Aruba Central Online Help

IAP VPN Overview

Because Instant Access Points (IAPs) use a virtual controller architecture, an IAP network does not require a physical controller to provide the configured WLAN services. However, a physical controller is required to terminate the VPN tunnels from the IAP networks at branch locations or data centers; in that role the Aruba controller acts as a VPN concentrator.

When the VPN is configured, the IAP acting as the virtual controller creates a VPN tunnel to an Aruba Mobility Controller in your corporate office. The controller acts only as the VPN endpoint; it does not supply the IAP with any configuration.

The VPN features are recommended for:

  • Enterprises with many branches that do not have a dedicated VPN connection to the corporate office.
  • Branch offices that require multiple APs.
  • Individuals working from home, connecting to the VPN.

Supported VPN Protocols

IAPs support the following VPN protocols for remote access:

Table 1: VPN Protocols (each protocol is listed below with its description)

Aruba IPsec

IPsec (Internet Protocol Security) is a protocol suite that secures IP communications by authenticating and encrypting each IP packet of a communication session.

You can configure an IPsec tunnel so that all data flowing between the networks is encrypted. Alternatively, you can configure a split tunnel so that only corporate traffic is encrypted and sent through the tunnel; any other traffic leaves the branch directly and is not protected by the tunnel.

When IPsec is configured, ensure that you add the IAP MAC addresses to the allowlist database stored on the controller or on an external server. IPsec supports the Local, L2, and L3 modes of IAP-VPN operation.

NOTE: The IAPs support IPsec only with Aruba Controllers.

Layer-2 (L2) GRE

GRE (Generic Routing Encapsulation) is a tunnel protocol for encapsulating multicast, broadcast, and L2 packets between a GRE-capable device and an endpoint. IAPs support the configuration of an L2 GRE (Ethernet over GRE) tunnel with an Aruba Controller to encapsulate the packets sent and received by the IAP.

Use the GRE configuration for L2 deployments only when there is no encryption requirement for client traffic between the Instant AP and the controller: GRE adds an encapsulation header but provides neither confidentiality nor integrity, so client traffic crosses the transport network in the clear unless the client itself encrypts it (for example, with TLS).

IAPs support two types of GRE configuration:

  • Manual GRE—The manual GRE configuration sends unencrypted client traffic with an additional GRE header and does not support failover. When manual GRE is configured on the IAP, ensure that the GRE tunnel settings are enabled on the controller.
  • Aruba GRE—With Aruba GRE, no configuration on the controller is required except for adding the IAP MAC addresses to the allowlist database stored on the controller or an external server. Aruba GRE reduces manual configuration when Per-AP Tunnel configuration is required and supports failover between two GRE endpoints.

IAPs support manual and Aruba GRE configuration only for L2 mode of operations. Aruba GRE configuration is supported only with Aruba Controllers.

L2TP

The L2TP (Layer 2 Tunneling Protocol) version 3 feature allows the IAP to act as an L2TP Access Concentrator (LAC) and tunnel all wireless clients' L2 traffic from the AP to an L2TP Network Server (LNS). In a centralized L2 model, the VLANs on the corporate side are extended to the remote branch sites. Wireless clients associated with the IAP get their IP addresses from the DHCP server running on the LNS; for this to work, the AP has to transparently pass DHCP transactions through the L2TPv3 tunnel.
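The following Python script is an added example, not Aruba code. It builds a constructed Ethernet-over-GRE packet and a constructed L2TPv3-over-IP packet of the kind the L2 GRE and L2TPv3 modes above would carry from an IAP to the controller or LNS, then strips the outer headers and recovers the client's frame. Every address, MAC, the GRE key (1001), the L2TPv3 session ID (77), the cookie and the payload are made up, and a 4-byte L2TPv3 cookie is assumed (the cookie length is a per-session setting). Because neither GRE nor L2TPv3 encrypts its payload, the parser recovers the client's MAC addresses, inner IP addresses and payload bytes from the raw packet, which is exactly what an observer on the WAN path can do; the same outer packet carrying IPsec ESP (protocol 50) is rejected by the parser as opaque.

```python
import struct

IPPROTO_GRE, IPPROTO_L2TP = 47, 115
GRE_PROTO_TEB = 0x6558                 # Transparent Ethernet Bridging: the GRE payload is an Ethernet frame
GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x8000, 0x2000, 0x1000
L2TPV3_COOKIE_LEN = 4                  # assumption: cookie length is agreed per session (0, 4 or 8 bytes)


def ipv4_checksum(header):
    """RFC 791 one's-complement sum; returns 0 when run over a header that already carries its checksum."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """Minimal IPv4 header (no options, DF set, TTL 64) in front of payload."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def build_ethernet(dst_mac, src_mac, ethertype, payload):
    """Ethernet II frame from colon-separated MAC strings."""
    macs = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
    return macs + struct.pack("!H", ethertype) + payload


def build_gre_teb(frame, key=None):
    """GRE header (RFC 2784, key field per RFC 2890) carrying an Ethernet frame."""
    hdr = struct.pack("!HH", GRE_FLAG_KEY if key is not None else 0, GRE_PROTO_TEB)
    return hdr + (struct.pack("!I", key) if key is not None else b"") + frame


def build_l2tpv3_ip(frame, session_id, cookie):
    """L2TPv3 data message over IP (RFC 3931): 32-bit session ID, cookie, then the L2 payload."""
    return struct.pack("!I", session_id) + cookie + frame


def parse_ethernet(frame):
    """Fields of the inner frame; with an IPv4 payload the client's IP endpoints are visible as well."""
    if len(frame) < 14:
        raise ValueError("truncated inner Ethernet frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    out = {"client_dst_mac": frame[:6].hex(":"), "client_src_mac": frame[6:12].hex(":"),
           "ethertype": ethertype, "client_payload": frame[14:]}
    if ethertype == 0x0800 and len(frame) >= 34:
        out["inner_src"] = ".".join(str(b) for b in frame[26:30])
        out["inner_dst"] = ".".join(str(b) for b in frame[30:34])
    return out


def decap(packet):
    """Strip the outer IPv4 and the GRE or L2TPv3 tunnel header; return what the wireless client sent."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (packet[0] & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    proto, inner = packet[9], packet[ihl:]
    info = {"outer_src": ".".join(str(b) for b in packet[12:16]),
            "outer_dst": ".".join(str(b) for b in packet[16:20])}
    if proto == IPPROTO_GRE:
        flags, gre_proto = struct.unpack("!HH", inner[:4])
        if flags & 0x0007 or gre_proto != GRE_PROTO_TEB:
            raise ValueError("GRE packet is not version 0 Ethernet-over-GRE")
        off = 4 + (4 if flags & GRE_FLAG_CSUM else 0)          # skip checksum + reserved1 if present
        key = struct.unpack("!I", inner[off:off + 4])[0] if flags & GRE_FLAG_KEY else None
        off += (4 if flags & GRE_FLAG_KEY else 0) + (4 if flags & GRE_FLAG_SEQ else 0)
        info.update(tunnel="gre", tunnel_id=key)
    elif proto == IPPROTO_L2TP:
        session_id = struct.unpack("!I", inner[:4])[0]
        if session_id == 0:                                   # reserved for control messages
            raise ValueError("L2TPv3 session ID 0 is a control message, not client data")
        off = 4 + L2TPV3_COOKIE_LEN
        info.update(tunnel="l2tpv3", tunnel_id=session_id)
    else:
        raise ValueError("outer protocol %d is neither GRE nor L2TPv3; ESP (50) is opaque here" % proto)
    info.update(parse_ethernet(inner[off:]))
    return info


def is_decapsulable(packet):
    """True if decap() can recover the client frame without any key material."""
    try:
        decap(packet)
        return True
    except ValueError:
        return False


def demo_packets():
    """Constructed example: one client frame, sent once over GRE and once over L2TPv3 (all values made up)."""
    udp = struct.pack("!HHHH", 40000, 9, 8 + 11, 0) + b"client-data"   # UDP to the discard port, checksum 0
    frame = build_ethernet("00:1a:1e:00:00:02", "f0:1f:af:12:34:56", 0x0800,
                           build_ipv4("10.20.30.40", "10.20.30.1", 17, udp))
    gre_pkt = build_ipv4("192.0.2.10", "198.51.100.1", IPPROTO_GRE, build_gre_teb(frame, key=1001))
    l2tp_pkt = build_ipv4("192.0.2.10", "198.51.100.1", IPPROTO_L2TP,
                          build_l2tpv3_ip(frame, 77, b"\xde\xad\xbe\xef"))
    return gre_pkt, l2tp_pkt


if __name__ == "__main__":
    for pkt in demo_packets():
        r = decap(pkt)
        print(r["tunnel"], r["tunnel_id"], r["client_src_mac"], r["inner_src"], r["client_payload"][-11:])
```

Running the script prints the tunnel type, the GRE key or L2TPv3 session ID, and the client's source MAC, inner IP address and payload tail for both packets, all read straight off the wire with no key material. The practical check this supports: if a packet capture on the WAN side of a branch shows protocol 47 or 115 with a readable inner frame, the deployment is relying on the transport network for confidentiality; an IPsec-mode deployment shows only ESP (protocol 50) for the same traffic.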