I have a question about connecting two LANs (logically the same LAN) over a VPN. In the picture below you can see an overall representation of our implementation.
On each side, we have distinct sites with AAA servers (both servers share the same base). We have 2 VLANs: one for normal users (who can pass authentication) and one for guests.
Guests can only get to the Internet. Normal users can get to the Internet and, if needed, connect to co-workers at the other site.
So, an IPsec + NAT configuration should work well.
The main problem is that outgoing IPsec packets from one router will be "stripped" on the site side of the other router. How, in this situation, do we put this packet in VLAN 10 (for normal users) if we lose the VLAN tag information?
I hope I was clear in the description of the problem.
In short: How do we put packets coming from IPsec in VLAN 10 (for normal users), or is there any way to propagate a VLAN?
If the packet's destination address belongs to the IP subnet on VLAN 10, then the router will forward the packet onto that VLAN. I am assuming that the IP subnet for VLAN 10 is different at each site.
"VPN" is the wrong term here. That implies a layer-3 (IP) transport between sites.
Based on your diagram, 10.0/16 is the subnet on both sites. For that to work, one would need a bridge between sites. An IOS tunnel interface could achieve this (as could several other methods). Bridge "VLAN 10" (whatever interface that may be) and the tunnel interface, and it should work [tunnel and VLAN remain layer-2 interfaces; the BVI handles layer-3]. Some tweaking would be required to keep the DHCP domains isolated, since this creates one broadcast domain.
A better solution would be to segment each site into its own subnet, and place each guest LAN into an isolated, local-only VLAN. Then let routing and VPN(s) (tunnel or not) handle everything. VRF and/or ACLs can isolate and restrict guest access.
VLANs are layer-2 domains, and they end at a layer-3 boundary (router). A layer-2 frame is stripped from the layer-3 packet at the first router it encounters. When the layer-3 packet reaches the second router, a new layer-2 frame will encapsulate the packet for the VLAN of the destination subnet.
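As an added illustration of the last answer (not code from the thread), this Python simulation walks a tagged frame through two routers: the 802.1Q tag ends at the first router, and the second router chooses the egress VLAN from its own routing table rather than from anything carried across the tunnel. Subnets, VLAN numbers and the guest ACL are constructed assumptions; site B is renumbered to 10.1.0.0/16 as the second answer recommends, and overlapping() shows why the original 10.0/16-on-both-sites layout cannot be routed.

```python
import ipaddress
import struct

ETHERTYPE_VLAN = 0x8100   # 802.1Q tag
ETHERTYPE_IPV4 = 0x0800

def ipv4_packet(src, dst, payload=b""):
    """Minimal IPv4 header (checksum left at zero) in front of a payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload

def tagged_frame(vlan_id, packet, dst_mac=b"\x00" * 6, src_mac=b"\x02" * 6):
    """Ethernet frame with an 802.1Q tag; the tag exists only on this layer-2 segment."""
    tag = struct.pack("!HHH", ETHERTYPE_VLAN, vlan_id & 0x0FFF, ETHERTYPE_IPV4)
    return dst_mac + src_mac + tag + packet

def decapsulate(frame):
    """Router ingress: Ethernet header and tag are dropped; only the IP packet is routed."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_VLAN:
        raise ValueError("expected an 802.1Q-tagged frame")
    vlan_id = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vlan_id, frame[18:]

def route(packet, table):
    """Longest-prefix match on the destination address; no VLAN tag is available here."""
    dst = ipaddress.IPv4Address(packet[16:20])
    best = max((n for n in table if dst in n), key=lambda n: n.prefixlen, default=None)
    return None if best is None else table[best]

def overlapping(local_nets, remote_nets):
    """Prefixes used at both sites cannot be separated by routing (the 10.0/16 case above)."""
    return [(a, b) for a in local_nets for b in remote_nets
            if ipaddress.ip_network(a).overlaps(ipaddress.ip_network(b))]

# Constructed tables: VLAN 10 = authenticated users, VLAN 20 = guests (local-only, no tunnel route).
SITE_A = {ipaddress.ip_network("10.0.0.0/16"): "vlan10", ipaddress.ip_network("10.1.0.0/16"): "tunnel0",
          ipaddress.ip_network("192.168.20.0/24"): "vlan20"}
SITE_B = {ipaddress.ip_network("10.1.0.0/16"): "vlan10", ipaddress.ip_network("10.0.0.0/16"): "tunnel0",
          ipaddress.ip_network("192.168.21.0/24"): "vlan20"}

def site_to_site(vlan_id, src, dst):
    """Walk one packet from a VLAN at site A toward site B and report each hop's decision."""
    vlan_in, packet = decapsulate(tagged_frame(vlan_id, ipv4_packet(src, dst)))
    hop_a = route(packet, SITE_A)
    if hop_a == "tunnel0" and vlan_in == 20:
        hop_a = "dropped"        # ACL on the tunnel: guests get the Internet only
    hop_b = route(packet, SITE_B) if hop_a == "tunnel0" else None
    # Site B writes a fresh tag from its own routing decision, not from the stripped one.
    frame_out = tagged_frame(int(hop_b[4:]), packet) if hop_b and hop_b.startswith("vlan") else None
    return vlan_in, hop_a, hop_b, frame_out
```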