Initial setup

I recently did a manual S-CLI configuration for a VPN-L2 IPSec under HiveManager NG, Build Version 11.17.8.1. In my case, the VPN server was an AP250 access point, and two different AP130s were the VPN clients.

As a quick reminder, these are the main objects you need:

VPN pool client size - in my case only four
VPN IP Server - an 802.11ac access point or a Virtual HiveOS server
HiveManager NG Certificates - you have to download them from NG (Default_CA.cer, Default-Server_cert.cer, Default-Server_key.cer)

Server Supplemental CLI

This is the Supplemental CLI, Server side:

vpn client-ip-pool VPN-IP-Pool local 192.168.5.100 192.168.5.103 netmask 255.255.255.252
vpn xauth-client-list VPN-Client-List local
vpn server-ipsec-tunnel VPN-Primary-Server
vpn ipsec-tunnel VPN-Primary-Server client-list VPN-Client-List client-ip-pool VPN-IP-Pool dns-server 192.168.5.2
vpn tunnel-policy vpn_tunnel_policy server ipsec-tunnel VPN-Primary-Server
vpn xauth-client-list VPN-Client-List client-name AP130-001 password Static-Password-001
vpn xauth-client-list VPN-Client-List client-name AP130-002 password Static-Password-002

The management interface of the server is 192.168.5.10.

Client Supplemental CLI

AP130-001 is the first VPN client and AP130-002 is the second. Pick a password for each one and build your client-side S-CLI. In this case 192.168.5.10 is the VPN server, the AP250.

Client n.1:

vpn client-ipsec-tunnel VPN_client_ipsec_1
vpn ipsec-tunnel VPN_client_ipsec_1 gateway 192.168.5.10 client-name AP130-001 password Static-Password-001
vpn tunnel-policy vpn_tunnel_policy client ipsec-tunnel VPN_client_ipsec_1 primary
user-profile UserProfile-VPN-IPSec tunnel-policy vpn_tunnel_policy

Client n.2:

vpn client-ipsec-tunnel VPN_client_ipsec_2
vpn ipsec-tunnel VPN_client_ipsec_2 gateway 192.168.5.10 client-name AP130-002 password Static-Password-002
vpn tunnel-policy vpn_tunnel_policy client ipsec-tunnel VPN_client_ipsec_2 primary
user-profile UserProfile-VPN-IPSec tunnel-policy vpn_tunnel_policy
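
An added example, not part of the original post: a small Python check that cross-references one client's S-CLI with the server's before it is pushed, flagging a tunnel name that is referenced but never defined, a gateway that is not the server address, and credentials that do not match the server's xauth list. The sample configurations and passwords are constructed, and the regular expressions assume the command layout shown above.

```python
import ipaddress
import re

# Constructed sample S-CLI modelled on the commands above; passwords are placeholders.
SERVER = """\
vpn client-ip-pool VPN-IP-Pool local 192.168.5.100 192.168.5.103 netmask 255.255.255.252
vpn xauth-client-list VPN-Client-List client-name AP130-001 password Example-Pass-001
vpn xauth-client-list VPN-Client-List client-name AP130-002 password Example-Pass-002
"""
CLIENT_OK = """\
vpn client-ipsec-tunnel VPN_client_ipsec_1
vpn ipsec-tunnel VPN_client_ipsec_1 gateway 192.168.5.10 client-name AP130-001 password Example-Pass-001
vpn tunnel-policy vpn_tunnel_policy client ipsec-tunnel VPN_client_ipsec_1 primary
"""
CLIENT_BAD = """\
vpn client-ipsec-tunnel VPN_client_ipsec_2
vpn ipsec-tunnel VPN_client_ipsec_1 gateway 192.168.5.10 client-name AP130-002 password Example-Pass-001
vpn tunnel-policy vpn_tunnel_policy client ipsec-tunnel VPN_client_ipsec_1 primary
"""

def server_clients(cfg):
    """Map client-name -> password from the server's xauth-client-list lines."""
    return dict(re.findall(r"xauth-client-list \S+ client-name (\S+) password (\S+)", cfg))

def pool_size(cfg):
    """Number of addresses in the 'client-ip-pool ... local <first> <last>' range."""
    first, last = re.search(r"client-ip-pool \S+ local (\S+) (\S+)", cfg).groups()
    return int(ipaddress.ip_address(last)) - int(ipaddress.ip_address(first)) + 1

def lint_client(cfg, server_cfg, gateway):
    """Return findings for one client's S-CLI checked against the server's S-CLI."""
    findings = []
    defined = set(re.findall(r"^vpn client-ipsec-tunnel (\S+)", cfg, re.M))
    used = re.findall(r"^vpn ipsec-tunnel (\S+) gateway", cfg, re.M)
    used += re.findall(r"^vpn tunnel-policy \S+ client ipsec-tunnel (\S+)", cfg, re.M)
    for name in sorted(set(used) - defined):
        findings.append(f"tunnel {name} is referenced but never defined")
    m = re.search(r"gateway (\S+) client-name (\S+) password (\S+)", cfg)
    if m is None:
        return findings + ["no gateway/credential line"]
    gw, name, pw = m.groups()
    if gw != gateway:
        findings.append(f"gateway {gw} is not the server address {gateway}")
    known = server_clients(server_cfg)
    if name not in known:
        findings.append(f"client {name} is not in the server's xauth list")
    elif known[name] != pw:
        findings.append(f"password for {name} differs from the server's entry")
    return findings
```

Comparing `pool_size(SERVER)` with `len(server_clients(SERVER))` also shows whether the address pool is large enough for the clients defined on the server.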

User profile configuration

Under the Network Policy, the UserProfile-VPN-IPSec of the chosen SSID should look like this:

[Image: manual_VPN_L2_HiveOS.png]

Certificates

Now it’s time to copy the CA file and the server certificate files (key and cert). Put the files in a local folder (here /Users/roberto/NG), then save them to the AP:

save vpn ca-cert scp://roberto@192.168.10.120:/Users/roberto/NG/Default_CA.cer
save vpn ee-cert scp://roberto@192.168.10.120:/Users/roberto/NG/Default-Server_cert.cer
save vpn private-key scp://roberto@192.168.10.120:/Users/roberto/NG/Default-Server_key.cer

You have to do this on all the devices.

Check the health of your VPN with:

show vpn ipsec sa

Enjoy!