Ethernet over VPN

For organizations with many distributed remote offices (branches or retail outlets, such as retail chains or F&B companies), the remote networks are usually connected back to the HQ network over layer 3 IP networks, whether the public Internet, MPLS, or private leased lines. But sometimes it is desirable to connect the remote sites "seamlessly", as if they were directly connected by an Ethernet cable and sat in the same layer-2 Ethernet network (e.g. an emulated Metro-E backbone network).

There are a few options to achieve this.

  1. Some service providers offer a Metro-Ethernet service, which can be expensive.
  2. Another option is to use L2TPv3 tunneling to connect remote sites over layer 3 IP networks (e.g. the public Internet). This can be a very cost-effective alternative. mbox products support this feature (see more details here).
  3. However, L2TPv3 is a site-to-site tunnel that requires both end points to have static IP addresses, which is not always feasible. For example, many small remote outlets subscribe to cheaper dynamic Internet lines, and they may even connect over mobile backhaul (3G/LTE), or a combination of both for redundancy. In such scenarios, running "Ethernet over SSLVPN" offers that flexibility, using HSA together with CMG across any type of ISP network.

To achieve "Ethernet over SSLVPN", we will use a few built-in features from mbox CMG and HSA product families:

  1. SSLVPN, to allow remote sites to connect back to HQ over either static or dynamic IP lines (or even from behind a firewall). See more details.
  2. Multi-WAN, to provide redundancy across ISP links. In particular, the HSA-500-L2 comes with dual LTE support, and Multi-WAN can be used for bonding and auto failover. See more on Multi-WAN, and learn how to configure Multi-WAN on HSA here.
  3. Ethernet bridging, to bridge the SSLVPN tap tunnels with the CMG and HSA LAN interfaces, so that the layer-2 Ethernet networks are extended across the IP SSLVPN tunnels, as if they were connected by an Ethernet cable. See more on Ethernet bridging.

In this section, we're going to use CMG and HSA to demonstrate this feature.

A few key points to NOTE:

  1. SSLVPN must run in tap mode (layer 2 tunnel).
  2. Only one network (or one VLAN) per VPN instance is supported. Each VPN instance/tap bridges with one Ethernet segment.
  3. If you need to support multiple VLANs, i.e. multiple Ethernet segments across IP, you can run multiple instances of SSLVPN on both CMG and HSA, with each tap (VPN instance) bridged to its respective VLAN. Alternatively, you can use an L2TPv3 tunnel (one tunnel trunking multiple VLANs).
  4. On CMG, assign the tap and eth1 (LAN) to the same bridge group.
  5. On HSA, assign the tap interface to the br-lan bridge.
  6. (optional) Assign a VPN tunnel pool to the tap interfaces. It is not necessary to assign IP addresses to the tap interfaces, since they act like virtual "Ethernet" cables. Optionally you may do so anyway, so that you can ping the tap interfaces between HSA and CMG for connectivity tests only.
  7. (optional) Configure Multi-WAN on HSA for link redundancy.

CLI CONFIG ON CMG (VPN Server)

-------------------------------------------------

!
hostname CMG
!
interface eth0
 description "to WAN/Internet"
 enable
 ip address 118.189.158.3/29
!
interface eth1
 enable
 bridge-group 0
!
interface eth2
 enable
 bridge-group 0
!
interface bridge 0
 description "to LAN"
 enable
 ip address 10.1.1.254/24
!
ip dhcp-server start
!
ip default-gateway 118.189.158.1
!
security sslvpn-server 1
 server address 118.189.15.3 1443
 server tap-mode
 tap bridge-group 0
 client ethernet-sslvpn
 start
!
firewall-input 010 permit all tcp dport 1443 remark "SSLVPN port"
!
firewall-access 10 permit all src 10.0.0.0/8
firewall-access 10 permit all dst 10.0.0.0/8
!

CLI CONFIG ON HSA (VPN Client)

-------------------------------------------------

Step 1: configure the LTE settings, configure the tap interface and assign it to the firewall zone "lan"

Step 2: configure MWAN for link fail-over across dual LTE (more details)

Step 3: configure CLI and import VPN profile (more details)

----------
!
hostname HSA
!
security sslvpn-client 1
 tap bridge-group br-lan
 start
!
----------

Step 4: configure the tap and lan interfaces, and assign both interfaces to the lan firewall zone (more details on a similar config)

TROUBLESHOOTING COMMANDS (CMG)

-------------------------------------------------

CMG-ISP# show security sslvpn-server status 1
Info: SSLVPN server 1 is running.
CMG-ISP#
CMG-ISP# show services tcp include 1443
tcp 0 0 0.0.0.0:1443 0.0.0.0:* LISTEN    <--check VPN service port is up
CMG-ISP#
CMG-ISP# show ip interface brief
Interface   IP_Address        NetMask           Broadcast         MAC_Address
--------------------------------------------------------------------------------
br0         10.1.1.254        255.255.255.0     10.1.1.255        00:90:0B:34:B4:7F
eth0        118.189.158.34    255.255.255.0     118.189.158.255   00:90:0B:34:B4:7E
eth1        NON-IP            NON-IP            NON-IP            00:90:0B:34:B4:7F
eth2        NON-IP            NON-IP            NON-IP            00:90:0B:34:B4:80
eth3        192.168.199.1     255.255.255.0     192.168.199.255   00:90:0B:34:B4:81
lo          127.0.0.1         255.0.0.0         0.0.0.0           00:00:00:00:00:00
tap1        NON-IP            NON-IP            NON-IP            06:B6:B4:A2:15:B5    <--check tap1 is created
CMG-ISP#
CMG-ISP# show interface bridge br0
bridge name     bridge id               STP enabled     interfaces
br0             8000.00900b34b47f       no              eth1
                                                        eth2
                                                        tap1    <--check tap1 is part of bridge with LAN ports
CMG-ISP#

TROUBLESHOOTING COMMANDS (HSA)

-------------------------------------------------

mbox# show interface
......
22: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 1c:40:e8:04:38:38 brd ff:ff:ff:ff:ff:ff
23: 3g-lte0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 3
    link/ppp
24: 3g-lte1: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN mode DEFAULT group default qlen 3
    link/ppp
25: tap1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 100
    link/ether 0a:07:60:16:52:92 brd ff:ff:ff:ff:ff:ff
mbox#
mbox# show interface bridge br-lan
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.1c40e8043838       no              eth1
                                                        tap1    <--check tap1 is part of bridge with LAN ports
mbox#

Use tcpdump on the tap interfaces to confirm that traffic is actually passing through the tap.
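The two checks above (tap is a member of the LAN bridge, tap is up) can be scripted so that they are repeatable after a reboot or a failover. The POSIX sh script below is an added example and is not part of the mbox documentation or product; it assumes the HSA/CMG "show interface bridge" and "show interface" outputs come from the usual Linux brctl and ip tools (an assumption, since the page shows only the appliance commands), and the SAMPLE_BRIDGE and SAMPLE_LINKS strings are constructed to mirror the page's troubleshooting output, with an extra br-guest bridge added to show that membership is checked per bridge.

```shell
#!/bin/sh
# Added example (not from the mbox documentation): verify that a tap interface
# is bridged with the LAN ports and is administratively UP, by parsing
# "brctl show"-style and "ip link"-style output. Assumption: the appliance
# "show interface bridge" / "show interface" commands wrap brctl and ip.

# Constructed sample output, modelled on the page's HSA troubleshooting output.
SAMPLE_BRIDGE='bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.1c40e8043838       no              eth1
                                                        tap1
br-guest        7fff.1c40e8043839       no              eth2'

SAMPLE_LINKS='22: br-lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default
    link/ether 1c:40:e8:04:38:38 brd ff:ff:ff:ff:ff:ff
25: tap1: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 100
    link/ether 0a:07:60:16:52:92 brd ff:ff:ff:ff:ff:ff'

# bridge_members OUTPUT BRIDGE: print the member ports of BRIDGE, one per line.
# brctl prints the first port on the bridge's own line and further ports on
# continuation lines that carry only the port name.
bridge_members() {
    printf '%s\n' "$1" | awk -v br="$2" '
        NR == 1 { next }                                   # header line
        NF >= 3 { inbr = ($1 == br); if (inbr) for (i = 4; i <= NF; i++) print $i; next }
        NF == 1 && inbr { print $1 }'
}

# bridge_has_member OUTPUT BRIDGE IFACE: exit 0 if IFACE is a port of BRIDGE.
bridge_has_member() {
    bridge_members "$1" "$2" | grep -qx "$3"
}

# link_flags OUTPUT IFACE: print the <...> flag set of IFACE from "ip link" output.
link_flags() {
    printf '%s\n' "$1" | awk -v ifc="$2" '$2 == (ifc ":") { print $3 }'
}

# link_is_up OUTPUT IFACE: exit 0 if the interface carries the UP flag
# (exact match, so LOWER_UP alone does not count).
link_is_up() {
    link_flags "$1" "$2" | tr -d '<>' | tr ',' '\n' | grep -qx UP
}

# check_tap BRIDGE IFACE: run both checks against the live box.
check_tap() {
    rc=0
    bridge_out=$(brctl show "$1" 2>/dev/null) || { echo "brctl show $1 failed"; return 2; }
    link_out=$(ip link show 2>/dev/null) || { echo "ip link show failed"; return 2; }
    if bridge_has_member "$bridge_out" "$1" "$2"; then
        echo "OK: $2 is a member of $1"
    else
        echo "FAIL: $2 is not a member of $1"; rc=1
    fi
    if link_is_up "$link_out" "$2"; then
        echo "OK: $2 is UP"
    else
        echo "FAIL: $2 is not UP (has the SSLVPN client started?)"; rc=1
    fi
    return $rc
}

# capture_tap IFACE [COUNT]: watch a few frames on the tap to confirm that
# layer-2 traffic (ARP, ICMP) really crosses the tunnel.
capture_tap() {
    tcpdump -ni "$1" -c "${2:-10}" 'arp or icmp'
}

# Usage on a live box: ./check_tap.sh --live br-lan tap1
if [ "${1:-}" = "--live" ]; then
    check_tap "${2:-br-lan}" "${3:-tap1}"
fi
```

Run against the page's own HSA sample, the bridge check passes but the link check fails, because that output shows tap1 in state DOWN; on a live box the tap comes up once the SSLVPN client has opened it, so a persistent FAIL on the second check points at the client, not at the bridge configuration.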

You can download the attached sample backup config for testing. Remember to change the SSLVPN profile to your actual CMG VPN profile.

watch it on youtube