|reply to aryoba |
Re: Hosted VPN Solution - any ideas welcome!
Thats what I was thinking too.. Since its all L2.. My question though is, what IS the domain? is it a /16? where is it determined? The Address pool for the VPN is only a beginning address and end address...
From a different perspective, I would recommend virtual desktop solution instead of a simple remote IPSec VPN services. A remote IPSec VPN service is not really designed to be providing what you are aiming at since it was designed for a quick way to remote connect to data center or main office. A virtual desktop (i.e. from Citrix) on the other hand is designed to provide what you are aiming.
I think a citrix VDI solution is geared more towards giving virtual machines on a single network, not allowing your machine to join part of a virtual network... But thanks for your suggestion!
I still would like to know how the "domains" are split up.. could you help explains that part?
·Future Nine Corp..
I think ayroba alluded to a broadcast domain, whereas any member of a VLAN should be able to ping each other within the same VLAN if all hosts are using IP addresses from the same subnet.
There's no splitting up of a broadcast domain when it crosses a VPN tunnel AFAIK. In a tunnel, you have Network A, Network B, etc etc and a route between the two as determined by the routing table.
Right, I agree.. I think he was alluding to that too. My question was "where" that defined..? Is everything in one ISAKMP profile considered one vlan? So other profiles will create other vlans?
Ive realized that if I dont specify a router for the vlan that the IP Pool range is on, I cannot ping other hosts on the same IP pool. If I add an IP to the route-filter ACL, then I can reach other hosts. This only works with I see the router in my "router details" tab in the VPN client..
·Future Nine Corp..
With an ISAKMP profile, you reference an ACL that the assigned interface uses to forward interesting traffic through the tunnel. This ACL can specify one host or an entire subnet.
I suppose you can trick two tunnel endpoints to act as though it's bridging interesting traffic through the tunnel by using the same subnet on both ends, but I'd think that can cause issues with ARP.