that license? 



  • 6.  RE: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

    Posted Apr 16, 2019 10:34 AM
    No, but if you need to assign different user roles to the IAP-VPN user, then you need a license.


  • 7.  RE: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

    Posted Apr 16, 2019 10:42 AM

    I don't believe I will, but since it still isn't working I'm confused about where the gap is.



  • 8.  RE: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

    Posted Apr 16, 2019 03:09 PM

    Okay, I found that I needed to add the MAC address to the trusted branch db. I didn't see that in the documentation, as it only seemed to mention adding to the whitelist.

     

    I now see the IAP when I do show iap detailed-table. 


    It shows that the Status is up with Primary, Centralized and Bridged(L2) flags. However, I still cannot connect as a client. DHCP and ARP do not respond.



  • 9.  RE: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

    Posted Apr 16, 2019 03:14 PM
    Do you see the devices with the command "show station-table"? Please also use the following commands to see if the device is connected and placed in the correct network.

    show user-table mac
    show datapath bridge table

    Is the IAP VLAN (configured within the IAP SSID) available at the controller?


  • 10.  RE: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

    Posted Apr 16, 2019 03:24 PM

    Here is the output for show user-table 

    Users
    -----
    IP MAC Name Role Age(d:h:m) Auth VPN link AP name Roaming Essid/Bssid/Phy Profile Forward mode Type Host Name User Type
    ---------- ------------ ------ ---- ---------- ---- -------- ------- ------- --------------- ------- ------------ ---- --------- ---------
    172.16.10.80 00:00:00:00:00:00 20:a6:cd:cf:e8:e2 default-vpn-role 03:05:18 VPN 10.18.250.74 N/A default-iap tunnel WIRELESS
    10.18.250.74 00:00:00:00:00:00 logon 03:05:18 VPN N/A tunnel WIRELESS

     

    I'm confused by that logon role entry, and I do not see my laptop MAC.

     

    There was nothing in datapath bridge table for my mac either.

     

    The VLAN is available on the controller and is also used for local wireless. Do I need to change this and have a separate VLAN?



  • 11.  RE: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

    Posted Apr 16, 2019 03:30 PM
    I had seen some issues in the past with the IAP VPN when placing users in the same VLAN as 'normal' CAP users. After separating the CAP and IAP users the issue was fixed. Could you try this?
    The users only appear in the user table if they have an IP address.
    Because the user is also not in the bridge table, there is an issue with the datapath.


  • 12.  RE: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

    Posted Apr 16, 2019 04:57 PM

     I tried a different VLAN (one that is used for RAP wired connections). Still no change. 



  • 13.  RE: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

    Posted Apr 17, 2019 08:41 AM

    Looking over things, I'm wondering if the issue is related to the routing profile. I have it set to 0.0.0.0/0.0.0.0 with a next hop of the controller's IP for the VPN. Is this correct? I'm not quite seeing in the document how to set the route for all traffic to go over the tunnel.



  • 14.  RE: IAP IPSEC VPN L2 Centralized - Unable to get DHCP
    Best Answer

    Posted Apr 17, 2019 02:07 PM
    A routing profile is not needed because it's an L2 IAP VPN.

    Could you share a tech support from the IAP and controller? You can send me a PM


  • 15.  RE: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

    Posted Jul 05, 2019 01:29 PM

    Hi,

     

    Do you have any news? I've got the same problem too :(



  • 16.  RE: IAP IPSEC VPN L2 Centralized - Unable to get DHCP

    EMPLOYEE
    Posted Jul 05, 2019 09:03 PM

    Make sure you are using Aruba IPsec as the VPN protocol.

    Also check the routing profile settings in this technote.

     

    https://community.arubanetworks.com/t5/Controllerless-Networks/IAP-VPN-Centralised-L2-and-Distributed-L3-with-3G-4G-pre-emption/td-p/528954