VPN inside a VPN

18 years 1 day ago #17068 by elebel
VPN inside a VPN was created by elebel
Hey folks,

I have a simple question that I'm not able to verify by myself right now due to the lack of equipment for testing. The question is related to VPN.

We have many VPNs with our customers and we plan on deploying additional servers into their infrastructure in a separate VLAN protected by a firewall. In almost all cases we build the VPN with our customer with our own device, but some customers want us to use their device for VPN connectivity. That's fine, but since we have servers isolated inside and don't want our traffic to go in the clear on the customer network, I'm thinking of building another VPN inside the VPN to ensure that I will be fully secure. (Because we deal with confidential data here.)

At the customer site we will already have a device inside to terminate the VPN, but on our site I'm wondering if I can build a config to host the two VPNs on only one device (PIX, ASA and ROUTER)? Because we would like not to have to deploy another pair of VPN devices (PIX, ASA or ROUTER) only for those types of customer.

thanks

elebel
We can change the world if god gave us the source code.
18 years 20 hours ago #17074 by havohej
Replied by havohej on topic Re: VPN inside a VPN
So you mean encrypt again already-encrypted traffic?
If you set up the logical path end to end correctly, you won't have problems; I mean conceptually it must work.

One thing it might affect is a little latency introduced by packet manipulation (encrypt --- encrypt again --- decrypt --- decrypt again) by the cloud device, which could maybe affect the application.
18 years 12 hours ago #17083 by elebel
Replied by elebel on topic Re: VPN inside a VPN
Yes, I know that performance will not be as good as with only one VPN. But I'm wondering if one device can encrypt the same traffic twice?


CORP --> VPN -> INTERNET -> CUST VPN -> LAN -> CORP VPN -> CUST CORP SVRS

VPN1 : VPN <=> CUST VPN
VPN2 : VPN <=> CORP VPN

The first VPN in the chain is the one where I want to create a double VPN configuration.

The reason that forces me to think of a weird setup like this is the fact that the customer VPN needs to terminate on a LAN where we cannot allow unencrypted traffic.

thanks

elebel
We can change the world if god gave us the source code.
17 years 11 months ago #17127 by TheBishop
Replied by TheBishop on topic Re: VPN inside a VPN
Not too sure about your exact scenario, but I've done a VPN-within-VPN which works okay. The reason was that the customer insisted on particular encryption using hardware encryption units being used across the link. So I used a basic PPTP VPN to establish and authenticate the connection but with no encryption on it. Once that's up, I let the hardware units talk to each other across it and establish their own encrypted channel.
17 years 11 months ago #17235 by elebel
Replied by elebel on topic Re: VPN inside a VPN
What type of device were you using for your VPN? Because I'm looking for IPSEC VPN. On one point use the same device for both, but on the remote location use two devices. And what I was wondering is if I'll be able to create the two tunnels inside the same VPN appliance (Cisco equipment).

thanks

elebel
We can change the world if god gave us the source code.
17 years 11 months ago #17237 by Smurf
Replied by Smurf on topic Re: VPN inside a VPN
We are running a VPN inside a VPN for simplicity reasons.

Our Active Directory is protected by a firewall; only sites that are on our Active Directory (not all sites are) are allowed access to the AD. To simplify the rules on the firewall, we decided to use a VPN which then just lets all the traffic from the sites that require it through to the back-end AD.

One site, however, needed to have ADSL installed. For this reason, we set them up with public ADSL and then used an IPSec VPN connection into our network.

We therefore have:
Cisco Router -> Cisco VPN Concentrator for the site-to-site VPN over ADSL.
Then to access the AD, we have a PPTP VPN using ISA Servers.

This seems to work OK.

Cheers

Wayne Murphy
Firewall.cx Team Member
www.firewall.cx

Now working for a Security Company called Sec-1 Ltd in the UK, for any
Penetration Testing work visit www.sec-1.com or PM me for details.