
VLAN over VPN, is it possible?

Dear experts,

We have a local LAN connected remotely using an IPsec VPN...

Since we are using the Windows clustering service, we need the heartbeat interface
to be transparently connected. We would like to establish a VLAN between the two sites.

On both sites, the Astaro is on a Virtual Machine (ESXi) with the INTEL/Pro NIC.

Is it actually possible to establish a VLAN going thru the VPN?

Thanks a lot!
Neko


  • I've never heard of this before, but apparently there is such a thing as 802.1Q tunneling.

    You could make a request for this at Astaro Gateway Feature Requests

    Do note however that you CAN have multiple networks on one tunnel with Astaro IPSEC VPNs; I would think that would be all you would need.

    Barry
  • Hello, this is my topology.  The connection between Site 1 and Site 2 is an IPsec VPN.

    How do I make clients from Site 2 able to access the file server in the Site 1 network? The file server is in VLAN 130.

    In the Site 2 network no VLAN is defined. I use 2 Sophos XG Firewall devices.

    How can I do VLANs over an IPsec site-to-site VPN?

  • Hi Stilian,

    There is no need to do VLANs over an IPsec tunnel.  In fact, VLANs are at Layer 2 and cannot be passed through an IPsec tunnel.

    All you need is to properly define the tunnel on both sides without worrying that there's a VLAN on one side.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    He's talking about the heartbeat. That must be in the same VLAN (as far as I know).

    Another way would be a UTM RED tunnel. With that you can transmit VLANs over VPN. But I'm not familiar with the XG series and whether it is also possible to build UTM RED tunnels there.

    Best Regards,
    Manu

    - CISO -
    - Sophos SCA & Partner-

  • Manu nailed it.  I read right past the heartbeat issue.  A RED is a Remote Ethernet Device - like having a long cable connected.  I also don't know if RED is supported on XG.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Neko, I think your issue is better placed in the XG Firewall forum. The geeks for what is and isn't possible with the XG are there ;-).

    BTW, for all other readers here: it is also possible to build RED tunnels between two UTMs. So we manage two of our branch offices that have only MPLS to the headquarters, and we can build new networks without having to ask the provider every time to route them over MPLS.

    Best Regards,
    Manu

    - CISO -
    - Sophos SCA & Partner-

  • Hi Neko,

    From my understanding, it should work, as IPSec will just add its header for encryption and authentication to the packet. I guess simply defining the local and remote network in the IPSec policy and a static route to reach the VLAN from the UTM should do the job. I have never come across such a scenario, so it will be interesting to know if that works.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Sachin, if you check with the developers, I think they will tell you that the UTM strips the VLAN tag upon receiving the packet.  It adds the tag to a packet leaving via a VLAN Interface.  Let us know.

    Cheers - Bob
    PS Can the XG do RED tunnels?

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    Even if the VLAN tag is stripped off from the packet, the UTM will still forward it on the basis of the destination IP address/network at Layer 3. When the receiving UTM sees a packet for a VLAN network it will add the tag and forward it through the respective interface. I think defining the remote and local network in the IPSec policy should do the job.

    Let's await a reply from Neko once he tests this scenario.

    Yes, XG does RED tunnels.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Hi all,

    I've spoken today with the Windows geek in our admin team. The Windows cluster works with a multicast heartbeat. So perhaps it is possible to resolve it via multicast routing.

    But now that we know that XG also does RED tunnels, I think it would be easier to realize it with a RED tunnel.

    Best Regards,
    Manu

    - CISO -
    - Sophos SCA & Partner-
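To make concrete what Bob and Sachin describe above (the firewall strips the 802.1Q tag on ingress, only the IP packet is routed across the IPsec tunnel, and the far side re-tags purely by destination network) and Manu's point that a multicast heartbeat has no unicast route over such a tunnel, here is an added Python simulation. It is not code from this thread or from Sophos; the subnets, VLAN ids and MAC addresses are constructed sample values.

```python
import struct
import ipaddress

# Constructed sample layout (not from the thread): Site 1 carries the file server
# on VLAN 130 (10.130.0.0/24); Site 2 is an untagged LAN (192.168.2.0/24).
ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800

# Routing table of the Site 1 firewall: destination network -> egress VLAN id
# (None means the egress interface is untagged).
SITE1_ROUTES = {
    ipaddress.ip_network("10.130.0.0/24"): 130,
    ipaddress.ip_network("10.1.0.0/24"): None,
}

def build_frame(vlan_id, src_ip, dst_ip):
    """Build an Ethernet frame with a minimal IPv4 header; tag it if vlan_id is set."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst, src MAC
    tag = b"" if vlan_id is None else struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 17, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip_hdr

def strip_tag(frame):
    """Ingress at the sending firewall: discard Layer 2 (including any VLAN tag)
    and return (vlan_id_seen, ip_packet). Only the IP packet enters the tunnel."""
    vlan_id, offset = None, 12
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    if ethertype == ETHERTYPE_8021Q:
        vlan_id = struct.unpack("!H", frame[offset + 2:offset + 4])[0] & 0x0FFF
        offset += 4
        ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 is routed over the tunnel in this simulation")
    return vlan_id, frame[offset + 2:]

def deliver_at_site1(ip_packet):
    """Egress at the receiving firewall: pick the interface by destination IP
    and re-tag if that interface is a VLAN. Returns the VLAN id, None for an
    untagged egress, or 'dropped' when no unicast route matches."""
    dst = ipaddress.ip_address(ip_packet[16:20])
    if dst.is_multicast or dst == ipaddress.ip_address("255.255.255.255"):
        return "dropped"  # a multicast/broadcast heartbeat never matches a unicast route
    for net, vlan in SITE1_ROUTES.items():
        if dst in net:
            return vlan
    return "dropped"
```

The tag a frame carried at Site 2 is irrelevant on the far side: the packet is tagged 130 only because its destination falls in the VLAN 130 subnet, and a multicast heartbeat is dropped, which is why a Layer 2 transport such as RED (or multicast routing) is needed for it.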