About VPN Services

VPN Services consist of configurations for Layer 3 IPsec VPNs, used for communication between routers, and Layer 2 IPsec VPNs, used for communication between access points (APs).

Layer 3 IPsec VPNs

Layer 3 IPsec VPN tunnels securely send traffic between Extreme Networks routers and one or two Extreme Networks VGVAs (VPN Gateway Virtual Appliances). Each router functions as a VPN initiator and performs a route lookup to determine whether to send traffic from hosts in its subnet through an IPsec tunnel to destinations in different subnets on the other side of the gateway, which functions as the VPN terminator. In a hub-and-spoke design, the destination might lie on the other side of a second tunnel that connects the Layer 3 VPN gateway to another router at a different remote site. ExtremeCloud IQ applies Layer 3 IPsec VPNs to routers and Layer 3 VPN gateways through a network policy that supports routing. For information about configuring Layer 3 IPsec VPNs, see Configure Layer 3 VPN Services. Use Manage > VPN Services to view the existing VPN services in your network configuration.

Layer 2 IPsec VPNs

Layer 2 IPsec VPNs tunnel traffic between APs functioning as VPN clients at remote sites and a VPN Gateway Virtual Appliance or Extreme Networks APs functioning as VPN servers at the corporate site, providing Layer 2 extensions of the main network. You can define one VPN server, or two for redundancy. Each VPN client must belong to the same management network as the VPN server and builds a GRE (Generic Routing Encapsulation) tunnel between the client and server. DHCP traffic is also tunneled, so clients receive IP addresses from the DHCP server at the corporate site just as if they were on the primary network.

When a wireless client associates with a device, the device applies a user profile to traffic from that client. If the device is a VPN client with a user profile tunnel policy, then the device tunnels that traffic back to a VPN server at the primary site. The clients receive network settings from a DHCP server at the primary site, query DNS servers at the primary site for domain name resolution, and access other network servers through the tunnel to any site in the VPN network.

Because the NAT mechanism on the device involves both the source IP address and source port number, wireless clients can only send TCP or UDP traffic. Note that the clients will not be able to ping local servers because ICMP does not use port numbers. For information about configuring Layer 2 IPsec VPNs, see Configure Layer 2 VPN Services.
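The following model, added here as an illustration and not ExtremeCloud IQ or Extreme Networks code, shows why a translation table keyed on protocol, source address and source port can carry TCP and UDP flows through the tunnel but has nothing to key an ICMP echo on. All addresses and ports are constructed sample values.

```python
"""Minimal source-NAT (NAPT) table keyed on (protocol, source IP, source port).
Added illustration only; it is not the device's NAT implementation."""
from dataclasses import dataclass
from itertools import count
from typing import Optional

PORTED = {"tcp", "udp"}  # only these carry a port the table can key on


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: Optional[int]  # None for ICMP: an echo request has no L4 port
    dst_ip: str
    dst_port: Optional[int]


class Napt:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)        # next free translated port
        self.outbound = {}  # (proto, src_ip, src_port) -> translated port
        self.inbound = {}   # (proto, translated port) -> (src_ip, src_port)

    def translate_out(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a client packet to the NAT address, or drop it (None)."""
        if pkt.proto not in PORTED or pkt.src_port is None:
            return None  # no port, no table key: ICMP cannot be translated
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.outbound:
            nat_port = next(self._ports)
            self.outbound[key] = nat_port
            self.inbound[(pkt.proto, nat_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.public_ip, self.outbound[key],
                      pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Map a reply sent to a translated port back to the original client."""
        client = self.inbound.get((pkt.proto, pkt.dst_port))
        if client is None:
            return None  # no matching outbound flow: reply is dropped
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, client[0], client[1])
```

When verifying reachability of a primary-site server from behind such a device, test with a TCP or UDP service (for example a DNS query) rather than ping.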
Note

A Layer 2 VPN server on an AP can terminate a maximum of 128 tunnels. A Layer 2 VPN Gateway Virtual Appliance can terminate up to 1024 tunnels.