
Propagate VLAN through VPN (IPsec)?

November 5

I have a question about connecting two LANs (logically the same LAN) over a VPN. In the picture below you can see an overall representation of our implementation.


On each side, we have distinct sites with AAA servers (both servers share the same base). We have 2 VLANs: one for normal users (who can pass authentication) and one for guests.

Guests can only get to the Internet. Normal users can get to the Internet and, if needed, connect to co-workers at the other site.

So, an IPsec + NAT configuration should work well.

The main problem is outgoing IPsec packets from one router will be "stripped" on the site side of another router. How, in this situation, do we put this packet in VLAN 10 (for normal users) if we lose the VLAN tag information?

I hope I was clear in my description of the problem.

In short: How do we put packets coming from IPsec into VLAN 10 (for normal users), or is there any way to propagate a VLAN?



If the packet's destination address belongs to the IP subnet on VLAN 10, then the router will forward the packet onto that VLAN. I am assuming that the IP subnet for VLAN 10 is different at each site.

"VPN" is the wrong term here. That implies a layer-3 (IP) transport between sites.

Based on your diagram, 10.0/16 is the subnet on both sites. For that to work, one would need a bridge between sites. An IOS tunnel interface could achieve this (as could several other methods). Bridge "VLAN 10" (whatever interface that may be) and the tunnel interface, and it should work [tunnel and VLAN remain layer-2 interfaces; the BVI handles layer-3]. Some tweaking would be required to keep the DHCP domains isolated -- since this creates one broadcast domain.

A better solution would be to segment each site into its own subnet, and place each guest LAN into an isolated, local-only VLAN. Then let routing and VPN(s) (tunnel or not) handle everything. VRF and/or ACLs can isolate and restrict guest access.

VLANs are layer-2 domains, and they end at a layer-3 boundary (router). A layer-2 frame is stripped from the layer-3 packet at the first router it encounters. When the layer-3 packet reaches the second router, a new layer-2 frame will encapsulate the packet for the VLAN of the destination subnet.

VxLAN can perform what you need.

Basically, it's VLAN encapsulation in IP (UDP) packets.

If your routers do not support it, you can insert a VxLAN gateway in front of them.
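The two answers above make a byte-level claim that is easy to check: a router discards the incoming Ethernet header, 802.1Q tag included, and rebuilds a frame for whichever VLAN owns the destination subnet, whereas VXLAN (RFC 7348) carries the whole original frame inside a UDP payload, so the tag survives. The following Python model is an added example, not code from any answer or from Cisco; the MAC addresses, IP subnets, VLAN IDs and the VNI 5010 are constructed sample values, and the IPv4 header is built without a checksum because only the destination field matters here.

```python
"""Byte-level model of a frame crossing a site-to-site link two ways.

route_frame(): what a router does. The Ethernet header and its 802.1Q tag
               are dropped, the IP packet is looked up in a subnet-to-VLAN
               table, and a brand-new frame is built for the egress VLAN.
vxlan_wrap():  what VXLAN does. The original frame, tag included, becomes
               the payload of a UDP datagram (port 4789) and comes back out
               unchanged at the far end.
All addresses, VLAN IDs and the VNI below are constructed sample values.
"""
import ipaddress
import struct
from typing import Dict, Optional, Tuple

ETH_P_8021Q = 0x8100   # 802.1Q tag protocol identifier
ETH_P_IP = 0x0800      # IPv4 ethertype
VXLAN_UDP_PORT = 4789  # IANA-assigned VXLAN destination port (informational)


def build_frame(dst_mac: bytes, src_mac: bytes, vlan_id: Optional[int], payload: bytes) -> bytes:
    """Ethernet II frame, optionally with an 802.1Q tag (PCP and DEI zero)."""
    header = dst_mac + src_mac
    if vlan_id is not None:
        header += struct.pack("!HH", ETH_P_8021Q, vlan_id & 0x0FFF)
    return header + struct.pack("!H", ETH_P_IP) + payload


def parse_frame(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Return (vlan_id or None, layer-3 payload) for an Ethernet/802.1Q frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & 0x0FFF, frame[18:]     # skip tag (4 bytes) + inner ethertype
    return None, frame[14:]


def build_ipv4(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Minimal IPv4 header (no options, checksum left at zero) plus payload."""
    total_len = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def route_frame(frame: bytes, subnet_to_vlan: Dict[str, int],
                router_mac: bytes, next_hop_mac: bytes) -> Tuple[Optional[int], bytes]:
    """Model a router hop: the ingress tag is discarded, the egress VLAN comes
    only from the destination subnet. Returns (egress_vlan, new_frame)."""
    _ingress_vlan, packet = parse_frame(frame)      # tag information ends here
    dst_ip = ipaddress.IPv4Address(packet[16:20])   # IPv4 destination field
    egress_vlan = None
    for subnet, vlan in subnet_to_vlan.items():
        if dst_ip in ipaddress.IPv4Network(subnet):
            egress_vlan = vlan
            break
    return egress_vlan, build_frame(next_hop_mac, router_mac, egress_vlan, packet)


def vxlan_wrap(frame: bytes, vni: int) -> bytes:
    """VXLAN header: flags byte with the I bit (0x08) set, 3 reserved bytes,
    24-bit VNI, 1 reserved byte; the original frame follows untouched."""
    return struct.pack("!B3sI", 0x08, b"\x00\x00\x00", (vni & 0xFFFFFF) << 8) + frame


def vxlan_unwrap(udp_payload: bytes) -> Tuple[int, bytes]:
    """Inverse of vxlan_wrap: returns (vni, inner_frame)."""
    flags, _reserved, vni_field = struct.unpack("!B3sI", udp_payload[:8])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set; not a valid VXLAN header")
    return vni_field >> 8, udp_payload[8:]


def demo() -> dict:
    """Send one frame tagged VLAN 10 both ways and report what arrives."""
    host_a = bytes.fromhex("020000000a01")   # constructed MACs
    router = bytes.fromhex("020000000001")
    host_b = bytes.fromhex("020000000b01")
    packet = build_ipv4("10.0.10.5", "10.0.20.7", b"hello")
    tagged = build_frame(router, host_a, 10, packet)

    # Routed path: the far router picks the VLAN from its own subnet table,
    # so a frame that entered on VLAN 10 leaves on VLAN 20 if that is where
    # the destination subnet lives. The ingress tag played no part.
    site_b_table = {"10.0.10.0/24": 10, "10.0.20.0/24": 20}
    egress_vlan, _routed = route_frame(tagged, site_b_table, router, host_b)

    # VXLAN path: the far end receives the identical frame, tag 10 intact.
    vni, inner = vxlan_unwrap(vxlan_wrap(tagged, 5010))
    return {
        "ingress_vlan": parse_frame(tagged)[0],
        "routed_egress_vlan": egress_vlan,
        "vxlan_vni": vni,
        "vxlan_frame_intact": inner == tagged,
        "vxlan_inner_vlan": parse_frame(inner)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The routed result is the answer to the original question: there is no VLAN tag to "propagate" after the first router, only a destination address to route, so the far router's subnet-to-VLAN mapping decides the VLAN. The VXLAN result shows why the last answer works: the tag is simply part of the encapsulated payload.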

