https://live.paloaltonetworks.com/t5/general-topics/stretching-l2-vlan-s-over-ipsec-tunnel/m-p/26710#M19503 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>In my point of view, this configuration is not possible.</P><P>IPSec require DIFFERENT IP range between source and destination.</P><P>Moreover, broadcast traffic are dropped by Layer 3 devices. No broadcast, no ARP reply, no connectivity in Ethernet world...</P><P></P><P>Regards,</P><P></P><P>HA </P></BODY></HTML> Fri, 15 Feb 2013 07:36:51 GMT licenselu 2013-02-15T07:36:51Z https://live.paloaltonetworks.com/t5/general-topics/stretching-l2-vlan-s-over-ipsec-tunnel/m-p/26709#M19502 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>I am facing a nasty situation where i need to connect two sites together using an IPSec tunnel over the internet. The nasty part is where both sites have a VLAN that needs to be interconnected.. both in the same subnet. I am wondering if it is possible to stretch this VLAN between the two sites using an IPSec tunnel.</P><P></P><P>This gives the following setup:</P><P>VLAN1000 -&gt; PA500 &lt;-&gt; (IPSec over INTERNET) &lt;-&gt; PA500 &lt;-VLAN1000</P><P></P><P>Ideal would be QinQ tunneling where i could stack multiple VLAN's over this tunnel (even though i agree that preferably these sites would have routed interconnections <img id="smileywink" class="emoticon emoticon-smileywink" src="https://live.paloaltonetworks.com/i/smilies/16x16_smiley-wink.png" alt="Smiley Wink" title="Smiley Wink" />).</P><P></P><P>Is there anyone familiar with a setup similar to this?</P><P></P><P>Regards,</P><P></P><P>Bas</P></BODY></HTML> Thu, 14 Feb 2013 19:36:46 GMT https://live.paloaltonetworks.com/t5/general-topics/stretching-l2-vlan-s-over-ipsec-tunnel/m-p/26709#M19502 bsanders 2013-02-14T19:36:46Z https://live.paloaltonetworks.com/t5/general-topics/stretching-l2-vlan-s-over-ipsec-tunnel/m-p/26710#M19503 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>In my point of view, this configuration is not possible.</P><P>IPSec require DIFFERENT IP range between source and destination.</P><P>Moreover, broadcast traffic are dropped by Layer 3 devices. No broadcast, no ARP reply, no connectivity in Ethernet world...</P><P></P><P>Regards,</P><P></P><P>HA </P></BODY></HTML> Fri, 15 Feb 2013 07:36:51 GMT https://live.paloaltonetworks.com/t5/general-topics/stretching-l2-vlan-s-over-ipsec-tunnel/m-p/26710#M19503 licenselu 2013-02-15T07:36:51Z https://live.paloaltonetworks.com/t5/general-topics/stretching-l2-vlan-s-over-ipsec-tunnel/m-p/26711#M19504 <HTML><HEAD></HEAD><BODY><P>There are other products which can do a L2-bridge VPN such as the Farist VPN among others so its doable but in most products doing VPN it doesnt seem to be a default feature.</P><P></P><P>What happens is that any packet that arrives on a physical or VLAN interface is encapsulated with the VPN stuff and sent as L3 to the other side which will unwrap the VPN stuff and then just send the packet further as L2 - similar to how two switches would do (well switches wouldnt convert the packet into an encrypted L3 packet but still :-).</P><P></P><P>Another drawback is that most L2-bridge VPN solutions are propertiary in one way or another which gives that it will most likely not work unless you have PA boxes on both ends (in case your feature request will be taken care of).</P></BODY></HTML> Fri, 15 Feb 2013 08:04:06 GMT https://live.paloaltonetworks.com/t5/general-topics/stretching-l2-vlan-s-over-ipsec-tunnel/m-p/26711#M19504 mikand 2013-02-15T08:04:06Z https://live.paloaltonetworks.com/t5/general-topics/stretching-l2-vlan-s-over-ipsec-tunnel/m-p/26712#M19505 <HTML><HEAD></HEAD><BODY><P>PEPLINK also supports L2VPN...</P></BODY></HTML> Fri, 15 Feb 2013 08:06:13 GMT https://live.paloaltonetworks.com/t5/general-topics/stretching-l2-vlan-s-over-ipsec-tunnel/m-p/26712#M19505 licenselu 2013-02-15T08:06:13Z https://live.paloaltonetworks.com/t5/general-topics/stretching-l2-vlan-s-over-ipsec-tunnel/m-p/26713#M19506 <HTML><HEAD></HEAD><BODY><P>If your a Cisco shop, check out OTV...</P><P><A href="http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/qa_c67-574969.html">http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/qa_c67-574969.html</A></P><P></P><P>Mike</P></BODY></HTML> Fri, 15 Feb 2013 20:52:12 GMT https://live.paloaltonetworks.com/t5/general-topics/stretching-l2-vlan-s-over-ipsec-tunnel/m-p/26713#M19506 msullivan 2013-02-15T20:52:12Z