Simple VPN setup guide - anywhere?

  • Question
  • Updated 2 years ago
  • Answered
I'm looking for very simple instructions/guide on how to set up a Layer 2 VPN between an AP330 and a BR200-WP. Is there anything out there? I can't find any documentation which refers to this on its own. Perhaps I'm just not asking the correct question? I do mean basic, from the very beginning - an empty Hive and two devices.

D Caunt

Posted 5 years ago

Abby S, Employee

Hello,

You cannot set up an L2 VPN between an AP330 and a BR200-WP. The BR200 can set up a tunnel between itself and a CVG, or an AP330 can set up an L2 tunnel between itself and another AP. Do you have a second AP?

Brian Powers, Champ

So a BR100 can, but the BR200 cannot? Or is it specific to the BR200-WP?

http://community.aerohive.com/aerohiv...

D Caunt

I was told by an Aerohive employee here in the UK (I called head office) that I could use a BR200 and a CVG but that the AP330 was able to replace the role of a CVG for a single tunnel. So that's what I bought.

Abby S, Employee

Hi, I'm sorry for the confusion, but we appear to not all be saying the same thing. The AP330 has 2 modes of operation: as an AP, or as a router. In AP mode, the AP330 can create Layer 2 tunnels between other APs or devices in AP mode and itself. In router mode, the only tunnel terminator we support is the CVG. Now to add one more layer of confusion, the BR100 can actually support both AP mode and router mode as well, and in AP mode it can initiate an L2 VPN tunnel to terminate on an AP330 (Brian, that is the conversation in the link you provided). The BR200-WP only has one mode of operation at this point, though, and it is as a router, so therefore the only VPN tunnel possible from a BR200-WP is one that terminates on a CVG currently.

Abby S, Employee

PS, one quick note of clarification - I mean VPN tunnels. GRE tunnels are a whole other ball of wax, used for L3 and identity-based roaming, and a separate conversation!

David Douglas

Abby,

Is there a guide to configuring those GRE tunnels... specifically identity-based tunnels? I would like a solution for getting my branch office guests L2 access to the Guest VLAN at the main site.

I understand that the same thing can be done with L2 VPN but to my understanding, I will need 2 dedicated APs, one at each site, for this solution. Because I already have an IPSec site-to-site VPN between the sites, I believe that L2 VPN between the 2 dedicated Aerohive devices is overkill. But, if this is the only way to do it then no problem.

I would also like to know the limitations in doing identity based tunnels other than that they do not support NAT-T and they are not secure because they are GRE.

Brian Powers, Champ

Did not know that. Thanks Abby.

And I guess the next logical question to ask is: Is this something that may change down the road?

In which you reply: We cannot talk about future products and/or changes. :-)

As for getting back to the original question, yes there are some guides around here somewhere. May dig through http://blogs.aerohive.com/ for some guidance. Maybe not a step-by-step guide, but the HiveManager help file details out what needs to be done to set up an L2 and an L3 VPN (pending you have the right hardware to do so).

D Caunt

Thank you for the responses.

Obviously if I can't get the correct information, even from Aerohive, then I have a problem. Especially as I purchased the recommended kit.

thewifigeek, Champ

L2 VPN is not possible between AP330 and BR200-WP.

Can you outline your solution use case and perhaps we could suggest other options?

Jason Hills

I'd just like to add another scenario to this....

I have a request to set up an IPSec VPN between an office which has 3rd party IPSec hardware, to a VPN connection with an AP330.

My query: is it possible for an AP330 to terminate an IPSec VPN with non-Aerohive IPSec hardware?

The office with the IPSec hardware also does have a hive of AP330s, but since they already have an IPSec VPN in use, it would be easier to use that rather than setting up a new VPN.

Thanks all...

David Hogg

I think this diagram explains what Abby was trying to say about what can be used as CVGs when and where.

Anjanesh Babu

Aerohive L2 VPN setup is not very intuitive or clear, unlike other parts of the documentation/setup.

We used the Aerohive Branch on Demand Evaluation Guide as a reference to set up our L2 VPN (AP330 to AP330 and AP330 to Hive OS Virtual Appliance). Took a while getting to grips with the workflow but got there in the end.

http://www.aerohive.com/330000/docs/help/english/6.1r3/hm/full/Content/ref/doc.htm
--> Branch on Demand Evaluation guide.

And since this is classified as a configuration task (££), you may pay and get this set up by support should you feel inclined to do so.