
VPN connection. Can I do it with a layer 3 tunnel protocol?

julianov403
Level 1

Hello All. 

 

I need to establish a VPN network, a point-to-multipoint one where there is a main router which implements the server and, through the public network, the host can connect to it.

 

Well, I thought to implement just IPsec in tunnel mode in the router, with Cisco VPN client running on the host. But what I want is that when someone configures the VPN client, setting the router public IP (that is the endpoint tunnel), the DHCP server which is running behind the router (in the main LAN) gives that host an IP, and in that way I make an extension of the LAN.

 

Is it possible to do that with IPsec in tunnel mode? Or do I need a layer 2 tunnel protocol for that, like L2TP or EoIP? Because if the DHCP server is going to give the IP (a private IP) to that remote host which is trying to establish the VPN connection, there must be ARP packet flow.

 

I'm seeing in the VPN client, in the Transport tab, there is a setting which is "Allow Local LAN Access". Is that what I mean?

 

Why don't I want to use a layer 2 tunnel protocol? Well, because there is a bigger packet size, the firewall problems, etc.

 

 

7 Replies

Hi @julianov403

Not sure if what you need actually exists already. As per your description, it looks like you need a regular Client_to_Site VPN but at the same time you need EoGRE to extend layer 2 capabilities.

 About the DHCP, this is not an issue even for a client VPN like AnyConnect. As soon as the tunnel is established, you can get DHCP from the remote site. You can get even more than DHCP (DNS, domain, etc.). But you cannot, as far as I know, extend the LAN using this process.

 EoGRE allows you to extend Layer 2 to a remote site, however, you need support for this on the remote end. If you are using a PC or server, this will not be possible.

 However, I believe that EoGRE comes closer to what you intend to

 

 

-If I helped you somehow, please, rate it as useful.-

 

 

 

 

Thank you very much for the reply. And exactly, EoGRE or L2TP are layer 2 encapsulations, but I'm not sure if I want that. If I implement those protocols, the tunnel endpoints would share layer two packets, like ARP or VLANs. But until now I haven't implemented VLANs.

 

What I need, and please note this, is that there is a LAN which has a PBX, so that an external host connected to the public network can share signaling packets, SIP, with it. So there is the need for a VPN. Also, the LAN has a DHCP server and I want the external host, which has a public IP, to get a private IP from that DHCP server, so virtually the host will be in the network. But the external host must get an IP from the DHCP server; it can't be set by the user.

 

So, basically you are talking about a VoIP network? You have a PBX on the LAN network with a DHCP server and you want the phones to join the PBX and get an IP address from the DHCP?

 

Yes, I want the remote softphones which are connected to the public network (not in the LAN) to get a private IP from a DHCP server which is in the LAN and to establish an encrypted tunnel. As it's encrypted I will have to use IPsec. But I'm not sure if with IPsec in tunnel mode the remote host can get a private IP, which will be in the inner IP header, after the ESP header. In the external IP header will be the public IPs.

I think this is possible. Although I don't know which PBX you are intending to use, I'd go with pure Asterisk and a snom hardware IP phone which has a built-in OpenVPN on it.

You can take a look here for your reference.

http://wiki.snom.com/Networking/Virtual_Private_Network_(VPN)#VPN_and_Debian

-If I helped you somehow, please, rate it as useful.-

 

But if the VPN is implemented on the PBX it will be just for the signaling packets, not for the RTP packets.

Where did you hear that? As long as an IP phone is able to establish an IPsec tunnel, this is supposed to carry any traffic to permit voice communication.

 On the PBX side it is the same. I don't see any issue with it and, as far as I know Asterisk, it is possible for sure.

 

-If I helped you somehow, please, rate it as useful.-
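
The packet layout asked about earlier in the thread (private addresses in the inner IP header after the ESP header, public addresses in the outer header) and the per-packet size cost, as an added example that is not part of the original thread. All addresses, the SPI and the key are constructed; NULL encryption (RFC 2410) with an HMAC-SHA-256-128 ICV is an assumption chosen so the bytes stay readable, whereas a real tunnel would also encrypt the inner packet and trailer.

```python
import hashlib, hmac, ipaddress, struct

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:                                  # fold carries (one's complement sum)
        s = (s & 0xFFFF) + (s >> 16)
    return hdr[:10] + struct.pack("!H", ~s & 0xFFFF) + hdr[12:]

def esp_tunnel_encap(inner, outer_src, outer_dst, spi, seq, auth_key):
    """Wrap a whole IP packet in ESP tunnel mode (NULL encryption, for readability)."""
    pad_len = -(len(inner) + 2) % 4                 # trailer must end on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, 4])  # next header 4 = IPv4
    esp = struct.pack("!II", spi, seq) + inner + trailer
    icv = hmac.new(auth_key, esp, hashlib.sha256).digest()[:16]   # HMAC-SHA-256-128
    return ipv4_header(outer_src, outer_dst, 50, len(esp) + 16) + esp + icv

def esp_tunnel_decap(packet, auth_key):
    """Verify the ICV, strip outer header and ESP, return both address pairs."""
    if packet[9] != 50:
        raise ValueError("outer protocol is not ESP (50)")
    esp, icv = packet[20:-16], packet[-16:]
    good = hmac.new(auth_key, esp, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, good):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    pad_len, next_hdr = esp[-2], esp[-1]
    if next_hdr != 4:
        raise ValueError("not tunnel mode: next header is not IPv4-in-IP")
    inner = esp[8:len(esp) - 2 - pad_len]
    addr = lambda b: str(ipaddress.IPv4Address(b))
    return {"outer": (addr(packet[12:16]), addr(packet[16:20])),   # seen on the Internet
            "inner": (addr(inner[12:16]), addr(inner[16:20])),     # seen on the LAN
            "inner_packet": inner, "overhead": len(packet) - len(inner)}

# Constructed sample: softphone holding private 192.168.10.57, PBX at 192.168.10.10.
SIP = b"REGISTER sip:pbx.example SIP/2.0\r\n"
UDP = struct.pack("!HHHH", 5060, 5060, 8 + len(SIP), 0) + SIP
INNER = ipv4_header("192.168.10.57", "192.168.10.10", 17, len(UDP)) + UDP
KEY = hashlib.sha256(b"constructed demo key").digest()
PACKET = esp_tunnel_encap(INNER, "203.0.113.25", "198.51.100.1", 0x1000, 1, KEY)

if __name__ == "__main__":
    print(esp_tunnel_decap(PACKET, KEY))
```
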