Frequent Contributor I

Need some help in trying to understand VIA connection profile.



I'm trying to set up VIA for a demo, but I'm having a hard time understanding the network end of things & I'm reaching out to the community to see if anyone can help set me straight.


The demo is on an M3 running  


I've already installed the temporary licenses & I'm ready to begin configuring profiles to use for VIA VPN however I'd like to get a bit more information to (hopefully) better my understanding before proceeding.  


Here are my initial configs.  The via-test-conn-profile has yet to be established.  I'm currently using the default, but I've yet to actually test it.  The only thing I've tested is via web-auth, i.e. I can reach https://<Controller IP>/via/, authenticate, & be presented w/ a VIA download link.

aaa authentication via connection-profile via-test-conn-profile
  controller addr ??? internal-ip ??? desc "via-test-on-test-ctrl"
  no auto-login
  auth-profile via-test-auth-profile
  no auto-upgrade
  tunnel address netmask
  ikev2-policy 100
  no windows-credentials
  ikev2-auth eap-mschapv2
  no save-passwords
  no domain-pre-connect
  no validate-server-cert

aaa authentication via auth-profile via-test-auth-profile
  default-role vpn-test
  desc "Test VIA Auth Profile"
  max-authentication-failures 5
  server-group cppm4

user-role vpn-test
  clone default-via-role
  pool l2tp vpn-test
  via "via-test-conn-profile"
  access-list session via-test-acl

ip local pool vpn-test

ip access-list session via-test-acl
  any any any permit



I understand from the 6.1 Users Guide that...


The controller address should be the public IP address users will connect to.   At the moment, my controller's IP isn't publicly reachable, so I'll only be able to test this from certain networks.


The internal IP Address is described as "...the IP Address of any of the VLAN interface IP addresses belongs to this controller."   I think part of my problem is the grammar used here.  What isn't apparent is whether this is the VLAN where authenticated VIA users end up.


The other bit that's confusing me is the tunnel address.  The Users Guide describes it as, "A list of network destination (IP address and netmask) that the VIA client will tunnel through the controller. All other network destinations will be reachable directly by the VIA client."  I don't fully understand this.


I read on another post (http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/VIA-Questions/td-p/53716/highlight/true) that if the l2tp pool I defined is on the same network as the defined VLAN then all should be good & if it isn't, I need to add a src-nat rule.  


At present, my l2tp pool is a local /24.  I'm assuming the controller will assign clients IP addresses as needed.  Besides needing to add a src-nat rule to my ACL, what else would I need to do to make clients assigned in this local IP pool be able to reach a specific network configured on the controller?  Specify a tunneled address?  Add a static route?


For simplicity, I guess I should try to use already defined VLANs. 


Any help or recommendations would be appreciated.  

Guru Elite

Re: Need some help in trying to understand VIA connection profile.

A word of advice.  Read chapter 6 of the IKE Validated Reference Design Here:  http://www.arubanetworks.com/vrd/VIAAppNote/wwhelp/wwhimpl/js/html/wwhelp.htm to check that all of your profiles are set.


Also, use IKEv1 (not IKEv2) initially, because IKEv2 has some special requirements.


The controller addr should be the public address of the controller your client is connecting to.  This will be downloaded when they get their profile.  The internal-ip is the ip address that the client will check to see if it should even launch a VPN tunnel or not.  This is the private ip address of the controller that the client will attempt to reach first, and if it can connect to it, it will not launch a VPN session.


The local VPN pool can be either:


1) routable addressing where the pool will give out addresses from a subnet/vlan that exists on the controller.  You do not need the src-nat statement at the end of the user role.  The controller will automatically answer ARPs for any user that is in the pool to accept and route traffic for that client.


2) non-routable addressing, where it gives out ip addresses that are not routable in your network.  With non-routable addressing, you need to have a source-nat statement on the end of the user role, OR your infrastructure needs a route for the subnet supplied by the VPN pool.  If traffic for that special subnet is routed to the controller, the controller will answer for any client currently connected in the pool.


The "default-via-role" is the user role that users get placed into by default, and is the one to be modified to put the "any any any src-nat" at the end of.  The "default-via-role" should also be configured with a l2tp pool, which decides which vpn pool of addresses your via client draws ip addresses from.


If you turn on split tunneling, the tunnel address and netmask specify what traffic will be tunneled through the client to your infrastructure.  All other traffic is bridged to the client's network locally by the client.


Hopefully this gives you enough to start with...





*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
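The two pool options in the reply, written out against the poster's own profile names, as an added illustration (not from the thread or from Aruba's documentation): option 1 keeps the role as posted, option 2 ends the session ACL with src-nat. The pool range, the tunnel destination and the split-tunneling keyword are assumed sample values, not taken from the thread.

```text
! Option 1: pool drawn from a subnet that already exists as a VLAN on the
! controller. No src-nat needed; the controller answers ARP for pool clients.
! (Range assumed; it must fall inside one of the controller's VLAN subnets.)
ip local pool "vpn-test" 10.10.50.100 10.10.50.200

ip access-list session via-test-acl
  any any any permit

user-role vpn-test
  pool l2tp vpn-test
  via "via-test-conn-profile"
  access-list session via-test-acl

! Option 2: pool is a private range not present on any controller VLAN and
! not routed to the controller, so the last rule of the role's ACL must
! source-NAT client traffic. (Range and ACL name assumed.)
ip local pool "vpn-test-nonroutable" 172.31.200.10 172.31.200.250

ip access-list session via-test-nat-acl
  any any any src-nat

user-role vpn-test-nonroutable
  pool l2tp vpn-test-nonroutable
  via "via-test-conn-profile"
  access-list session via-test-nat-acl

! Split tunneling: only the listed destination goes through the tunnel,
! everything else leaves the client's local network directly.
! The split-tunneling keyword and the 10.20.0.0/16 destination are assumed.
aaa authentication via connection-profile "via-test-conn-profile"
  controller addr <public-controller-ip> internal-ip <controller-vlan-ip> desc "via-test-on-test-ctrl"
  auth-profile via-test-auth-profile
  split-tunneling
  tunnel address 10.20.0.0 netmask 255.255.0.0
```

Keep `no validate-server-cert` only for the demo: with it set, the client does not check the controller's certificate, and the profile should re-enable validation before real users connect.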
Frequent Contributor I

Re: Need some help in trying to understand VIA connection profile.



Thank you very much.  Your responses have helped me better understand configuration to the point where I was able to create the needed profiles & their hierarchy.

cjoseph wrote:

A word of advice.  Read chapter 6 of the IKE Validated Reference Design Here:  http://www.arubanetworks.com/vrd/VIAAppNote/wwhelp/wwhimpl/js/html/wwhelp.htm to check that all of your profiles are set.


Also, use IKEv1 (not IKEv2) initially, because IKEv2 has some special requirements.


I've not yet switched to IKEv1 but I'll think about doing so since I think it may be limiting my ability to download a profile or initiate the session.  


I'll take a look at the troubleshooting information to get more information.  


I have other questions, however I think I'll sit down w/ my SE to try & hash out the configs & integration w/ CPPM.


Thanks for your response, 
