VPN for trunked traffic (is it possible?): Detailed question

breakbreak Posts: 20 Member
I have a very specific question about whether or not this method of configuration is possible, and if so, where I should start. My intention is to connect two 5505 ASAs as though they are part of the same network. Diagrams:

Below is what I know how to do:

[diagram: 30shlap.jpg]

This is how I intend to set it up:

[diagram: 5dtiys.jpg]

Where "trunk that I would like..." means traffic that is VLAN tagged being transported and then coming out the other side and going to the correct VLAN.

Basically I'm not sure how to do this. I have subnets set up for the VLANs but I'm not sure how to VPN between the sites. I was thinking I'd do something like:

10.0.0.1 /30 on one side
10.0.0.2 /30 on the other side

Say I have 10.1.0.0 /16 for VLAN 1 and 10.2.0.0 /16 for VLAN 2. I'm trying to figure out how I can make example device 1 (10.2.0.1 /16) talk with example device 2 (10.2.0.2 /16) on the other side.

ASA1:

! ASA 5505 (pre-8.4 syntax): Ethernet0/1 is a switch port, so the routed
! WAN address lives on a VLAN interface and the port is assigned to it.
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.1 255.255.255.252
!
interface Ethernet0/1
 switchport access vlan 2
!
! ASA binds ACLs with access-group (IOS "ip access-group" does not exist here)
access-group xx in interface outside
access-group yy out interface outside
!
! crypto ACL: this site's LANs to the far site's LANs (mirrored on ASA2)
object-group network LOCAL-LAN
 network-object xxxx
object-group network REMOTE-LAN
 network-object xxxx
access-list Outside_cryptomap extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
crypto map Outside_map1 1 match address Outside_cryptomap
crypto map Outside_map1 1 set pfs group5
crypto map Outside_map1 1 set peer 10.0.0.2
crypto map Outside_map1 1 set transform-set ESP-AES-256-SHA
! the crypto map does nothing until it is applied to the outside interface
crypto map Outside_map1 interface outside
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! pre-shared key for the ASA2 peer (placeholder value)
tunnel-group 10.0.0.2 type ipsec-l2l
tunnel-group 10.0.0.2 ipsec-attributes
 pre-shared-key xxxx
!
! default route points at the far end of the /30, not at this ASA's own address
route outside 0.0.0.0 0.0.0.0 10.0.0.2

ASA2:

! mirror of ASA1: WAN address on a VLAN interface, Ethernet0/2 assigned to it
interface Vlan2
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.252
!
interface Ethernet0/2
 switchport access vlan 2
!
access-group xx in interface outside
access-group yy out interface outside
!
! crypto ACL: this site's LANs to ASA1's LANs (the reverse of ASA1's entry)
object-group network LOCAL-LAN
 network-object xxxx
object-group network REMOTE-LAN
 network-object xxxx
access-list Outside_cryptomap extended permit ip object-group LOCAL-LAN object-group REMOTE-LAN
!
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
!
crypto map Outside_map1 1 match address Outside_cryptomap
crypto map Outside_map1 1 set pfs group5
crypto map Outside_map1 1 set peer 10.0.0.1
crypto map Outside_map1 1 set transform-set ESP-AES-256-SHA
crypto map Outside_map1 interface outside
!
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
!
! pre-shared key for the ASA1 peer (placeholder value, must match ASA1)
tunnel-group 10.0.0.1 type ipsec-l2l
tunnel-group 10.0.0.1 ipsec-attributes
 pre-shared-key xxxx
!
! default route points at ASA1's end of the /30
route outside 0.0.0.0 0.0.0.0 10.0.0.1
Does this seem like I'm headed in the right direction?

Comments

  • Jackace Posts: 335 Member
    From what you have said, I take it you want VLANs on one side of the network to match up with VLANs on the other side of the network and everything to appear as a flat layer 2 network; is this correct? If so, an IPSec VPN is not what you want to use. IPSec VPNs are used to tunnel layer 3 traffic (network to network), and VLANs are layer 2. If you want to tunnel VLANs you will have to look into things like L2TP, MPLS L2VPNs, and, if you have the gear for it, OTV.

    One of the problems I see on your diagram is that you have the connections from the layer 3 switches to the ASA 5505s as routed. If that is truly a layer 3 connection, then nothing you do on the ASA will pass the VLAN information from one side of the network to the other, because the layer 3 switch is not passing that information to the ASA on the routed connection. The second problem I see is that the ASA doesn't support any of the technologies I listed above.

    IMO, with your hardware, you are better off just doing a normal IPSec VPN. Unless you have some application or specific need for end-to-end VLANs, that would be my recommendation. If you truly need end-to-end layer 2, then you will have to look at different hardware.
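The distinction drawn in this answer has a concrete consequence for the configuration in the question: a layer 3 IPsec tunnel only works when each site owns its own prefixes and the two crypto ACLs mirror each other, and the "10.2.0.0/16 at both sites" design fails because hosts on a shared subnet never send traffic to the gateway in the first place. The checker below is an added example written for this thread, not code from either poster; it parses ASA `extended permit ip NET MASK NET MASK` lines (the object-group form from the question is assumed to have been expanded), verifies that the two sites' ACLs are mirrors, and flags source networks that overlap across sites. The three sample configs are constructed for the example.

```python
"""
Added illustration of the point made in the thread: an IPsec site-to-site
tunnel carries routed traffic, so the two sites must own distinct subnets
and the crypto ACLs must mirror each other.  Parses only the expanded ASA
"extended permit ip SRC SMASK DST DMASK" form (an assumption for this example).
"""
import ipaddress
import re

# ASA access control entry: access-list NAME extended permit ip SRC SMASK DST DMASK
_ACE = re.compile(
    r"access-list\s+\S+\s+extended\s+permit\s+ip\s+"
    r"(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$"
)


def parse_crypto_acl(config):
    """Return (src_network, dst_network) pairs from the crypto ACL lines."""
    pairs = []
    for line in config.splitlines():
        m = _ACE.match(line.strip())
        if m:
            src, smask, dst, dmask = m.groups()
            # ipaddress accepts dotted netmasks, e.g. "10.1.0.0/255.255.0.0"
            pairs.append((ipaddress.ip_network(f"{src}/{smask}"),
                          ipaddress.ip_network(f"{dst}/{dmask}")))
    return pairs


def acls_mirror(local, remote):
    """True when every local (src, dst) appears on the remote side as (dst, src)."""
    return {(d, s) for s, d in local} == set(remote)


def overlapping_networks(local, remote):
    """Local and remote source networks that overlap.  Hosts in such a pair
    believe they share a subnet and ARP for each other instead of routing,
    so their traffic never reaches the layer 3 tunnel."""
    local_src = {s for s, _ in local}
    remote_src = {s for s, _ in remote}
    return sorted((a, b) for a in local_src for b in remote_src if a.overlaps(b))


def check_design(config_a, config_b):
    """Summarise both checks for a pair of site configurations."""
    a, b = parse_crypto_acl(config_a), parse_crypto_acl(config_b)
    mirrored = acls_mirror(a, b)
    overlaps = [(str(x), str(y)) for x, y in overlapping_networks(a, b)]
    return {"mirrored": mirrored, "overlaps": overlaps, "ok": mirrored and not overlaps}


# Constructed sample configs.  Routed design: site A owns 10.1.0.0/16 and
# site B owns 10.2.0.0/16, each ACL naming local-to-remote.
ROUTED_A = """
access-list Outside_cryptomap extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
"""
ROUTED_B = """
access-list Outside_cryptomap extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
"""

# The design from the question: 10.2.0.0/16 is "vlan 2" at both sites.
FLAT_A = """
access-list Outside_cryptomap extended permit ip 10.2.0.0 255.255.0.0 10.2.0.0 255.255.0.0
"""
FLAT_B = FLAT_A

# Mirror mistake: site B names a /24 where site A advertised a /16.
MISMATCH_B = """
access-list Outside_cryptomap extended permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.255.0
"""

if __name__ == "__main__":
    for name, a, b in (("routed", ROUTED_A, ROUTED_B),
                       ("flat", FLAT_A, FLAT_B),
                       ("mismatch", ROUTED_A, MISMATCH_B)):
        print(name, check_design(a, b))
```

The flat case passes the mirror test (an ACE from a network to itself is its own mirror) yet is still rejected, which is exactly the trap in the original design: nothing in the crypto configuration is wrong, the addressing is.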