For some organizations with many distributed remote offices (or branches, or retail outlets, such as retail chain or F&B companies), the remote networks are usually connected back to HQ network via layer 3 IP networks, either through public Internet, MPLS, or private leased-line etc. But sometimes it may be desirable to connect remote sites "seamlessly", as if the sites are directly connected via an Ethernet cable and sit in the same layer-2 Ethernet network (eg. emulated Metro-E backbone network).

There are a few options to achieve such objective. 

1. Some service providers offer Metro-Ethernet service, which can be expensive.

2. Another option is to use L2TPv3 tunneling to connect remote sites over Layer3 IP networks (eg. public Internet). This can be a very cost-effective alternative. mbox products support such feature (see more details here). 

3. However, L2TPv3 is a site-to-site tunnel that requires both end points to have static IP addresses, which may not always be feasible. For example, many small remote outlets typically subscribe to cheaper dynamic Internet lines, and they may even connect over mobile backhaul (3G/LTE), or a combination of both for redundancy. In such scenarios, running "Ethernet over SSLVPN" will offer such flexibility, using HSA together with CMG across any type of ISP networks.

To achieve "Ethernet over SSLVPN", we will use a few built-in features from mbox CMG and HSA product families:

1. SSLVPN, to allow remote sites to connect back to HQ using either static or dynamic IP lines (or even from behind a firewall). See more details.

2. Multi-WAN, to provide redundancy for ISP links. Especially HSA-500-L2 comes with dual LTE support, and we can make use of Multi-WAN for bonding and auto failover. See more on Multi-WAN, and learn how to configure Multi-WAN on HSA here.

3. Ethernet bridging, to bridge SSLVPN tap tunnels with CMG & HSA LAN interfaces, so the layer2 Ethernet networks are extended across IP SSLVPN tunnels, as if there're connected via an Ethernet cable. See more on Ethernet bridging.

In this section, we're going to use CMG and HSA to demonstrate this feature.

A few key points to NOTE:

1. SSLVPN must run in tap mode (layer 2 tunnel)

2. Only one network (or one VLAN) per VPN instance is supported. Each VPN instance/tab bridges with one Ethernet segment.

3. If you need to support multiple VLANs, eg. multiple Ethernet segments across IP, you can run multiple instances of SSLVPN on both CMG and HSA, with each tap (instance of VPN) bridged to its respective VLAN. Alternatively, you can use L2TPv3 tunnel (one tunnel trunking for multiple VLANs).

4. On CMG, assign tap and eth1 (LAN) in the same bridge group

5. On HSA, assign tap interface to br-lan bridge.

6. (optional) assign VPN tunnel pool to tap interfaces. It's not necessary to assign IP addresses to tap interfaces, since the tap interfaces are like virtual "Ethernet" cables. But optionally you may want to do that, so that you can ping the tap interfaces between HSA and CMG for connectivity tests only. 

7. (optional) configure Multi-WAN on HSA for link redundancy.

CLI CONFIG ON CMG (VPN Server)

-------------------------------------------------

CLI CONFIG ON HSA (VPN Client)

-------------------------------------------------

Step 1: configure LTE settings, configure tap interface and assign to firewall zone "lan"

Step 2: configure MWAN for link fail-over across dual LTE (more details)

Step 3: configure CLI and import VPN profile (more details)

Step 4: configure tap, lan interface, and assign both interface to lan firewall zone  (more details on similar config)

TROUBLESHOOTING COMMANDS (CMG)

-------------------------------------------------

TROUBLESHOOTING COMMANDS (HSA)

use tcpdump on tap interfaces to make sure traffic is passing through tap

You can download attached sample backup config for testing. Please remember to change SSLVPN profile to your actual CMG vpn profile.

watch it on youtube