I am facing a nasty situation where i need to connect two sites together using an IPSec tunnel over the internet. The nasty part is where both sites have a VLAN that needs to be interconnected.. both in the same subnet. I am wondering if it is possible to stretch this VLAN between the two sites using an IPSec tunnel.
This gives the following setup:
VLAN1000 -> PA500 <-> (IPSec over INTERNET) <-> PA500 <-VLAN1000
Ideal would be QinQ tunneling where i could stack multiple VLAN's over this tunnel (even though i agree that preferably these sites would have routed interconnections :smileywink:).
Is there anyone familiar with a setup similar to this?
In my point of view, this configuration is not possible.
IPSec require DIFFERENT IP range between source and destination.
Moreover, broadcast traffic are dropped by Layer 3 devices. No broadcast, no ARP reply, no connectivity in Ethernet world...
There are other products which can do a L2-bridge VPN such as the Farist VPN among others so its doable but in most products doing VPN it doesnt seem to be a default feature.
What happens is that any packet that arrives on a physical or VLAN interface is encapsulated with the VPN stuff and sent as L3 to the other side which will unwrap the VPN stuff and then just send the packet further as L2 - similar to how two switches would do (well switches wouldnt convert the packet into an encrypted L3 packet but still :-).
Another drawback is that most L2-bridge VPN solutions are propertiary in one way or another which gives that it will most likely not work unless you have PA boxes on both ends (in case your feature request will be taken care of).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!