VPN – How to Propagate VLAN Through IPsec VPN?

Tags: cisco, ieee-802.1x, ipsec, vlan, vpn

I have a question about connecting two LANs (logically the same LAN) over a VPN.
In the picture below you can see an overall representation of our implementation.

Description:

On each side, we have distinct sites with AAA servers (both servers share the same base). We have 2 VLANs: one for normal users (who can pass authentication) and one for guests.

Guests can only get to the Internet. Normal users can get to the Internet and, if needed, connect to co-workers at the other site.

So, an IPsec + NAT configuration should work well.

The main problem is that outgoing IPsec packets from one router will be "stripped" on the site side of the other router. How, in this situation, do we put this packet in VLAN 10 (for normal users) if we lose the VLAN tag information?

I hope I was clear in description of problem.

In short: how do we put packets coming from IPsec into VLAN 10 (for normal users), or is there any way to propagate a VLAN?


Best Answer

VLANs are layer-2 domains, and they end at a layer-3 boundary (router). A layer-2 frame is stripped from the layer-3 packet at the first router it encounters. When the layer-3 packet reaches the second router, a new layer-2 frame will encapsulate the packet for the VLAN of the destination subnet.
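The practical consequence of the answer above is that the tunnel never needs to carry the VLAN tag: the crypto ACL selects traffic by the VLAN 10 subnets, and on the far side the destination IP address alone decides which subinterface (and therefore which VLAN tag) the decrypted packet leaves on. The following Cisco IOS configuration for the site A router is an added example and is not taken from the question or the answer. It assumes hypothetical addressing: site A VLAN 10 is 10.1.10.0/24 and VLAN 20 (guests) is 10.1.20.0/24, site B VLAN 10 is 10.2.10.0/24, the WAN addresses are 198.51.100.1 (site A) and 203.0.113.1 (site B), and the pre-shared key is a placeholder you must replace. Site B mirrors it with the subnets and peer address swapped.

```cisco
! Site A router (added example, hypothetical addressing, not from the original post)
! VLAN 10 = normal users, VLAN 20 = guests; each VLAN is a separate IP subnet,
! because the router is the layer-3 boundary where the 802.1Q tag is removed.
interface GigabitEthernet0/1.10
 description VLAN 10 - authenticated users
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/1.20
 description VLAN 20 - guests (Internet only)
 encapsulation dot1Q 20
 ip address 10.1.20.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/0
 description WAN to Internet
 ip address 198.51.100.1 255.255.255.252
 ip nat outside
 crypto map SITE-TO-SITE
!
! IKE phase 1 (replace <pre-shared-key> with a real secret)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <pre-shared-key> address 203.0.113.1
!
! IPsec phase 2
crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! "Interesting" traffic: only VLAN 10 <-> remote VLAN 10. Guest traffic
! (10.1.20.0/24) never matches, so guests cannot reach the other site.
ip access-list extended CRYPTO-ACL
 permit ip 10.1.10.0 0.0.0.255 10.2.10.0 0.0.0.255
!
crypto map SITE-TO-SITE 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set AES256-SHA256
 match address CRYPTO-ACL
!
! NAT exemption: traffic bound for the tunnel keeps its private addresses,
! everything else from both VLANs is PAT'ed to the WAN address.
ip access-list extended NAT-ACL
 deny   ip 10.1.10.0 0.0.0.255 10.2.10.0 0.0.0.255
 permit ip 10.1.10.0 0.0.0.255 any
 permit ip 10.1.20.0 0.0.0.255 any
ip nat inside source list NAT-ACL interface GigabitEthernet0/0 overload
!
! Default route out the WAN: 10.2.10.0/24 is reached through the crypto map,
! Internet traffic is NATed. No route to the remote VLAN is tagged or tunnelled
! at layer 2; it is plain IP routing.
ip route 0.0.0.0 0.0.0.0 198.51.100.2
```

When a host in site B VLAN 10 sends to 10.1.10.50, the site A router decrypts the ESP packet on GigabitEthernet0/0, looks up 10.1.10.0/24 in its routing table, and forwards the packet out GigabitEthernet0/1.10, building a new Ethernet frame with dot1Q tag 10. The tag is reconstructed from the destination subnet, not carried across the VPN. Two checks worth doing after applying this: `show crypto ipsec sa` should show encaps/decaps counters rising only for the VLAN 10 pair, and a guest host should be able to reach the Internet but get no reply from 10.2.10.0/24.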