Controllerless Networks

Hello! in this guide ill teach you how to build a VPN tunnel from your IAP Cluster to the wireless controller

Prerequisites: you need a controller on 6.2 .x version!

There are many modes in which you can build this tunnel but expecifically ill teach you how to build a vpn tunnel to the controller on local network Nated by VC

First let see the config on the IAP

Lets go to VPN option on the IAP

You select IPSEC and on the primary host you put the ip address of the controller which should have a port mapping to your controller with a public ip address with the ipsec ports

then click next

Here you add the networks that you want to reach on your  central site, the default gateway would be the public ip address of the controller.

Click finish

Now go to more again and go to DHCP Server

add a new scope with a ramdom vlan, with a network of your preference.  When you fniish click ok

Now lets go to the SSID creation

Create a new network

There you put network assigned, and you put static and put the random vlan you created before, then you can set whatever you need on the other paramehters and click finish.

We are done on the Instant APs

Now on the controller side

You need to add the mac address of the IAP on your controller like this

(Aruba3400) #local-userdb-ap add mac-address 00:11:22:33:44:55 ap-group test

Or you can add it on the gui on the remote APS whitelist

After that you need to create a vpn pool like this

(Aruba3400) # ip local pool "rapngpool" <startip> <endip>

You can do it also by gui on vpn services.

Take in mind that the range you put in there should be a routable range that exist on the controller. for example  in my case for this demostration i used this vpn range

Becauase i got a interface vlan like this

Which as you see that range is routable in my controller(not sure if you guys get my point?)

Then you need to create a IAP role like this

(Aruba3400) (config) #ip access-list session iaprole

(Aruba3400) (config-sess-iaprole)#any host <radius-server-ip> any src-nat (Aruba3400) (config-sess-iaprole)#any any any permit

(Aruba3400) (config-sess-iaprole)#!

(Aruba3400) (config) #user-role iaprole

(Aruba3400) (config-role) #session-acl iaprole

(Aruba3400) (config-role) #

(Aruba3400) (config) #aaa authentication vpn default-iap

(Aruba3400) (VPN Authentication Profile "default-iap") #server-group default

(Aruba3400) (VPN Authentication Profile "default-iap") #default-role iaprole

(Aruba3400) (VPN Authentication Profile "default-iap") #!

(Aruba3400) (config) #

Now if you got many address pools like me for many different things like this

then you will need to select the correct one on the iap role like this

You go to the iaprole on access control and look for the l2tp pool and select the correct one, in my case is vpn liek this

After this you are done!

you can check if the vpn is up by doing show iap table

And you should see your vpn up in there...

Anyways i hope this help you guys

Cheers

Carlos

[Mod note: edited title for readability]