2

Is it possible to extend the local VLANs to a Remote site connected by IPSEC VPN using ASA 5520 / Cisco 1841 DSL router.

can we have many VPN tunnels between the ASAs? (from every VLAN one vpn each?)

if not any other options/combinations available?

Falcon Momot
user204051
  • I presume you're asking about L2 vlans? As in extending a broadcast domain over your tunnel? – EEAA Jan 01 '14 at 15:19

3 Answers

2

Is it possible to extend the local VLANs to a Remote site connected by IPSEC VPN

No, by definition. IPsec is an IP-level security tunnel. VLANs are Ethernet-level.

can we have many VPN tunnels between the ASAs

Yes. This is a maintenance nightmare if it gets too much and is not automated in management, but it is possible.

if not any other options/combinations available?

If you put up an Ethernet tunnel between them - not sure this is possible - you can then use the "normal" VLAN packets.

http://www.cisco.com/en/US/docs/ios-xml/ios/interface/configuration/xe-3s/ir-eogre.html

has some information, though I am not sure this works on the 1841. But this would allow you to basically send ethernet frames with VLAN information embedded.

Alternatively, a multi-routing-table setup may work - depends on WHY you have VLANs in the first place. Or something based on MPLS (VPLS). The 1841 does not talk that one, though.

More professional routers may allow something like NVGRE for that purpose. Well, not exactly professional - but the 1841 is more an edge level router not something to use in the core.

It seems that the 1841 can do VPLS - that would work best then. Requires you to configure an MPLS setup.

The main problem in answering is that a lot of the choices depend on what you actually try to do from a business point of view and how much control you have over the routers at each endpoint.

TomTom
2

Normally you can extend your local LAN to a remote site using common IPsec / Layer 3. Search for site-to-site or LAN-to-LAN IPsec VPN. There are a lot of options; my favorite one is to use GRE over IPsec, but you need routers on both ends. If you can tell us what devices you have available on the hub/spoke sites, it would help in order to give you a more specific answer.

If you want to extend your Layer 2 network, which is not a very good idea for many reasons, I believe that the best option is to use L2TPv3 over IPsec. Again, you need routers on both ends. You have to take care of many issues though, such as MTU sizes (which could overload your router if you don't pay attention to details), broadcast, multicast, spanning-tree, redundancy etc., which are handled more easily on a Layer 3 VPN.

lacasitos
  • +1 for example of a protocol combo that actually allows VLAN bridging over ip router boundaries (and the caveats of doing it). – ErikE Jan 01 '14 at 18:48
0

You can use NAT on the ASA and router IPsec tunnel to connect the overlapping subnets. You can put additional subnets in the IPsec tunnel by adding them to the IPsec tunnel protected networks (the ACL referenced by the tunnel configuration), instead of creating a tunnel for each subnet-to-subnet connection. If the devices at each site have to communicate with each other at Layer 2, you will need to extend the LAN with a Layer 2 WAN link or a Layer 2 tunneling protocol. If you use NAT on an IPsec tunnel, the devices at each site will not be able to communicate with each other at Layer 2.

Tim
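A worked example of the single-tunnel approach from Tim's answer (and TomTom's point that many tunnels become a maintenance problem), added here and not taken from any of the posts: one ASA crypto map whose crypto ACL covers several VLAN subnets, so a new VLAN only needs one more object-group entry rather than a new tunnel. It assumes ASA 8.4+ syntax; the object-group names, the 10.x subnets and the 203.0.113.2 peer are constructed placeholders, and the pre-shared key is a placeholder to be replaced.

```cisco
! Constructed example for the hub ASA (8.4+ syntax assumed), not from the question.
! One VLAN per local subnet; every subnet pair below rides the same IPsec SA set.
object-group network HQ-VLANS
 network-object 10.10.10.0 255.255.255.0
 network-object 10.10.20.0 255.255.255.0
 network-object 10.10.30.0 255.255.255.0
object-group network BRANCH-LANS
 network-object 10.20.10.0 255.255.255.0
 network-object 10.20.20.0 255.255.255.0
!
! The crypto ACL is the "protected networks" list: traffic matching it is
! encrypted, anything else leaves the outside interface in the clear.
access-list VPN-BRANCH extended permit ip object-group HQ-VLANS object-group BRANCH-LANS
!
! NAT exemption so the real VLAN addresses (not a translated one) enter the tunnel.
nat (inside,outside) source static HQ-VLANS HQ-VLANS destination static BRANCH-LANS BRANCH-LANS no-proxy-arp route-lookup
!
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! A single crypto map entry and a single peer serve all VLANs in the ACL.
crypto map OUTSIDE-MAP 10 match address VPN-BRANCH
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
!
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key REPLACE-WITH-REAL-PSK
```

The branch side needs the mirror-image ACL and object-groups; the tunnel still carries routed IP only, so each VLAN keeps its own SVI and routing at both ends, and a subnet missing from the ACL is the usual cause of traffic silently bypassing the tunnel.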