    Site to site VPN with vLANs

    IT Discussion
Jimmy9008

      Hi folks,

I have a few switch stacks here. vLAN1/default is set to have a gateway of 172.16.0.1, which is an ASA. The box has some site-to-site VPNs set up.

From the default LAN/vLAN1, I can ping/communicate with devices on the other end of the VPN.

Interface 5 of the ASA is vLAN10, this is 10.4.0.1. Any device on that network is unable to communicate over the VPN, but the ASA is set to allow this traffic from 10.4.x.x as far as I can see...

Could it be a vLAN issue? If vLAN10 traffic is going over the VPN, does the other end need to also be set for vLAN10 to allow that on the remote LAN? Or, as it's routed, would the vLAN information in the traffic be irrelevant from the 10.4.0.1 gateway out?

      Best,
      Jim

dafyre @Jimmy9008

@Jimmy9008 said in Site to site VPN with vLANs:

Could it be a vLAN issue? If vLAN10 traffic is going over the VPN, does the other end need to also be set for vLAN10 to allow that on the remote LAN? Or, as it's routed, would the vLAN information in the traffic be irrelevant from the 10.4.0.1 gateway out?

        Does the other side of the VPN know how to get back to 10.4.0.0?

Jimmy9008 @dafyre

@dafyre said in Site to site VPN with vLANs:

Does the other side of the VPN know how to get back to 10.4.0.0?

          I'll have a look. So, the other end is 10.2.0.1, do I need to add a route in that ASA to say 10.4.x.x -> route out 10.2.x.x?

dafyre @Jimmy9008

@Jimmy9008 said in Site to site VPN with vLANs:

I'll have a look. So, the other end is 10.2.0.1, do I need to add a route in that ASA to say 10.4.x.x -> route out 10.2.x.x?

            Yeah, that'd be a good starting point. Just remember that you gotta do the opposite on the other side... 10.2.x.x -> 10.4.x.x

dbeato

You need to add the additional network, even if it is a VLAN, to the Site to Site VPN destination networks. Otherwise having rules will not make a difference.

JaredBusch

                Correct. You have to have routing to make this work.

                Every router OS implements it differently.

                Hell the EdgeRouter does it multiple ways if you need to.

                A basic IPSEC tunnel where you simply specify the local and remote subnet, one pair per tunnel (each IPSEC connection can have more than one tunnel pair). Or a more advanced vti interface where you put in specific routes.
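The point the three replies above make (the remote side must have the mirror-image subnet pair, and a firewall rule alone does nothing if the VLAN subnet is not in the tunnel's destination networks) can be checked mechanically. The script below is an added illustration, not anything posted in this thread or Cisco ASA code: it models each ASA's "interesting traffic" as a list of (local, remote) subnet pairs, exactly the per-tunnel pair model JaredBusch describes, and reports which pairs one side defines that the other side does not mirror. The subnets are constructed to match the thread's scenario (172.16.0.0/16 and 10.4.0.0/16 on the hub, 10.2.0.0/16 on the remote end); the /16 masks and the pair lists are assumptions.

```python
"""Check that both ends of a site-to-site IPsec tunnel agree on the encryption domain.

Constructed example. Each side's selectors are (local_subnet, remote_subnet) pairs,
the way a basic policy-based tunnel is defined. Traffic is only encrypted if it
matches a pair on the sending side, and the reply only comes back if the other
side has the mirror image of that pair.
"""
from ipaddress import ip_network

# Hub ASA (172.16.0.1 / 10.4.0.1 in the thread): constructed selector pairs.
# vLAN10's subnet has been added here, as the original poster believed.
HUB_PAIRS = [
    ("172.16.0.0/16", "10.2.0.0/16"),
    ("10.4.0.0/16", "10.2.0.0/16"),
]

# Remote ASA (10.2.0.1 in the thread): constructed selector pairs.
# Nobody added the mirror entry for 10.4.0.0/16 on this side.
REMOTE_PAIRS = [
    ("10.2.0.0/16", "172.16.0.0/16"),
]


def normalise(pairs):
    """Turn string pairs into a set of (IPv4Network, IPv4Network) tuples."""
    return {(ip_network(local), ip_network(remote)) for local, remote in pairs}


def mirror(pairs):
    """Swap local and remote so one side's view can be compared with the other's."""
    return {(remote, local) for local, remote in pairs}


def missing_mirrors(side_a, side_b):
    """Pairs that side_a defines but side_b does not mirror, as (a_local, a_remote)."""
    unmatched = normalise(side_a) - mirror(normalise(side_b))
    return sorted(unmatched)


def selector_matches(src, dst, pairs):
    """Would a packet src -> dst be sent into the tunnel by a side with these pairs?"""
    s, d = ip_network(src), ip_network(dst)
    return any(s.subnet_of(local) and d.subnet_of(remote)
               for local, remote in normalise(pairs))


def propose_fix(side_b, missing):
    """side_b plus the mirrored entries needed to make it symmetric (as strings)."""
    fixed = normalise(side_b) | {(remote, local) for local, remote in missing}
    return sorted((str(local), str(remote)) for local, remote in fixed)


if __name__ == "__main__":
    gaps = missing_mirrors(HUB_PAIRS, REMOTE_PAIRS)
    for local, remote in gaps:
        print(f"hub sends {local} -> {remote}, remote has no {remote} -> {local} pair")
    # The vLAN10 host reaches the tunnel outbound, but the reply never does:
    print("outbound matches:", selector_matches("10.4.0.5/32", "10.2.0.9/32", HUB_PAIRS))
    print("return matches:  ", selector_matches("10.2.0.9/32", "10.4.0.5/32", REMOTE_PAIRS))
    print("remote side should carry:", propose_fix(REMOTE_PAIRS, gaps))
```

Running it shows the asymmetry dafyre pointed at: the hub encrypts 10.4.0.0/16 to 10.2.0.0/16, but the remote side has no 10.2.0.0/16 to 10.4.0.0/16 selector, so the return path is never placed in the tunnel. The same comparison applies to a route-based (VTI) tunnel, with the pair list replaced by the static routes each side points at the VTI.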
