ScreenOS Firewalls (NOT SRX)

How to Extend LAN over VPN?

01-13-2010 11:23 PM

Is it possible to extend a LAN across a VPN?

 

Thank You!

Cameron


5 REPLIES

Re: How to Extend LAN over VPN?

04-05-2010 10:02 PM

Do you mean at layer 2/datalink? Site-to-site VPNs can extend over layer 3 networks.


Re: How to Extend LAN over VPN?

06-28-2010 09:58 AM

 

1.) VLAN/Subnet (extend the same IP subnet across two distinct sides of a VPN tunnel; for instance, 192.168.1.0/24 exists at both sides of the VPN). I have not seen a solution for this functionality.

 

2.) DHCP or BOOTP across VPN. That is possible using an IP helper or DHCP forwarder. Works perfectly.

 

3.) Multicast. NetScreen does not support Dense mode, which makes my multicast needs very unrealistic over a VPN tunnel. It is possible to use PIM (Protocol Independent Multicast) across the VPN, but specific multicast routes and specific multicast policies are required, making it next to impossible for my configuration.

 


Re: How to Extend LAN over VPN?

06-29-2010 07:36 PM

Hi,

 

Yes, you can, using NAT to address overlapping subnets over a VPN. The C&E guide has a few examples.

 

-John

John Judge
JNCIS-SEC, JNCIS-ENT


Re: How to Extend LAN over VPN?

06-30-2010 12:55 AM

Hi,

 

I do recommend changing the addressing; otherwise you get a permanent source of problems and lose the overview (e.g. where is the DHCP-assigned 192.168.1.x now?). Besides, the arp-q's and arp-r's cannot be transported over the VPN.

 

Using NAT, as recommended by John, will help you to make a clean migration. And you can still use ip helper and DHCP forwarder.

 

You do not need PIM to transport multicast between two SSGs over VPN. IGMP Proxy functionality is very well documented in the C&E (Routing). Tunnel interfaces can function as IGMP Proxies, both in Host and Router mode. But you need a Multicast policy that enables IGMP transport over VPN.

 

Kind regards,

Edouard


Re: How to Extend LAN over VPN?

07-07-2010 10:40 AM

Have you looked into VPLS? (Can't do it with ScreenOS.)

JNCIS-ES
JNCIS-FWV
JNCIA-WX
JNCIA-SSL
JNCIA-UAC
JNCIA-EX
JNCIA-IDP
Juniper Elite Partner Enterprise Solutions Provider & Service Provider Infrastructure
Operate & Implement Specialist
www.novadatacom.com
