Setting up site-to-site IPsec in bridged mode

Tags: bridge, gateway, ipsec, l2tp, networking

I'd like to set up site-to-site IPsec in bridged mode: that is, where the hosts in each site don't need to be modified to use the IPsec gateway, but the IPsec gateway acts as a pseudowire.

My plan to do this is:

  1. Set up host-to-host IPsec on each gw
  2. Set up L2TP (over IPsec) between each gw
  3. Bridge the eth0 and the l2tp-eth on each gw

After that, any Layer 2 packets that reach eth0 of any gw should automatically be tunneled (L2TP) securely (IPsec) to the other gateways.

Is this correct? Is this the recommended approach?

Also: How do I do this for > 2 gateways? Does each gateway need both an IPsec SA and a L2TP tunnel with every other gw? Ideally, I'd like to make it so that gw's don't need explicit knowledge of every other individual gw, but I can't find a reliable or even standard way to do so.
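The three steps above on one Linux gateway, as an added example that is not part of the original question or answer: it assumes step 1 (an IPsec transport-mode SA between the two gateways' WAN addresses) is already maintained by an IKE daemon, checks that the IPsec policy actually covers the L2TP port before building the pseudowire, and then does steps 2 and 3 with iproute2. The addresses and interface names are constructed placeholders, and the script only prints the commands unless DRY_RUN=0.

```shell
# Added example, not from the original post. Steps 2 and 3 of the question (static
# L2TPv3 pseudowire, then bridge) on one Linux gateway; step 1 (IPsec transport-mode
# SA between the WAN addresses) is assumed to be handled by an IKE daemon.
LOCAL_WAN=${LOCAL_WAN:-198.51.100.1}   # this gateway's WAN address (constructed)
REMOTE_WAN=${REMOTE_WAN:-203.0.113.1}  # peer gateway's WAN address (constructed)
LAN_IF=${LAN_IF:-eth0}
L2TP_IF=${L2TP_IF:-l2tpeth0}
BR_IF=${BR_IF:-br0}
DRY_RUN=${DRY_RUN:-1}                  # 1 = print the commands, 0 = run them as root

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Check that an outbound IPsec policy covers the L2TP port (UDP 1701) toward the
# peer. $1 is the text of "ip xfrm policy". Without such a policy the bridged
# Ethernet frames inside L2TP would cross the WAN in cleartext.
ipsec_policy_covers_l2tp() {
    printf '%s\n' "$1" | awk -v want="src $LOCAL_WAN/32 dst $REMOTE_WAN/32 proto udp sport 1701 dport 1701" '
        index($0, want) == 1 { armed = 1; next }   # selector line matched
        armed && /dir out/   { found = 1 }         # next line must say "dir out"
        { armed = 0 }
        END { exit found ? 0 : 1 }'
}

setup_pseudowire() {
    # Step 2: unmanaged L2TPv3 tunnel over UDP with one Ethernet pseudowire session.
    # The peer mirrors these commands with local/remote swapped; IDs are 1 on both ends.
    run ip l2tp add tunnel tunnel_id 1 peer_tunnel_id 1 encap udp \
        local "$LOCAL_WAN" remote "$REMOTE_WAN" udp_sport 1701 udp_dport 1701
    run ip l2tp add session tunnel_id 1 session_id 1 peer_session_id 1 name "$L2TP_IF"
    # Ethernet + L2TPv3 + UDP + ESP + IP headers must fit in the WAN MTU, so lower this one.
    run ip link set "$L2TP_IF" up mtu 1400
    # Step 3: bridge the LAN port with the pseudowire; frames are forwarded by MAC address.
    run ip link add "$BR_IF" type bridge
    run ip link set "$LAN_IF" master "$BR_IF"
    run ip link set "$L2TP_IF" master "$BR_IF"
    run ip link set "$BR_IF" up
}

main() {
    policies=$(ip xfrm policy 2>/dev/null || true)
    if ! ipsec_policy_covers_l2tp "$policies"; then
        echo "WARNING: no outbound IPsec policy for UDP/1701 $LOCAL_WAN -> $REMOTE_WAN" >&2
        [ "$DRY_RUN" = 1 ] || { echo "refusing to start the pseudowire in cleartext" >&2; return 1; }
    fi
    setup_pseudowire
}
main
```

Run it with DRY_RUN=0 on both gateways (with LOCAL_WAN and REMOTE_WAN swapped on the peer) once the IKE daemon has installed the transport-mode policies; in dry-run mode it prints the plan and only warns when the policy is missing.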

Best Answer

It is my personal experience that this is possible but not recommended. In fact, I want to communicate to you that you should never ever use this configuration. Let me explain.

Layer 2 bridge mode is intended to not make any routing decisions, whereas IPSEC VPNs require routing in order to move the packets over the VPN. In fact, a host machine never knows what is passed beyond its own gateway. It sends all traffic to the gateway (unless in the same subnet) and the gateway performs all the routing for the host. The host is never aware of anything more from that point. Layer 2 routing is done with MAC addresses. To perform layer 2 routing you must know all the MAC addresses in order to move them in another direction.

In a network configuration, the hosts do not know they are going over the VPN tunnel and the tunneling is performed "automatically" without the knowledge of the host computer.

Getting back on topic. L2TP and IPSEC would be redundant. You do not want to perform both, as your device will want to choose one or the other, causing a routing conflict. You would not be able to force L2TP over the VPN tunnel. When both tunnels are up, your router would have to make a decision which to go over. This would probably be determined by which routes were 1) higher priority or 2) higher on the chain, taking precedence only by rule order.

For more than 2 gateways, there are many different variables in play that would make two gateways possible. If the two gateways are 2 different WAN-facing connections, then only one would be allowed to be active at once. Both being up would cause a route conflict. To overcome this, you may use dynamic routing such as OSPF to fail over to the secondary tunnel/secondary ISP and tear down the primary.

In summary, unless you absolutely have to build it the way in your question, I would recommend a single L3 device that manages your VPN tunnel with only 1 gateway. This way is the most streamlined, has the fewest moving parts, and is the simplest configuration possible.
