Tunnel Profile
The Unified Profile Tunnel Profile Screen displays all configured Tunnel Profiles and is used to create, edit, and delete Guest Tunnel Profiles. When you create a Tunnel Profile, you configure the parameters that can be mapped to an Access Role Profile to authenticate a Guest Client, and map the client to a Guest UNP profile that is mapped to an L2 GRE service.
The Guest Tunnel feature is supported on OS6860, 6860E, and 6865 (AOS 8.4.1.R02 and later), and Stellar APs OAW-AP1101, OAW-AP1221, OAW-AP1222, OAW-AP1231, OAW-AP1232, OAW-AP1251 (AWOS 3.0.2.x and later), OAW-1201 (AWOS 3.0.5MR2 and later), and OAW-AP1201L (AWOS 3.0.7.x and later).
Creating a Tunnel Profile
Click on the Add icon and complete the fields as described below. When you are finished, click on the Create button. Each tunnel should use a unique pairing of Tunnel ID and GRE Tunnel Server/Data VPN Server.
- Name - The Tunnel Profile name.
- Tunnel ID - The VPN ID used for Access Role Profile mapping. (Range = 0 - 16777215, suggested range of 64001 - 65000). If the Tunnel ID is set to "0", no GRE Key is sent.
- GRE Tunnel Server IP Address/Data VPN Server - The IP address of the Tunnel Termination Switch (GRE Tunnel Server/Data VPN Server) used for mapping to the Access Role Profile. Select a switch from the drop-down or enter an IP address.
- Backup GRE Tunnel Server IP Address - The IP address of a backup GRE Tunnel Server to provide GRE tunnel redundancy between an AP and GRE Tunnel Server. Select a switch from the drop-down or enter an IP address. When the primary GRE Tunnel Server IP address goes down, the backup Tunnel Server takes over. Note that configuring a backup tunnel between an AP and the GRE Tunnel Server is supported on AWOS 4.0.5.15 or later.
- Keepalive Interval - The time interval, in seconds, for APs to check the status of the far-end IP address for the GRE Tunnel Server. (Range = 2 - 5 seconds, Default = 5 seconds)
- Response Timeout - The amount of time, in seconds, to wait for a response from the GRE Tunnel Server to keepalive requests. (Default = 2 seconds)
- Retries - The number of times to retry after a failed Keepalive request. (Range = 3 - 5, Default = 3). A failover to the backup GRE Tunnel Server IP address occurs after the last retry has failed.
- Preemption - Enables/Disables returning to the primary GRE Tunnel Server after a failover to the backup. (Default = Disabled). When enabled:
- Preemption Countdown Timer - Specify the amount of time to wait, in seconds, after a failover to the backup GRE Tunnel Server before attempting to go back to the primary GRE Tunnel Server. The countdown timer restarts on every switchover to the backup server. (Default = 300 seconds)
- MTU - Specify the MTU value for the GRE Tunnel. The recommended value is 1476 for raw GRE and 1416 for GRE over a WireGuard interface. Leave this value blank if you do not want to set a specific value.
- TCPMSS - Specify the TCPMSS value for the GRE Tunnel (Range = 500 - 1426, Default = 1250).
- Support of Entropy - Enables/Disables entropy. An ALE Switch acting as a GRE Tunnel Server requires Entropy; however, some third-party GRE Tunnel Servers (e.g., Linux) do not require Entropy.
- Allow Local Breakout - Enables/Disables Local Breakout on the tunnel. If enabled, enter the Static Route(s) to be used for entering the Tunnel. All other traffic will go out through the local network. Make sure you have applied the relevant Data VPN Server to AP Groups in the SSID before choosing Data VPN Server as the Tunnel endpoint. To apply a Data VPN Server to an AP Group, go to the AP Groups page (Network - AP Registration - AP Group) and edit the Data VPN Setting for the group. Note that only one VLAN inside the tunnel (tunnel ID different from 0 if tagged, 0 if untagged) can be enabled with Local Breakout.
- Static Routes - Specify the static routes to be used for entering the tunnel. All other traffic will go out through the local network.
- Avoid specifying static routes pertaining to the VLAN ID of the traffic that enters the Tunnel. For example, if VLAN ID = 41 is specified to be carried within the Tunnel and the network subnet that corresponds to VLAN 41 is 192.168.41.0, the AP will automatically set up this route and make sure traffic destined for 192.168.41.0 will enter the Tunnel. Do not specify an explicit Route with Destination = 192.168.41.0, as that will confuse the AP and lead to poor performance.
- The static routes specified will be accumulated on an AP across all SSIDs assigned to the AP. For example, if you have two SSIDs configured on the same AP and configure SSID1 to use Tunnel Profile T1 with Static Routes A and B, and configure SSID2 to use Tunnel Profile T2 with Static Routes C and D, all of the routes (A, B, C, and D) will be applicable for SSID 1 and SSID 2.
- Across all of the routes applied on an AP from the different SSIDs, make sure any destination IP subnet is specified only once. Each route applied on an AP should be for a different IP subnet, even across the SSIDs. Also, avoid specifying static routes pertaining to the VLAN ID of the traffic that enters the tunnel. The AP will automatically set up such routes. If a route to IP subnet X already exists in an SSID and that SSID is applied to an AP, another route to the same IP subnet X must not be specified in the same or a different SSID that is applied to the same AP.
Note: If you create two tunnel profiles with the same Remote IP and Tunnel ID, the "Support of Entropy" status must be the same on both tunnels (both must be "enabled" or "disabled"). Choose the value based on what use case you plan to deploy.
The following are the four possible use cases that are supported:
1. GRE Tunnel from AP to AOS Switch - This is the typical Guest Tunnel use case where AOS acts as the Guest Tunnel Termination Switch. The AOS Switch expects the Tunnel ID to be non-0 and "Support of Entropy" must be "Enabled".
2. GRE Tunnel from AP to Non-AOS Switch/Server (e.g., Nokia 7750 SR/Standard Linux Tunnel Server) - This is the Guest Tunnel use case with a non-AOS switch. The Tunnel ID must be 0 and "Support of Entropy" must be "Disabled", as the Key field in L2GRE header is not expected by the Switch/Server.
3. GRE Tunnel Between AP and OV VPN Server Appliance - This is the regular Data VPN tunnel use case between Remote APs and an OV VPN Server acting as the Data VPN Server. The Tunnel ID must be 0 and "Support of Entropy" must be "Disabled", as the Key field in the L2GRE header is not expected by the OV VPN Server.
4. GRE Tunnel from AP to AOS Switch, Over the Data VPN tunnel Between AP and OV VPN Server Appliance - This is a rare use case of using the Data VPN tunnel to reach from a remote site where the AP is located, to the Central Site where the AOS Switch is located. The AOS Switch expects the Tunnel ID to be non-0 and "Support of Entropy" must be "Enabled".
The following combinations of values are not supported:
- Tunnel ID > 0 and Support of Entropy = Disabled
- Tunnel ID = 0 and Support of Entropy = Enabled.
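The Tunnel ID/Entropy rules above and the static-route rules from the Local Breakout section can be checked before a profile is pushed. The following validator is an added example, not OmniVista code; the `TunnelProfile` fields, the per-AP grouping of profiles, and the sample values are assumptions.

```python
# Added example (not OmniVista code): checks Tunnel Profile settings against the
# rules on this page. Field names and the sample profiles are assumptions.
from dataclasses import dataclass, field
from ipaddress import ip_network

@dataclass
class TunnelProfile:
    name: str
    tunnel_id: int            # VPN ID / GRE key; 0 means no GRE Key is sent
    server_ip: str            # GRE Tunnel Server / Data VPN Server address
    entropy: bool             # "Support of Entropy"
    vlan_subnets: list = field(default_factory=list)   # subnets of VLANs carried in the tunnel
    static_routes: list = field(default_factory=list)  # Local Breakout static routes

def check_profile(p):
    """Return the list of problems in a single profile (empty list = OK)."""
    errs = []
    if not 0 <= p.tunnel_id <= 16777215:
        errs.append(f"{p.name}: Tunnel ID {p.tunnel_id} outside 0-16777215")
    # The two unsupported combinations from the use-case list.
    if p.tunnel_id > 0 and not p.entropy:
        errs.append(f"{p.name}: Tunnel ID > 0 requires Support of Entropy = Enabled")
    if p.tunnel_id == 0 and p.entropy:
        errs.append(f"{p.name}: Tunnel ID = 0 requires Support of Entropy = Disabled")
    # The AP installs routes for tunnelled VLAN subnets itself; a duplicate static route confuses it.
    vlan_nets = [ip_network(s) for s in p.vlan_subnets]
    for r in p.static_routes:
        if ip_network(r) in vlan_nets:
            errs.append(f"{p.name}: static route {r} duplicates a tunnelled VLAN subnet")
    return errs

def check_ap(profiles):
    """Cross-profile rules for all Tunnel Profiles used by one AP's SSIDs."""
    errs = []
    # Same Remote IP + Tunnel ID: the Entropy setting must match on both profiles.
    by_endpoint = {}
    for p in profiles:
        key = (p.server_ip, p.tunnel_id)
        if key in by_endpoint and by_endpoint[key].entropy != p.entropy:
            errs.append(f"{by_endpoint[key].name}/{p.name}: same server and Tunnel ID, different Entropy")
        by_endpoint.setdefault(key, p)
    # Static routes accumulate across SSIDs on an AP; each subnet may be specified only once.
    seen = {}
    for p in profiles:
        for r in p.static_routes:
            net = ip_network(r)
            if net in seen:
                errs.append(f"{p.name}: route {r} already applied on this AP by {seen[net]}")
            seen.setdefault(net, p.name)
    return errs
```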
Editing a Tunnel Profile
Select the profile in the Tunnel Profile List and click on the Edit icon to bring up the Edit Tunnel Profile Screen. Edit the fields as described above then click on the Apply button to save the changes. Note that you cannot edit the profile name.
Deleting a Tunnel Profile
Select the profile in the Tunnel Profile List, click on the Delete icon, then click OK at the confirmation prompt.
Tunnel Profile List
- Name - The Tunnel Profile name.
- Tunnel ID - The VPN ID used for Access Role Profile mapping.
- GRE Tunnel Server IP Address/Data VPN Server - The IP Address of the Tunnel Termination Switch (GRE Tunnel Server/Data VPN Server) used for mapping to the Access Role Profile.
- Backup GRE Tunnel Server IP Address - The IP address of a backup GRE Tunnel Server to provide GRE tunnel redundancy between an AP and GRE Tunnel Server. Note that configuring a backup tunnel between an AP and the GRE Tunnel Server is supported on AWOS 4.0.5.15 or later.
- Keepalive Interval - The time interval, in seconds, for APs to check the status of the far-end IP address for the GRE Tunnel Server.
- Response Timeout - The amount of time, in seconds, to wait for a response from the GRE Tunnel Server to keepalive requests.
- Retries - The number of times to retry after a failed Keepalive request.
- Preemption - The administrative status on whether to go back to the primary GRE Tunnel Server (Enabled/Disabled).
- Preemption Countdown Timer - If Preemption is enabled, this timer specifies the amount of time to wait after a failover to the backup GRE Tunnel Server before attempting to go back to the primary GRE Tunnel Server.
- Entropy Status - The administrative status of Entropy on the tunnel (Enabled/Disabled).
- Local Breakout Status - The administrative status of Local Breakout on the tunnel (Enabled/Disabled).
- Static Routes - The Local Breakout Static Route(s), if applicable.