
Re: VIA Questions

You need to allow l2tp VPN ports in on the firewall, period.  It will not work without those.

 


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*

Re: VIA Questions

Collin

Those ports are already forwarded.

 

Ports Needed for L2TP VPN

- TCP Port 1701
- UDP Port 500

 

Both already forwarded

----------------------------------------------------
Project engineer

Re: VIA Questions

Also

Ports Needed for IPSec/ESP

- UDP Port 500

 

Already forwarded

 

 

----------------------------------------------------
Project engineer

Re: VIA Questions

Second... I had UDP 1701 instead of TCP 1701.

Will come back later with the results, when I can get access to a Mac or iPad...

As for my config, is it okay? Or am I missing something?

----------------------------------------------------
Project engineer

Re: VIA Questions

You need to create a custom ip service to allow protocol 50 and 51   http://www.scribd.com/doc/87331764/259/Configuring-custom-services



Re: VIA Questions

Really appreciate your effort in helping, Collin!

But that is for the firewall rules, not for the port forwarding...

Okay, I have it set up like this.

I have what Fortigate calls a Virtual IP, okay?

Now with this virtual IP I map a public IP address with an internal IP address.

Additionally I can port forward, so for example I have an IP address, let's say 190.2.5.6, and have different services to different internal servers using it, for example:

 

190.2.5.6 mapped to 192.168.1.5 on port 80

190.2.4.6 mapped to 192.168.1.6 on port 10443

 

Now for the Remote AP I have this:

190.2.4.6 mapped to 192.168.1.20 (wireless controller IP) udp 4500

190.2.4.6 mapped to 192.168.1.20 udp 69

 

For VIA

190.2.4.6 mapped to 192.168.1.20 tcp 443

190.2.4.6 mapped to 192.168.1.20 tcp 1701

190.2.4.6 mapped to 192.168.1.20 tcp 1723

190.2.4.6 mapped to 192.168.1.20 udp 500

 

Now that's what I have there...

When you are creating a port forward there is no option for IP; you can just select the TCP or UDP protocols, nothing else...

About the custom ports: that's for the firewall rule, not for the virtual IP, which maps one external IP with an internal IP.

 

In the firewall rule I have a virtual IP like this:

 

PORT WAN!

ALL

 

PORT INTERNAL

Virtual IP GROUP

 

PORTS Allowed

ANY

 

 

For now I have the ports as ANY because I'm testing...

So in the firewall rule I'm allowing all the ports... If I were blocking ports, yes, I could create the IP protocol with the custom port for the firewall rule, but that's just for the firewall rule, not for the virtual IP, which port forwards.

You get what I mean?

When I tested I had udp 1701; I'm hoping that's the mistake... which I just changed to tcp 1701... and as you said, it won't work if I don't have the L2TP ports forwarded... and I didn't, because I had udp 1701 instead of tcp 1701, which is the port I need!

The sad thing is that it's Sunday and I don't own an iPad :P so I can't test! :(

 

----------------------------------------------------
Project engineer

Re: VIA Questions

As far as I understand, what I have should be enough. I mean, ESP is a protocol, not a port... so I cannot forward it. But I need to let that protocol in, in the firewall rules, and I'm doing that as I have ALL ports (for the testing). Then I will close all that, after I get everything working...

I don't worry too much about it as it's just a remote LAB we have in our office, not a production network or anything...

----------------------------------------------------
Project engineer

Re: VIA Questions

The TAC helped me figure out the problem; here is the resolution.

Okay, the problem is that on the VPN profile, well, I configured it, we are okay there...

But for some reason, in the VIA authentication profile you NEED to configure the default profile... If you use a VIA authentication profile that you configured by yourself... it doesn't work for iPads... but it does work for Windows and Androids....

Now you need to configure the VIA authentication profile, the default one, to make it work... otherwise it won't work...

I don't know if that's a bug or if it should be configured that way.

 

Anyways now it works

 

Cheers

Carlos

----------------------------------------------------
Project engineer
