HELP: Possible to do LAN bridging over IPSEC VPN (using ADSL)?

Hello all,

Let me start right off by stating that I am no Cisco internetworking
expert so please forgive my ignorance and feel free to point out the
error of my ways ...

We have a remote DR site that in an emergency situation we want to LAN
bridge to using an IPSEC VPN over ADSL links at either end. Proposed
hardware is Cisco 1720 one end and a 2500(?) the other end (with all
Ethernet interfaces), with external ADSL modems at either end also,
although as I understand it there is an ADSL WIC card that would allow
a direct ADSL connection to the routers (is there any benefit?).

I'm relatively confident of setting up the IPSEC tunnel (done it on
non-Cisco kit) but as for the transparent LAN bridging then I'm into
the unknown. From what I've read you can group interfaces into
bridge groups, and this seems all well and good, but leads me to ask
would an IPSEC VPN present itself as an 'interface' that can be used
in a bridge group? If it does then am I home-free?

I realise that setting up 2 seperate routable networks at either end
would be another solution, but that would be a major headache - with a
LAN bridge then the transition to the DR site would be seamless.

All help and guidance gratefully received.

Jason

 

Bad thing is, it doesn't. On Cisco gear, IPsec is established using
crypto maps and access lists, there is no interface-style configuration
for it. It's arguable whether this is a good idea or not, but it is to
some extend what IPsec was actually thought to be originally - a trans-
parent layer *within* IP. As IPsec is only tunneling IP, it cannot
constitute a full featured *L2* interface anyway (as you would need for
bridging).

The obvious solution is to establish any kind of tunnel that is able
to work on top of IP (like GRE or L2TP or something like that) *through*
the VPN. If the tunnel is able to do transparent bridging (I'm not sure
with GRE, but L2TP is based on PPP which has a BridgeCP), you have it.

 

Well, I guess the real question is why? What is wrong with a standard vpn
tunnel and routing? Do you need broadcasts for some reason?

Anyway, I think the answer to your question is that it depends how you set
it up. There are different was to create a vpn tunnel on cisco. Rather
than creating a crypto map and applying it to an interface, you can create a
tunnel interface and apply an ipsec profile to it. Do a search on Cisco for
mGRE. It is a newer method of creating dynamic gre networks and it works
well. That would give you the interface that you need. I'm weak on LAN
bridging too, so not much help there. But, hopefully I helped with the
interface part of it.

Jim

 

Andre - thanks for clarify that in my mind - after I wrote this I
realised that there was inherently a problem with using IPSec (Layer
3) to do LAN bridging (layer 2) ...

Good solution - had a look at GRE; as you say, not sure it can be
done. L2TP sounds like the way to go ... any pointers on how to
configure it under IOS?

Jason Dinsdale

 

I've never done anything remotely like that, so I can't plug in much hints
here. In such cases, I'm usually doing two things:

1) Go www.cisco.com, enter the terms in question at the search prompt,
and scan/read a bit through what comes out, collecting buzzwords and
trying to get a scheme.
2) Go to Products/IOS Software/Release 12.x/Config Guides/... and look
for the guide that most likely will have it. Print and have a nice
read...

Sometimes you're the lucky one, finding a TAC approved recipe for exactly
what you were searching instantly upon 1). Just give it a try.

 

I was hoping of course that you might just be able to throw something
out 'off the top of you head' so to speak! Thanks for the help in
sanity-checking what I'm trying to do - much appreciated.

Jason