Supported VPN Protocols; Configuring a Tunnel from an IAP to a Mobility Controller - Aruba IAP-335 User Manual

Instant software

Supported VPN Protocols

Instant supports the following VPN protocols for remote access:
Table 49: VPN Protocols

VPN Protocol: Aruba IPsec
Description: IPsec is a protocol suite that secures IP communications by authenticating and encrypting each IP packet of a communication session.
You can configure an IPsec tunnel to ensure that the data flow between the networks is encrypted. However, you can configure a split-tunnel to encrypt only the corporate traffic.
When IPsec is configured, ensure that you add the IAP MAC addresses to the whitelist database stored on the controller or an external server. IPsec supports Local, L2, and L3 modes of IAP-VPN operations.
NOTE: The IAPs support IPsec only with Aruba controllers.

VPN Protocol: Layer-2 (L2) GRE
Description: Generic Routing Encapsulation (GRE) is a tunnel protocol for encapsulating multicast, broadcast, and L2 packets between a GRE-capable device and an endpoint. IAPs support the configuration of an L2 GRE (Ethernet over GRE) tunnel with an Aruba controller to encapsulate the packets sent and received by the IAP.
You can use the GRE configuration for L2 deployments when there is no encryption requirement between the IAP and controller for client traffic.
IAPs support two types of GRE configuration:
- Manual GRE: The manual GRE configuration sends unencrypted client traffic with an additional GRE header and does not support failover. When manual GRE is configured on the IAP, ensure that the GRE tunnel settings are enabled on the controller.
- Aruba GRE: With Aruba GRE, no configuration on the controller is required except for adding the IAP MAC addresses to the whitelist database stored on the controller or an external server. Aruba GRE reduces manual configuration when Per-AP tunnel configuration is required and supports failover between two GRE endpoints.
NOTE: IAPs support manual and Aruba GRE configuration only for L2 mode of operations. Aruba GRE configuration is supported only on Aruba controllers.

VPN Protocol: L2TPv3
Description: The Layer 2 Tunneling Protocol version 3 (L2TPv3) feature allows the IAP to act as an L2TP Access Concentrator (LAC) and tunnel all wireless clients' L2 traffic from the IAP to the L2TP Network Server (LNS). In a Centralized, L2 model, the VLAN on the corporate side is extended to remote branch sites. Wireless clients associated with an IAP get the IP address from the DHCP server running on the LNS. For this, the IAP has to transparently allow DHCP transactions through the L2TPv3 tunnel.

Configuring a Tunnel from an IAP to a Mobility Controller

IAP supports the configuration of tunneling protocols such as Generic Routing Encapsulation (GRE), IPsec, and L2TPv3. This section describes the procedure for configuring VPN host settings on an IAP to enable communication with a controller in a remote location:
- Configuring an IPsec Tunnel
- Configuring an L2-GRE Tunnel
- Configuring an L2TPv3 Tunnel
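
Table 49 separates IPsec, which encrypts each packet, from manual GRE, which sends client traffic unencrypted. As an added illustration that is not part of the Aruba manual, the following Python example classifies raw IPv4 packets captured on an IAP uplink by tunnel type and shows that an Ethernet-over-GRE payload exposes the inner frame header while ESP does not. The GRE type 0x6558, the addresses, and the sample packets are constructed assumptions; treating L2TPv3 as unencrypted reflects the protocol itself, not a statement in the table.

```python
import struct
# IANA IP protocol numbers for the tunnel types the manual lists, plus UDP.
GRE, ESP, L2TPV3, UDP = 47, 50, 115, 17
ETH_OVER_GRE = 0x6558  # assumption: Transparent Ethernet Bridging GRE type

def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def classify(packet, l2_gre_type=ETH_OVER_GRE):
    """Classify one raw IPv4 packet captured on the IAP uplink."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return {"tunnel": None, "encrypted": None}
    ihl = (packet[0] & 0x0F) * 4
    proto, body = packet[9], packet[ihl:]
    if proto == ESP:
        return {"tunnel": "IPsec ESP", "encrypted": True}
    if proto == UDP and len(body) >= 12:
        sport, dport = struct.unpack("!HH", body[:4])
        # NAT-T: ESP inside UDP/4500; four zero bytes mark IKE, not ESP.
        if 4500 in (sport, dport) and body[8:12] != b"\x00" * 4:
            return {"tunnel": "IPsec ESP (NAT-T)", "encrypted": True}
    if proto == L2TPV3:
        # L2TPv3 has no encryption of its own.
        return {"tunnel": "L2TPv3", "encrypted": False}
    if proto == GRE and len(body) >= 4:
        flags, gre_type = struct.unpack("!HH", body[:4])
        # Optional checksum (C), key (K) and sequence (S) fields, 4 bytes each.
        off = 4 + 4 * sum(bool(flags & bit) for bit in (0x8000, 0x2000, 0x1000))
        result = {"tunnel": "GRE", "encrypted": False, "gre_type": gre_type}
        inner = body[off:]
        if gre_type == l2_gre_type and len(inner) >= 14:
            # The inner Ethernet header is readable by anyone on the path.
            result.update(dst=_mac(inner[:6]), src=_mac(inner[6:12]),
                          ethertype=struct.unpack("!H", inner[12:14])[0])
        return result
    return {"tunnel": None, "encrypted": None}

def ipv4(proto, payload):
    """Constructed IPv4 header (checksum left at zero) followed by payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                       0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])) + payload

# Constructed samples: a client ARP frame in keyed L2 GRE, and an ESP packet.
FRAME = bytes.fromhex("ffffffffffff" "02aabbccddee" "0806") + b"\x00" * 28
GRE_PKT = ipv4(GRE, struct.pack("!HHI", 0x2000, ETH_OVER_GRE, 7) + FRAME)
ESP_PKT = ipv4(ESP, struct.pack("!II", 0x1001, 1) + b"\x9c" * 32)

if __name__ == "__main__":
    print(classify(GRE_PKT), classify(ESP_PKT), sep="\n")
```

If the GRE type configured on the tunnel differs from 0x6558, pass it as `l2_gre_type` so the inner frame is still decoded.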
Aruba Instant 6.5.0.0-4.3.0.0 | User Guide
