Configuring VPNCs for Microbranch Solution

For a successful Instant AP VPN Virtual Private Network. VPN enables secure access to a corporate network when located remotely. It enables a computer to send and receive data across shared or public networks as if it were directly connected to the private network, while benefiting from the functionality, security, and management policies of the private network. This is done by establishing a virtual point-to-point connection through the use of dedicated connections, encryption, or a combination of the two. termination on the SD-WAN Software-Defined Wide Area Network. SD-WAN is an application for applying SDN technology to WAN connections that connect enterprise networks across disparate geographical locations. Gateway, perform the following configuration tasks on the SD-WAN Wide Area Network. WAN is a telecommunications network or computer network that extends over a large geographical distance. Gateway.

Configuring Instant AP VPN Pool for Aruba Gateways

The VPN local pool is used to assign an IP Address to the Instant AP after successful Extended Authentication (XAuth Extended Authentication. XAuth provides a mechanism for requesting individual authentication information from the user, and a local user database or an external authentication server. It provides a method for storing the authentication information centrally in the local network.) VPN.

To configure the Instant AP VPN Pool, complete the following steps:

1. In the Aruba Central app, set the filter to a group that contains at least one Branch Gateway.

   The dashboard context for a group is displayed.

2. Under Manage, click Devices > Gateways.

   A list of gateways is displayed in the List view.

3. Click the Config icon.

   The gateway group configuration page is displayed.

4. If you are in the Basic Mode, click Advanced Mode to access the advanced configuration options.
5. Click VPN > General VPN.
6. Click + from the Address Pools table to open the Add New Address Pool section.
7. Enter the following information in the Add New Address Pool section to create a new address pool:
• Pool name—Name of the pool.
• Start address(ipv4)—The starting IPv4 address of the pool.
• End address(ipv4)—The ending IPv4 address of the pool.
8. Configure the following additional VPN parameters based on your requirements:
• VIA Source-nat—Enable this option if the IP addresses of VPN clients must be translated to access the network and select a NAT Network Address Translation. NAT is a method of remapping one IP address space into another by modifying network address information in Internet Protocol (IP) datagram packet headers while they are in transit across a traffic routing device. pool to be used for address translation from the NAT pool drop-down list .
• VIA SSL fallback—Enable this option to allow VIA Virtual Intranet Access. VIA provides secure remote network connectivity for Android, Apple iOS, Mac OS X, and Windows mobile devices and laptops. It automatically scans and selects the best secure connection to the corporate network. SSL Secure Sockets Layer. SSL is a computer networking protocol for securing connections between network application clients and servers over the Internet. fallback.
• Max concurrent VIA VPN sessions per user—Specify the maximum number of concurrent VIA VPN sessions allowed per user.
• IAP-VPN backward compatible—Enable this option to allow the Instant APs and Branch Gateways that run on AOS versions earlier than 8.4.x.x to use port 8089 for VPN VLAN Virtual Local Area Network. In computer networking, a single Layer 2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them through one or more routers; such a domain is referred to as a Virtual Local Area Network, Virtual LAN, or VLAN. subnet Subnet is the logical division of an IP network. registrations.
• VIA Primary DNS server—Specify the IP address of the Primary DNS Domain Name System. A DNS server functions as a phone book for the intranet and Internet users. It converts human-readable computer host names into IP addresses and IP addresses into host names. It stores several records for a domain name such as an address 'A' record, name server (NS), and mail exchanger (MX) records. The Address 'A' record is the most important record that is stored in a DNS server, because it provides the required IP address for a network peripheral or element. Server to be pushed to the VPN client.
• VIA Secondary DNS server—Specify the IP address of the Secondary DNS Server to be pushed to the VPN client.
• VIA Primary WINS server—Specify the IP address of the Primary WINS Server to be pushed to the VPN client.
• VIA Secondary WINS server—Specify the IP address of the Secondary WINS Server to be pushed to the VPN client.
9. Save the changes.

Authentication Servers

Instant APs identify themselves using the internal TPM Trusted Platform Module. TPM is an international standard for a secure cryptoprocessor, which is a dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices. certificate, which has the MAC Media Access Control. A MAC address is a unique identifier assigned to network interfaces for communications on a network. address as the CN Common Name. CN is the primary name used to identify a certificate. . The Microbranch solution can use the internal server or an external RADIUS Remote Authentication Dial-In User Service. An Industry-standard network access protocol for remote authentication. It allows authentication, authorization, and accounting of remote users who want to access network resources.  server with the database of all the Instant APs, so that the VPNCs accept the incoming connection from the Instant APs.

If you are using the internal server, see Configuring an Internal Server.

If you are using an external RADIUS server, see Configuring and Mapping External RADIUS Server.

Configuring an Internal Server

When you use the internal server for authenticating the Instant AP, the VPNC validates if the Instant AP is in the same user account with valid subscription assigned and automatically allowlists it.

To enable internal server authentication, complete the following steps:

1. In the Aruba Central app, set the filter to a group that contains at least one Branch Gateway.

   The dashboard context for a group is displayed.

2. Under Manage, click Devices > Gateways.

   A list of gateways is displayed in the List view.

3. Click the Config icon.

   The gateway group configuration page is displayed.

4. If you are in the Basic Mode, click Advanced Mode to access the advanced configuration options.
5. Click Security > L3 Authentication.
6. Select the default-iap profile under VPN Authentication.
7. In the default-iap profile, select internal from Server Group.
8. Save the changes.

Configuring and Mapping External RADIUS Server

To use an external RADIUS server for authentication, you must configure the server on the VPNC. To configure an external RADIUS server for authentication, see Configuring RADIUS Authentication Server on Aruba Gateways

Map the configured RADIUS server to the Instant AP VPN server group using the following steps:

1. In the Aruba Central app, use the filter to select a Group in which VPNCs are provisioned.
2. Under Manage, click Devices > Gateways and then click the Config icon to display the Gateway configuration dashboard.
3. If you are in the Basic Mode, click Advanced Mode to access the advanced configuration options.
4. Click Security > L3 Authentication.
5. Select the default-iap profile under VPN Authentication.
6. In the default-iap profile, select the configured RADIUS server from RADIUS Accounting Server Group.
7. Save the changes.

Redistributing Branch Subnets

The Microbranch solution provides support to learn branch subnets using the dynamic routing protocol. To redistribute the branch networks in L3 mode, complete the following steps:

1. In the Aruba Central app, use the filter to select a Group in which VPNCs are provisioned.
2. Under Manage, click Devices > Gateways and then click the Config icon to display the Gateway configuration dashboard.
3. If you are in the Basic Mode, click Advanced Mode to access the advanced configuration options.
4. Click Routing > OSPF.
5. Enable OSPF Open Shortest Path First. OSPF is a link-state routing protocol for IP networks. It uses a link-state routing algorithm and falls into the group of interior routing protocols that operates within a single Autonomous System (AS). for routing and configure the area to be used. For more information on configuring OSPF area and other parameters, see Advertising Routes Using OSPF.
6. Enable Redistribute overlay routes, and then specify a cost for the overlay routes. The cost set here applies only to the routes that are learnt from the Aruba Gateways.
7. Save the changes.
8. Click Interfaces > VLANs and select the uplink VLAN interface from the VLAN IDs table.
9. From the IPv4 tab, select Enable OSPF under Other Options and configure the OSPF area to be used.
10. Save the changes.