Hi,
I've got a FreeBSD VM in a DC running net/ocserv that allows clients to access my network over SSL. It dutifully creates tunnel interfaces as each client connects, and clients route back to the central site via the VM (as it happens, over an IPsec tunnel).
Rather than route the client traffic via the VM in the normal way, I want to bridge the tunnels to a DMZ at the central site and pop the traffic out there. (Similar to mobility anchoring in Cisco's WiFi universe.)
I can easily use VXLAN to set up a tunnel between the VM and the central site, and can also easily add these to a bridge interface at each end. However, the tricky part is that I can't bridge the tunnel interfaces (for obvious reasons: they're not Ethernet or Ethernet-like).
Ignoring the why, can anyone think of how I can bridge these tunnel interfaces back to the central site? Or perhaps there's a way to stitch/force the tunnels into another tunnel at layer 3 (here I'm thinking policy routing; yuck).
If you want a why: say, for example, users in the central site are subjected to a transparent proxy using WCCP on a switch. I want the SSL VPN users to be dropped into the same VLAN so they too are subject to WCCP (and various other security measures).
Thanks,
Scott
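As an added illustration of the VXLAN-plus-if_bridge leg the post says already works (this is example configuration written for this page, not taken from the original post or from ocserv), the FreeBSD rc.conf fragment below creates a vxlan(4) interface between the VM and the central site and bridges it to a DMZ Ethernet port at the central-site end. The VNI (4242), the endpoint addresses (documentation ranges 192.0.2.0/24 and 198.51.100.0/24) and the port name em1 are assumed placeholders. The closing comment records the check that explains the post's problem: if_bridge(4) accepts only Ethernet-type members, so the tun(4) interfaces ocserv creates cannot be added to such a bridge on the VM end.

```shell
# Added example for this page (not from the original post or from ocserv):
# FreeBSD rc.conf fragment for the VXLAN + if_bridge leg between the VM and
# the central-site DMZ, shown from the central-site end. rc.conf is sh
# syntax, so this file can also be sourced directly.
# VNI, addresses and interface names are assumed placeholders.

# One vxlan(4) and one bridge(4) are cloned at boot.
cloned_interfaces="vxlan0 bridge0"

# vxlan(4) parameters are fixed at create time, hence create_args_<ifname>.
# 198.51.100.20 is this end's address inside the IPsec tunnel, 192.0.2.10 the
# VM's. Keep the VXLAN inside IPsec as the post does: VXLAN itself (UDP/4789)
# neither authenticates nor encrypts the frames it carries.
create_args_vxlan0="vxlanid 4242 vxlanlocal 198.51.100.20 vxlanremote 192.0.2.10"
ifconfig_vxlan0="up"

# Bridge the VXLAN to the DMZ port so frames arriving over vxlan0 appear on
# the same segment as local DMZ hosts. The bridge carries no IP address.
ifconfig_bridge0="addm vxlan0 addm em1 up"

# Runtime equivalent, for bringing the same thing up without a reboot.
# Runs ifconfig as root on FreeBSD; set IFCONFIG=echo to dry-run it.
vxlan_bridge_apply() {
    "${IFCONFIG:-ifconfig}" vxlan0 create $create_args_vxlan0 up
    "${IFCONFIG:-ifconfig}" bridge0 create addm vxlan0 addm em1 up
}

# The VM end mirrors this with vxlanlocal/vxlanremote swapped, but has no
# member to put beside vxlan0: if_bridge(4) only accepts Ethernet-type
# interfaces (Ethernet, vlan, vxlan, ...), and the tun(4) interfaces ocserv
# creates are point-to-point layer-3 interfaces, so "addm tun0" is refused.
```

Sourcing the fragment defines the variables only; `vxlan_bridge_apply` is what actually issues the ifconfig commands, and `IFCONFIG=echo vxlan_bridge_apply` prints them for review before running as root.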