do you mean at layer 2/datalink...site to site vpns can extend over layer 3 networks

1.) VLAN/Subnet (extend the same IP subnet across two distinct sides of a VPN tunnel, (for instance 192.168.1.0/24 exists at both sides of the VPN.)  I have not seen a solution for this functionality.

2.) DHCP or BOOTP across VPN.  That is possible using a ip helper or DHCP forwarder.  Works perfectly.

3.) Multicast.  Netscreen does not support Dense mode, which makes my multicast needs very unrealistic over a VPN Tunnel.  It is possible to use PIM - Protocol Independant Multicast across the VPN, but specific Multicast Routes and specific Mulitcast Policies are required, making it next to impossible for my configuration. 

Hi,

Yes, you can using NAT to address overlapping subnets over a VPN.  The C&E guide has a few examples.

-John

Hi,

I do recommend to change addressing, otherwise you get a permanent source of problems and lose the overview (f.e. where is the DHCP-assigned 192.168.1.x now?). Besides, the arp-q's and arp-r's cannot be transported over the VPN.

Using NAT, as recommended by John, will help you to make a clean migration. And you can still use ip helper and DHCP forwarder.

You do not need PIM to transport multicast between two SSGs over  VPN. IGMP Proxy functionality is very good documented in the C&E (Routing). Tunnel interfaces can function as IGMP Proxies, both in Host and Router mode. But you need a Multicast policy that enables IGMP transport over VPN.

Kind regards,

Edouard

Have you looked into VPLS? (can't do w/ screenos)

JNCIS-ES
JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-UAC;
JNCIA-EX
JNCIA-IDP
Juniper Elite Partner Enterprise Solutions Provider & Service Provider Infrastructure
Operate & Implement Specialist
www.novadatacom.com

Hit the Kudos button if my info helps.
and if this worked for you please flag my post as an "Accepted Solution" so others can benefit.