
I'd like to set up site-to-site IPsec in bridged mode: that is, where the hosts in each site don't need to be modified to use the IPsec gateway, but the IPsec gateway acts as a pseudowire.

My plan to do this is:

  1. Set up host-to-host IPsec on each gw
  2. Set up L2TP (over IPsec) between each gw
  3. Bridge the eth0 and the l2tp-eth on each gw

After that, any Layer 2 packets that reach eth0 of any gw should automatically be tunneled (L2TP) securely (IPsec) to the other gateways.

Is this correct? Is this the recommended approach?

Also: How do I do this for > 2 gateways? Does each gateway need both an IPsec SA and an L2TP tunnel with every other gw? Ideally, I'd like to make it so that gws don't need explicit knowledge of every other individual gw, but I can't find a reliable or even standard way to do so.

SRobertJames
  • Why do this at L2 instead of L3? Even with a router L3 tunnel, systems still don't need to "be modified" to be able to use the tunnel. As long as their gateway knows about it, they'll be able to communicate just fine. – EEAA Jun 15 '15 at 16:11
  • Yes, but you need to modify their gateway. I'm dealing with a bunch of embedded devices where modifying anything - even something as simple as a gateway - is difficult. So I want it to be 100% transparent, just drop in. – SRobertJames Jun 15 '15 at 16:42
  • Do they not already have a gateway? – EEAA Jun 15 '15 at 16:43
  • No - they're all on the same LAN currently. – SRobertJames Jun 15 '15 at 17:42
  • Did you implement this setup? Is it working? – Maxxer Jun 28 '18 at 13:02
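The three steps in the question map onto a Linux gateway as a static L2TPv3 Ethernet pseudowire (`ip l2tp`), an IPsec transport-mode SA that covers only the L2TP UDP port, and a bridge that the LAN port and every pseudowire join. The script below is an added example written for this answer thread, not the asker's or any answerer's configuration; it generates the per-gateway commands and strongSwan `conn` stanzas for a full mesh of N gateways, which is the plain answer to the "> 2 gateways" part: every pair gets its own tunnel and SA, and each gateway only needs the list of peer addresses. It assumes Linux with the `l2tp_eth` module, iproute2, strongSwan, and uses constructed addresses from the 203.0.113.0/24 documentation range; the interface names, id scheme and port scheme are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the question or the answers): generate the
# iproute2 and strongSwan configuration for a bridged L2TPv3-over-IPsec mesh.
# Assumes Linux with l2tp_eth, iproute2 "ip l2tp"/"bridge", and strongSwan.
BRIDGE=br0   # bridge joining the LAN port and all pseudowires
LAN_IF=eth0  # LAN-facing port (must carry no IP address once enslaved)

# nth N WORD... : print the N-th word (1-based); fails if out of range.
nth() {
    n=$1; shift; i=0
    for a in "$@"; do
        i=$((i + 1))
        if [ "$i" -eq "$n" ]; then echo "$a"; return 0; fi
    done
    return 1
}

# pair_port I J : UDP port used by the tunnel between gateways I and J.
# Symmetric, unique per pair for up to 99 gateways; both ends bind it.
pair_port() {
    if [ "$1" -lt "$2" ]; then lo=$1; hi=$2; else lo=$2; hi=$1; fi
    echo $((5000 + lo * 100 + hi))
}

# emit_pseudowire LOCAL_IP REMOTE_IP LOCAL_IDX REMOTE_IDX
# Commands creating one L2TPv3 Ethernet session and attaching it to the
# bridge. tunnel/session ids are derived from the indices so the same
# function run on the peer yields the mirror image (its tunnel_id is our
# peer_tunnel_id and vice versa).
emit_pseudowire() {
    local_ip=$1 remote_ip=$2 li=$3 ri=$4
    tid=$((li * 1000 + ri)); ptid=$((ri * 1000 + li))
    port=$(pair_port "$li" "$ri")
    ifname="l2tp-gw$ri"
    cat <<EOF
ip l2tp add tunnel tunnel_id $tid peer_tunnel_id $ptid encap udp local $local_ip remote $remote_ip udp_sport $port udp_dport $port
ip l2tp add session tunnel_id $tid session_id $tid peer_session_id $ptid name $ifname
# L2TPv3/UDP/IP plus ESP overhead must fit the WAN MTU: cap the pseudowire
# so the bridge never hands it a frame the tunnel cannot carry.
ip link set dev $ifname mtu 1400 up
ip link set dev $ifname master $BRIDGE
# Split horizon: with a full mesh, frames from one pseudowire must not be
# re-flooded into the others or the mesh becomes a bridging loop.
bridge link set dev $ifname isolated on
EOF
}

# emit_ipsec LOCAL_IP REMOTE_IP LOCAL_IDX REMOTE_IDX
# strongSwan conn protecting only this pair's L2TP UDP port in transport
# mode; no tunnel-mode routes are installed, so L2TP alone picks the peer.
emit_ipsec() {
    port=$(pair_port "$3" "$4")
    cat <<EOF
conn l2tp-gw$4
    type=transport
    left=$1
    right=$2
    leftprotoport=udp/$port
    rightprotoport=udp/$port
    keyexchange=ikev2
    authby=secret
    ike=aes256-sha256-modp2048!
    esp=aes256gcm16!
    auto=start
# ipsec.secrets: $1 $2 : PSK "<per-pair secret, placeholder>"
EOF
}

# mesh_commands ME "IP1 IP2 ..." : bridge + one pseudowire per other gateway.
mesh_commands() {
    me=$1; gws=$2
    local_ip=$(nth "$me" $gws)
    echo "ip link add name $BRIDGE type bridge"
    echo "ip link set dev $LAN_IF master $BRIDGE"
    echo "ip link set dev $BRIDGE up"
    i=0
    for addr in $gws; do
        i=$((i + 1))
        if [ "$i" -ne "$me" ]; then emit_pseudowire "$local_ip" "$addr" "$me" "$i"; fi
    done
}

# mesh_ipsec ME "IP1 IP2 ..." : one transport-mode conn per other gateway.
mesh_ipsec() {
    me=$1; gws=$2
    local_ip=$(nth "$me" $gws)
    i=0
    for addr in $gws; do
        i=$((i + 1))
        if [ "$i" -ne "$me" ]; then emit_ipsec "$local_ip" "$addr" "$me" "$i"; fi
    done
}

# Usage: sh mesh.sh <my-index> "<ip1> <ip2> ..."  -- review, then run as root.
if [ "$#" -eq 2 ]; then
    mesh_commands "$1" "$2"
    echo "# --- append to /etc/ipsec.conf ---"
    mesh_ipsec "$1" "$2"
fi
```

Run the same script on every gateway with its own index and the same ordered address list; the derived ids and ports match up pairwise without any per-peer hand editing. The IPsec policy is transport mode scoped to one UDP port, so it wraps the L2TP datagrams without competing with them for routing; the `isolated` port flag (recent kernels) is what keeps the full-mesh bridge loop-free, and the pseudowire MTU cap is what keeps large LAN frames from being silently dropped at the WAN.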

1 Answer

It is my personal experience that this is possible but not recommended. In fact, I want to communicate to you that you should never ever use this configuration. Let me explain.

Layer 2 bridge mode is intended to not make any routing decisions; IPSEC VPNs require routing in order to move the packets over the VPN. In fact, a host machine never knows what is passed beyond its own gateway. It sends all traffic to the gateway (unless in the same subnet) and the gateway performs all the routing for the host. The host is never aware of anything more from that point. Layer 2 routing is done with MAC addresses. To perform layer 2 routing you must know all the MAC addresses in order to move them in another direction.

In a network configuration, the hosts do not know they are going over the VPN tunnel and the tunneling is performed "automatically" without the knowledge of the host computer.

Getting back on topic. L2TP and IPSEC would be redundant. You do not want to perform both as your device will want to choose one or the other, causing a routing conflict. You would not be able to force L2TP over the VPN tunnel. When both tunnels are up, your router would have to make a decision which to go over. This would probably be determined by which routes were 1) higher priority or 2) higher on the chain, taking precedence only by rule order.

For more than 2 gateways, there are many different variables in play that would make two gateways possible. If the two gateways are 2 different WAN-facing connections then only one would be allowed to be active at once. Both being up would cause a route conflict. To overcome this, you may use dynamic routing such as OSPF to fail over to the secondary tunnel/secondary ISP and tear down the primary.

In summary, unless you absolutely have to build it the way in your question, I would recommend a single L3 device that manages your VPN tunnel with only 1 gateway. This way is the most streamlined, has the least amount of moving parts, and is the simplest configuration possible.

Arlion
  • Arlion: IPsec is _not_ redundant with L2TP. In fact, most L2TP deployments use IPsec, because L2TP includes no encryption or authentication. – SRobertJames Jun 25 '15 at 02:53
  • L2, although not "officially" for routing, effectively does transparent routing when functioning as a learning bridge. This is the beauty of Catalyst, why Cisco bought them way back when, now it is commonplace. – SRobertJames Jun 25 '15 at 02:56