Is it possible to extend the local VLANs to a remote site connected by IPsec VPN?
No, by definition. IPsec is an IP-level security tunnel. VLANs are Ethernet-level.
Can we have many VPN tunnels between the ASAs?
Yes. This is a maintenance nightmare if it gets too much and is not automated in management, but it is possible.
If not, are any other options/combinations available?
If you put up an Ethernet tunnel between them - not sure this is possible - you can then use the "normal" VLAN packets.
http://www.cisco.com/en/US/docs/ios-xml/ios/interface/configuration/xe-3s/ir-eogre.html
has some information, though I am not sure this works on the 1841. But this would allow you to basically send Ethernet frames with VLAN information embedded.
Alternatively a multi routing table setup may work - depends on WHY you have VLANs in the first place. Or something based on MPLS - VPLS. The 1841 does not talk that one though.
More professional routers may allow something like NVGRE for that purpose. Well, not exactly professional - but the 1841 is more an edge level router, not something to use in the core.
It seems that the 1841 can do VPLS - that would work best then. Requires you to configure an MPLS setup.
The main problem in answering is that a lot of the choices depend on what you actually try to do from a business point of view and how much control you have over the routers at each endpoint.
I had this same situation and fixed it by adding the policy from the SSL.vpn interface to the IPsec tunnel interface and then from the IPsec tunnel interface back to the SSL.vpn interface. The issue is what interfaces the traffic is allowed on. It will not hairpin to an interface that is not defined in a policy.
Best Answer
You need to configure two phase 1s (and two phase 2s), one for each WAN interface on your 200B. On the secondary/backup tunnel, configure "monitor", as described in the Fortigate cookbook. Reasoning is also there... to summarize, this allows a tunnel to monitor another tunnel and bring itself up when the other tunnel goes down (dead peer detection must also be enabled). You might want to set the monitor-hold-delay to something fairly high, to allow you to follow up with your primary ISP and make sure that primary connection isn't flapping. You can be alerted of the change by configuring email alerting, snmptrap monitoring, or use something like Gateway IP Monitor (I actually have all three configured).
Also, consider your routing needs. Are both interfaces configured via DHCP or PPPoE (but with static addresses)? Do you have ECMP and static routes?
I want to also make the suggestion of creating DNS failover, if you have an internal DNS server. I've covered this in a blog post.
If you ever need to NAT your IPsec packets themselves (to an address other than that bound to the egress interface):
Sorry to include this extra bit of info, but I had a hell of a time figuring it out.
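As an added illustration of the redundant-tunnel setup the Best Answer describes (two phase 1s, one per WAN port, with the backup tunnel monitoring the primary), here is a FortiOS CLI sketch. It is not from the original answer or the Fortigate cookbook; tunnel names, subnets, the peer address and timer values are constructed, the pre-shared keys are placeholders, and the exact monitor hold-down key names should be checked against your FortiOS version.

```fortios
# Added example, not from the original post. Two IPsec tunnels to the same remote
# peer; "hq-backup" stays down while "hq-primary" is healthy.
config vpn ipsec phase1-interface
    edit "hq-primary"
        set interface "wan1"             # primary ISP
        set remote-gw 203.0.113.10       # constructed peer address
        set dpd on-idle                  # DPD is required for monitor to see a dead peer
        set dpd-retrycount 3
        set dpd-retryinterval 5
        set psksecret <primary-psk-placeholder>
    next
    edit "hq-backup"
        set interface "wan2"             # backup ISP
        set remote-gw 203.0.113.10
        set dpd on-idle
        set monitor "hq-primary"         # bring this tunnel up only when hq-primary is down
        set monitor-hold-down-type delay # keep the backup up after the primary returns...
        set monitor-hold-down-delay 300  # ...for 300 s, so a flapping primary is not followed
        set psksecret <backup-psk-placeholder>
    next
end
config vpn ipsec phase2-interface
    edit "hq-primary-p2"
        set phase1name "hq-primary"
        set src-subnet 10.10.0.0 255.255.255.0   # constructed local LAN
        set dst-subnet 10.20.0.0 255.255.255.0   # constructed remote LAN
    next
    edit "hq-backup-p2"
        set phase1name "hq-backup"
        set src-subnet 10.10.0.0 255.255.255.0
        set dst-subnet 10.20.0.0 255.255.255.0
    next
end
# Static routes: the higher distance on the backup route keeps it out of the
# routing table (no ECMP) until the primary tunnel interface goes down.
config router static
    edit 10
        set dst 10.20.0.0 255.255.255.0
        set device "hq-primary"
        set distance 10
    next
    edit 11
        set dst 10.20.0.0 255.255.255.0
        set device "hq-backup"
        set distance 20
    next
end
```

Firewall policies still need to allow the remote subnet on both tunnel interfaces, otherwise traffic is dropped when the route fails over even though the backup tunnel is up.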