Creating an L3 VPN, but in an L2 environment

amalitol81
Level 1

Guys,

 

I have a challenge that I consider interesting, at least for me.

I have 2 FWs connected through an L2 network. This L2 network is shared by our Campus and the DR site and uses a third-party provider between these two sites. The thing is that we want to encrypt the inbound/outbound data between these two sites. We are talking about a 10G link.

I know we can use an Ethernet encryptor device. But that means spending some extra cash.

Creating an IPsec VPN between the two sites could be considered, but that sounds weird to me. Maybe that could be a possibility, and I don't see any technical inconvenience in this configuration. But I would like to know, guys, if somebody has had the same issue, and what the pros and cons are.

 

Thank you in advance to all you guys,

 

The diagram is attached.

 

 

 


6 Replies

balaji.bandi
Hall of Fame

What switches are these? Check the model and see if they support MACsec.

BB


It's an interesting topic, but MACsec will entail the configuration of a RADIUS server and 802.1X on each switch, unless you use "cts manual" on each interface of the link between the two sites.

 

To allow that I will need some sort of module/license from Cisco. In my case I have an N9K on one site and an HPE on the other site. What if MACsec is not possible?

 

Thank you,

 

Hi,

MACsec is an IEEE standard, not Cisco proprietary, so you could check your model of HPE hardware to see if it supports it. 802.1X and RADIUS, I believe, should not be required.

 

Alternatively, you could use L2TP over IPsec; example here.

 

HTH
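As an added illustration of the point that MACsec does not need 802.1X or RADIUS, and not part of the original thread: a constructed NX-OS configuration that brings up MACsec on the inter-site link using MKA with a pre-shared CAK. The keychain and policy names (KC-DR, P-DR), the interface (Ethernet1/49), the key ID and the key value are placeholders I chose; the HPE side needs the equivalent in its own syntax with the same CKN (key ID) and CAK. Verify every command against the MACsec chapter of the configuration guide for your N9K release, since availability depends on platform and licence.

```text
! Constructed example (not from the thread). NX-OS syntax as I know it;
! check it against the configuration guide for your release.
feature macsec

! Pre-shared CAK: the key ID is the CKN, the octet string is the CAK.
! 64 hex digits for AES_256_CMAC. Generate a random value; do not reuse
! this placeholder. The peer must be configured with the same CKN/CAK.
key chain KC-DR macsec
  key 1000
    key-octet-string <64-HEX-DIGIT-RANDOM-CAK-PLACEHOLDER> cryptographic-algorithm AES_256_CMAC

! Policy: 256-bit GCM with extended packet numbering (XPN) suits a 10G
! link, where a 32-bit PN would wrap quickly and force frequent SAK
! rekeys. must-secure fails closed: if MKA does not come up with the
! peer, the port passes no data frames rather than falling back to
! cleartext. Use should-secure only while first testing the link.
macsec policy P-DR
  cipher-suite GCM-AES-XPN-256
  key-server-priority 0
  security-policy must-secure
  sak-expiry-time 60

! Apply on the physical port facing the third-party L2 provider.
interface Ethernet1/49
  description Link to DR site via provider L2 service
  macsec keychain KC-DR policy P-DR
```

After both ends are configured, confirm the MKA session is up and the port is secured with `show macsec mka session` and `show macsec mka statistics`; a session stuck in "init" or "pending" usually means the CKN/CAK or cipher suite does not match on the peer. Note that MACsec protects hop-by-hop on this link only, so the provider must hand the frames through transparently; if the provider's equipment terminates or rewrites the Ethernet frames, MKA will not form and this approach does not apply.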

Interesting solution.

But here I don't know how to demonstrate that it's not technically possible to create the VPN between the two firewalls in an L2 environment. I know it is a matter of concept. But how can I explain that, if I could go to the FWs and physically create the VPN between them? They want the IPsec VPN.

Guys, I just realized.

This is not possible, even though you can move forward in the VPN configuration wizard (I clicked the final button of the wizard).

If I create a VPN over an L2 path between two hosts, it is kind of like creating another interface over the L3 interface that is already on it. Traffic that should go through the VPN will never take that path. There is an ARP table before that. So, that would never work!!!

That was the explanation I needed. 

 

I will consider MACsec or L2TPv3. Thank you guys!!!

I have an L3 site-to-site VPN between Corp and a Branch office: ASA 5508x on one end and FTD 2130 on the other. This works and allows all Branch site traffic to traverse the Corp network through the use of policies. This is a pretty simple solution and works well as long as the links are up.
