The Unified Profile Tunnel Profile Screen displays information about configured Tunnel Profiles and is used to create, edit, and delete Guest Tunnel Profiles. When you create a Tunnel Profile, you configure the parameters that can be mapped to an Access Role Profile to authenticate a Guest Client, and map the client to a Guest UNP profile that is mapped to an L2 GRE service.
To create a Tunnel Profile, navigate to the Tunnel Profile screen by clicking on Network Access > Unified Access > Tunnel Profile under the “Configure” section of the OmniVista Cirrus Menu. The Tunnel Profile screen displays.
Creating a Tunnel Profile
Click on the Create Tunnel Profile icon and complete the fields as described below. When you are finished, click on the Create Tunnel Profile button. Each tunnel should have a unique pairing of Tunnel ID and GRE Tunnel Server/Data VPN Server.
Profile Name - The Tunnel Profile name.
Tunnel ID - The VPN ID used for Access Role Profile mapping. (Range = 0 - 16777215, suggested range of 64001 - 65000). If the Tunnel ID is set to "0", no GRE Key is sent.
GRE Tunnel Server IP Address/Data VPN Server - The IP address of the Tunnel Termination Switch (GRE Tunnel Server/Data VPN Server) used for mapping to the Access Role Profile. Select a switch from the drop-down or enter an IP address.
MTU - Enter the MTU value. The recommended value is 1476 for RAW GRE and 1416 for GRE over a WireGuard interface. Leave it blank if you do not want to set a specific value.
Support of Entropy - Enables/Disables entropy. An ALE Switch acting as a GRE Tunnel Server requires Entropy; however, some third-party GRE Tunnel Servers (e.g., Linux) require no Entropy.
Allow Local Breakout - Enables/Disables Local Breakout on the tunnel. If enabled, enter the Static Route(s) to be used for entering the Tunnel. All other traffic will go out through the local network. Make sure you have applied the relevant Data VPN Server to AP Groups in the SSID before choosing Data VPN Server as the Tunnel endpoint. To apply a Data VPN Server to an AP Group, go to the AP Groups page (Network - AP Registration - AP Group) and edit the Data VPN Setting for the group. Note that only one VLAN inside the tunnel (tunnel ID different from 0 if tagged, 0 if untagged) can be enabled with Local Breakout.
Static Routes - Specify the static routes to be used for entering the tunnel. All other traffic will go out through the local network.
Avoid specifying static routes pertaining to the VLAN ID of the traffic that enters the Tunnel. For example, if VLAN ID = 41 is specified to be carried within the Tunnel and the network subnet that corresponds to VLAN 41 is 192.168.41.0, the AP will automatically set up this route and make sure traffic destined for 192.168.41.0 (that is, traffic with VLAN ID = 41) will enter the Tunnel. Do not specify an explicit Route with Destination = 192.168.41.0, as that will confuse the AP and lead to poor performance.
The static routes specified will be accumulated on an AP across all SSIDs assigned to the AP. For example, if you have two SSIDs configured on the same AP and configure SSID1 to use Tunnel Profile T1 with Static Routes A and B, and configure SSID2 to use Tunnel Profile T2 with Static Routes C and D, all of the routes (A, B, C, and D) will be applicable for SSID 1 and SSID 2.
Across all of the routes applied on an AP from the different SSIDs, make sure any destination IP subnet is specified only once. Each route applied on an AP should be for a different IP subnet, even across the SSIDs. Also, avoid specifying static routes pertaining to the VLAN ID of the traffic that enters the tunnel. The AP will automatically set up such routes. If a route to IP subnet X already exists in an SSID and that SSID is applied to an AP, another route to the same IP subnet X must not be specified in the same or a different SSID that is applied to the same AP.
If you create two tunnel profiles with the same Remote IP and Tunnel ID, the "Support of Entropy" status must be the same on both tunnels (both must be "enabled" or "disabled"). Choose the value based on what use case you plan to deploy.
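The rules above (Tunnel ID range, matching "Support of Entropy" for the same server and Tunnel ID, routes accumulating per AP, one route per subnet, no route for a tunneled VLAN's subnet) can be checked on a planned configuration before it is entered. The following Python sketch is an added example, not OmniVista Cirrus code; the dictionary layout, field names and sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict

TUNNEL_ID_MAX = 16777215  # upper bound of the Tunnel ID range stated on the page

# Constructed sample plan; field names are assumptions, not OmniVista Cirrus API fields.
PROFILES = {
    "T1": {"server": "10.0.0.1", "tunnel_id": 64001, "entropy": True,
           "vlan_subnets": ["192.168.41.0/24"],
           "static_routes": ["10.10.0.0/16", "192.168.41.0/24"]},
    "T2": {"server": "10.0.0.1", "tunnel_id": 64001, "entropy": False,
           "vlan_subnets": [],
           "static_routes": ["10.10.0.0/16", "172.16.5.0/24"]},
}
AP_SSIDS = {"SSID1": "T1", "SSID2": "T2"}  # SSID -> Tunnel Profile, for one AP


def check_plan(profiles, ap_ssids):
    """Return (rule, detail) findings for one AP's planned tunnel profiles."""
    findings = []
    entropy_by_pair = defaultdict(set)
    for name, p in profiles.items():
        if not 0 <= p["tunnel_id"] <= TUNNEL_ID_MAX:
            findings.append(("tunnel-id-range", f"{name}: {p['tunnel_id']}"))
        entropy_by_pair[(p["server"], p["tunnel_id"])].add(p["entropy"])
    for (server, tid), settings in sorted(entropy_by_pair.items()):
        if len(settings) > 1:
            findings.append(("entropy-mismatch", f"{server} / Tunnel ID {tid}"))

    # Subnets the AP routes into the tunnel on its own (tunneled VLANs).
    auto = {ipaddress.ip_network(n, strict=False) for prof in ap_ssids.values()
            for n in profiles[prof]["vlan_subnets"]}
    seen = {}  # routes accumulate on the AP across all of its SSIDs
    for ssid, prof in ap_ssids.items():
        for route in profiles[prof]["static_routes"]:
            net = ipaddress.ip_network(route, strict=False)
            if net in auto:
                findings.append(("route-for-tunneled-vlan", f"{ssid}: {net}"))
            if net in seen:
                findings.append(("duplicate-route", f"{net}: {seen[net]}, {ssid}"))
            seen.setdefault(net, ssid)
    return findings


if __name__ == "__main__":
    for rule, detail in check_plan(PROFILES, AP_SSIDS):
        print(f"{rule}: {detail}")
```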
Editing a Tunnel Profile
Select the profile in the Tunnel Profile List and click on the Edit icon to bring up the Edit Tunnel Profile Screen. Edit the fields as described above, then click on the Save button to save the changes. Note that you cannot edit the profile name.
View Additional Information of a Tunnel Profile
Select the profile in the Tunnel Profile List and click on the Additional Information icon to view additional information for the selected profile.
Deleting a Tunnel Profile
Select the profile in the Tunnel Profile List, click on the Delete icon, then click Delete at the confirmation prompt.