Stretching L2 VLAN's over IPSec tunnel

Announcements

ATTENTION Customers, All Partners and Employees: The Customer Support Portal (CSP) will be undergoing maintenance and unavailable on Saturday, November 7, 2020, from 11 am to 11 pm PST. Please read our blog for more information.

Reply
Highlighted
L2 Linker

Stretching L2 VLAN's over IPSec tunnel

Hi All,

I am facing a nasty situation where i need to connect two sites together using an IPSec tunnel over the internet. The nasty part is where both sites have a VLAN that needs to be interconnected.. both in the same subnet. I am wondering if it is possible to stretch this VLAN between the two sites using an IPSec tunnel.

This gives the following setup:

VLAN1000 -> PA500 <-> (IPSec over INTERNET) <-> PA500 <-VLAN1000

Ideal would be QinQ tunneling where i could stack multiple VLAN's over this tunnel (even though i agree that preferably these sites would have routed interconnections :smileywink:).

Is there anyone familiar with a setup similar to this?

Regards,

Bas

Tags (2)
Highlighted
L4 Transporter

Hello,

In my point of view, this configuration is not possible.

IPSec require DIFFERENT IP range between source and destination.

Moreover, broadcast traffic are dropped by Layer 3 devices. No broadcast, no ARP reply, no connectivity in Ethernet world...

Regards,

HA

Highlighted
L6 Presenter

There are other products which can do a L2-bridge VPN such as the Farist VPN among others so its doable but in most products doing VPN it doesnt seem to be a default feature.

What happens is that any packet that arrives on a physical or VLAN interface is encapsulated with the VPN stuff and sent as L3 to the other side which will unwrap the VPN stuff and then just send the packet further as L2 - similar to how two switches would do (well switches wouldnt convert the packet into an encrypted L3 packet but still :-).

Another drawback is that most L2-bridge VPN solutions are propertiary in one way or another which gives that it will most likely not work unless you have PA boxes on both ends (in case your feature request will be taken care of).

Highlighted
L4 Transporter

PEPLINK also supports L2VPN...

Highlighted
L3 Networker

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!