01-19-2017 11:05 PM - edited 02-21-2020 09:07 PM
As the title states.... does anyone have any configuration examples to run L2TPv3 to tunnel and extend L2 over an IPsec L3 site-to-site tunnel?
01-30-2017 05:38 AM
Hi Michael,
I've written a blog post on this:
https://supportforums.cisco.com/blog/13213791/extending-lans-geographically-easy-cheap-and-secure-way
Michael
02-01-2017 04:53 AM
Sorry, I double-checked it right now with SVI and it works.
It works since IOS 12.4.20(T), definitely with the 829!
But beware that VLAN1 (SVI) is not allowed to have an IP address:
R1(config)#int vl1
R1(config-if)#ip add 10.0.0.1 255.255.255.0
Incompatible with xconnect command on Vl1 - command rejected.
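As an added configuration example (not from the blog post above and not the poster's config), here is one side of the setup the thread asks about: an IKEv2 site-to-site VTI, and an L2TPv3 pseudowire sourced from a loopback that is only reachable through that tunnel, with the SVI as attachment circuit and no IP on it, as the rejected command above shows. All addresses, names and secrets are constructed placeholders; the peer side mirrors it with the addresses swapped.

```cisco
! R1 side; mirror on R2 with the addresses swapped (all addresses constructed)
! --- IPsec site-to-site: IKEv2 with a routed VTI that carries the L2TPv3 packets ---
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 14
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
crypto ikev2 keyring IKEV2-KR
 peer R2
  address 198.51.100.1
  pre-shared-key REPLACE-WITH-STRONG-PSK
crypto ikev2 profile IKEV2-PROF
 match identity remote address 198.51.100.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local IKEV2-KR
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set ikev2-profile IKEV2-PROF
!
interface Loopback0
 ip address 10.255.0.1 255.255.255.255
interface Tunnel0
 ip address 10.254.0.1 255.255.255.252
 tunnel source GigabitEthernet0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
! the peer's L2TPv3 source (its loopback) is reachable only through the protected tunnel
ip route 10.255.0.2 255.255.255.255 Tunnel0
!
! --- L2TPv3 pseudowire, sourced from Loopback0 so every packet takes Tunnel0 ---
l2tp-class L2TP-CLASS
 authentication
 password 0 REPLACE-WITH-L2TP-SECRET
pseudowire-class PW-L2TPV3
 encapsulation l2tpv3
 protocol l2tpv3 L2TP-CLASS
 ip local interface Loopback0
!
! Attachment circuit: the SVI. It must carry no IP address or IOS rejects the
! xconnect (the "command rejected" output above); put the site gateway elsewhere.
interface Vlan1
 no ip address
 xconnect 10.255.0.2 100 pw-class PW-L2TPV3
```

The VC ID (100 here) and the L2TP password must match on both ends, and the L2TPv3 plus ESP headers reduce the usable payload, so size the WAN or end-host MTU accordingly or every full-size frame will be fragmented.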
01-30-2017 06:26 AM
Ok.. that's great ciscomax
Here's another twist on this requirement I have to throw a spanner in the works.
See topology below....
I actually need a workstation running RA (client-to-site) VPN (i.e. AnyConnect) to a head-end (ASA ?) in the 'DC' to have this L2 extension... down to a 'Location #' site.
I.e. in the example above. Location C.
So, workstation RA's to DC, and the workstation's MAC address/L2 to be maintained and not lost in the first RA VPN leg, and then to continue down the IPsec site-to-site between DC and Location C.
I think the latter VPN leg (is the L2TPv3 over IPsec).. but what about maintaining the MAC of the workstation/L2 extending the first VPN leg ?
Penny for your thoughts/advice.....
01-30-2017 06:39 AM
Hm, I'd say this only works when Location C is the VPN headend for the remote user.
But for a setup like your topology I'd definitely go for different subnets and clear routing, e.g. with DMVPN.
01-30-2017 07:06 AM
Double hmm.. :)
a. Which can't happen as Location C is Cisco 800 series and can't terminate RA
b. I HAVE TO get an L2 extension.. because the devices down in Location C are from process control/industrial sector land and have a weird way of being re-provisioned post a factory reset or hardware replacement.. They need to see a MAC that the workstation will fire (would be nice if they went back to a default IP address and I can reach it over a broadcast domain boundary.. but unfortunately.. not the case)..
Hence my aggression in trying to get an L2 extension from the workstation.
Follow ?
01-30-2017 07:08 AM
Ok, and what is the traffic direction? FROM client TO device in C? Then you could do a NAT on the internal IF on C, so it's the same network?
01-30-2017 07:13 AM
Hang on.. You've lost me.
Isn't the tricky part of L2 transparency in the first part.. the RA leg from Workstation to head-end/DC concentrator.
Post that.. I can extend L2 from DC to Location C with L2TPv3 over IPsec.. right ?
01-30-2017 07:17 AM
No I haven't, I'm trying to find another solution since it's quite complex what you're trying to achieve :)
I'd try to avoid L2 extension if there are more than 2 locations.
But OK, when DC is an IOS router (not ASA), you could run a pseudowire to extend the LAN, also you *could* place the RA IP pool in the local LAN, but I'm not sure if this works, haven't tested it yet.
My lab here is quite small :)
01-30-2017 07:25 AM
Yeh but RA tunnel will lose MAC right ?
The L2 extension is only during occurrences of maintenance windows.. not permanently run..
I think.. It's best to just use a jumpbox in DC.. forget the workstation needing to RA to DC. And that jumpbox in DC can have its MAC/L2 extended just fine, with the L2TPv3 over IPSEC the way you described in your blog post.. agreed ?
IOS router in DC and IOS routers in all the Locations. When maintenance is required.. L2TPv3 is built.. do the maintenance.. then drop the tunnel.
IPSEC needs to be permanent however..
Nothing wrong with that true ?
Cannot get away from L2 extension.. requirement of the hardware... remember ?
01-30-2017 07:30 AM
If you have a local pool, the interface MAC of the DC router will be the MAC for the RA session. But with this setup the DC router is not allowed to have an IP address, perhaps you need a second router acting as a gateway.
Like you described with jumpbox should work fine!
01-30-2017 07:40 AM
Yep, and the DC router is not running the software that the workstation is.. so having that MAC presented won't do anything..
Unless the router proxy-arp's on behalf of the workstation .. over the RA tunnel.. to the workstation ?
a. I don't know if that will work
b. I can't terminate RA VPN on IOS... right ?
Jump box it is .. one last confirmation from you would be handy :)
Then I'll park this thread.. :)
01-31-2017 12:10 AM
I also don't know if this works (L2TPv3 endpoint also terminating RA VPNs).
But surely, every IOS router can terminate RA VPNs (Cisco VPN, IKEv2, AnyConnect and even PPTP)
01-31-2017 12:24 AM
But surely, every IOS router can terminate RA VPNs (Cisco VPN, IKEv2, AnyConnect and even PPTP)
Whoops. My mistake.
http://www.cisco.com/c/en/us/products/collateral/routers/829-industrial-router/datasheet-c78-734981.html
Aka, the screenshot I've shown/text I've highlighted above correlates to what you mean ?
Means I just need to buy AnyConnect Plus licenses right ?
Ok, so I can RA concentrate/terminate on IOS with SSL VPN, AnyConnect by the looks of it.. But we're not sure whether L2TPv3 can be a VPN protocol on the 800 series for RA is what we're saying ?
01-31-2017 12:32 AM
AnyConnect is fine, yes. With v3 of AnyConnect you don't even need a license for the beginning, but I'm really unsure about terminating RA VPNs *AND* L2TPv3 on the same machine!
01-31-2017 12:34 AM
'Machine' being the IOS 800 series ? or you mean Microsoft Windows Workstation ?