ArubaOS 8 - Quickly configuring the Controller for Virtual Intranet Access (VIA)
01-15-2019 05:51 AM - edited 01-15-2019 03:09 PM
This post is about configuring the Controller for Virtual Intranet Access.
It includes information on 'where in the GUI' and the equivalent 'CLI command'.
Aruba7005 Controller in standalone mode running ArubaOS Version 188.8.131.52. VIA configuration requires that you first configure VPN settings and then configure VIA settings.
Enable VPN Server Module
You must install the PEFV license to configure and assign user roles.
Mobility Controller -> Configuration -> System -> Licensing -> Inventory -> Click on the + sign and add the license.
license add <key>
Decide IKE Policy
ArubaOS supports both the IKEv1 and IKEv2 protocols to establish IPsec tunnels.
We will be using the predefined default IKE policy "20", which has the following parameters, to establish the VPN tunnel.
Diffie Hellman Group: 2
Configuration -> Services -> VPN -> IKEv1 -> IKEv1 Policies
Configuring the shared secrets
Configuration -> Services -> VPN -> Shared Secrets -> IKE Shared Secrets
crypto isakmp key ****** address 0.0.0.0 netmask 0.0.0.0
Define the pool from which the clients are assigned addresses.
Configuration -> Services -> VPN -> General VPN -> Address Pool
ip local pool via 184.108.40.206 220.127.116.11
Define the DNS Server
Configure the IP addresses of the DNS servers that are pushed to the VPN client.
Configuration -> Services -> VPN -> General VPN -> Primary DNS Server
vpdn group l2tp client configuration dns 18.104.22.168
NAT traversal allows systems behind NATs to request and establish secure connections on demand.
Configuration -> Services -> VPN -> General VPN -> Enable NAT-T
crypto isakmp udpencap-behind-natdevice
Create an authentication profile to authenticate users against a server group.
Configuration -> Authentication -> L3 Authentication -> VIA Authentication -> Add a new profile and set the server group to 'internal'.
aaa authentication via auth-profile "kapvia"
Adding local users:
Go to Configuration -> Authentication -> Auth Servers
In 'Server Groups' -> Internal.
Click on 'Internal' and go to 'Users'
Add local user here.
local-userdb add username kapil password ****** role default-via-role
VIA Web Authentication
Create the VIA web authentication which is a list of VIA authentication profiles.
The web authentication list allows the users to log in to the VIA download page https://<controller IP address>/via to download the VIA client.
Configuration -> Authentication -> L3 Authentication -> VIA Web Authentication -> Add a new web auth profile
aaa authentication via web-auth "default"
auth-profile "kapvia" position 1
VIA Connection profile
Create the VIA connection profile which is a collection of all the configurations required by a VIA client to establish a secure IPsec connection to the controller.
A VIA connection profile is always associated to a user role, and all users that belong to that role use the configured settings.
When a user authenticates successfully to a server in an authentication profile, the VIA client downloads the VIA connection profile that is attached to the role assigned to that user.
Configuration -> Authentication -> L3 Authentication -> VIA Connection -> Add a new connection profile
- Define the Server address
- Link the VIA Auth profile
- Mention the internal address that needs to be accessed by VIA
- Enable split tunneling
- Select the IKE Policy
aaa authentication via connection-profile "kap-con-via"
server addr "59.167.xx.xxx" internal-ip 10.10.101.1 desc "Aruba7005-Gateway" position 1
auth-profile "kapvia" position 1
tunnel address 192.168.17.0 netmask 255.255.255.0
tunnel address 192.168.26.0 netmask 255.255.255.0
tunnel address 172.30.30.0 netmask 255.255.255.0
tunnel address 172.30.29.0 netmask 255.255.255.0
tunnel address 172.30.20.0 netmask 255.255.255.0
tunnel address 10.10.100.0 netmask 255.255.255.0
tunnel address 10.10.101.0 netmask 255.255.255.0
Create VIA roles:
Link the Address Pools and Connection Profile
Configuration -> Roles & Policies -> Roles -> Modify the 'default-via-role'
pool l2tp via
access-list session global-sacl
access-list session apprf-default-via-role-sacl
access-list session allowall
access-list session v6-allowall
show crypto isakmp sa
show crypto ipsec sa
Hope you find this post useful. Please post your feedback.
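As an added sanity check, not part of the original post: the objects created above (VIA auth profile, web-auth list, connection profile, user role and address pool) point at each other by name, and a typo in any one name quietly breaks the chain. The Python below parses a constructed config excerpt in ArubaOS CLI form (sample values; the names kapvia, default, kap-con-via, default-via-role and via are taken from this post) and reports dangling references.

```python
import re
# Constructed sample of the VIA objects the post creates (ArubaOS CLI form, sample
# values only). The web-auth list deliberately names a profile that was never created.
SAMPLE_CONFIG = """\
ip local pool via 10.10.101.10 10.10.101.200
aaa authentication via auth-profile "kapvia"
aaa authentication via web-auth "default"
   auth-profile "kap-via" position 1
aaa authentication via connection-profile "kap-con-via"
   auth-profile "kapvia" position 1
   tunnel address 10.10.101.0 netmask 255.255.255.0
user-role default-via-role
   pool l2tp via
"""
# Top-level definitions -> object class; indented child lines -> class they reference.
HEADERS = {
    r'ip local pool (\S+)': "pool",
    r'aaa authentication via auth-profile "([^"]+)"': "auth",
    r'aaa authentication via web-auth "([^"]+)"': "webauth",
    r'aaa authentication via connection-profile "([^"]+)"': "conn",
    r'user-role (\S+)': "role",
}
CHILDREN = {r'auth-profile "([^"]+)"': "auth", r'pool l2tp (\S+)': "pool"}

def parse_via_objects(text):
    """Return {class: {name: [(referenced_class, referenced_name), ...]}}."""
    objs = {cls: {} for cls in HEADERS.values()}
    refs = None  # reference list of the definition currently being read
    for line in (raw.strip() for raw in text.splitlines()):
        for pat, cls in HEADERS.items():
            if m := re.match(pat, line):
                refs = objs[cls].setdefault(m[1], [])
                break
        else:
            for pat, cls in CHILDREN.items():
                if refs is not None and (m := re.match(pat, line)):
                    refs.append((cls, m[1]))
    return objs

def lint_via_references(text):
    """List dangling references in the VIA chain; an empty list means it is wired up."""
    objs = parse_via_objects(text)
    findings = []
    for cls in ("webauth", "conn", "role"):
        for name, refs in objs[cls].items():
            for ref_cls, ref_name in refs:
                if ref_name not in objs[ref_cls]:
                    findings.append(f'{cls} "{name}" references undefined {ref_cls} "{ref_name}"')
    return findings
```

Run it against the output of `show running-config` (or the relevant `show aaa authentication via ...` sections) after making the changes above; a clean result means every profile, role and pool the VIA client will be handed actually exists.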
Re: ArubaOS 8 - Quickly configuring the Controller for Virtual Intranet Access (VIA)
05-01-2019 01:12 PM
Not at all. You would have to have an any any any src-nat ACL at the bottom of the client firewall policies, is all, for that client to be able to pass traffic.
*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*