This article describes configuring Layer 2 and Layer 3 VPN connections for disaster recovery scenarios and disaster recovery testing.
- Datto Partner Portal
Layer 2 and Layer 3 site-to-site VPN configurations require virtualization of a full or partial production network in the Datto cloud.
Supported Recovery Scenarios
- Test Scenarios: Due to the risk of disruption to your production network, Datto can only support Layer 2 and Layer 3 site-to-site VPN testing under specific conditions. See our Preparing For A Cloud Virtualization Test: Policies, Procedures, And Partner Responsibilities article for more information.
- Disaster Recovery Scenarios: During live disaster recovery scenarios, Datto can provide best-effort support for Layer 2 and Layer 3 site-to-site VPN configurations.
Layer 2 Site-to-Site VPN
- You need to virtualize one or more systems protected by a Datto appliance in the Datto cloud.
- You want the virtualizations to continue to communicate as if they are on the production network with the Datto appliance.
- You do not want to have to create VPN keys for each client computer that needs access to the VLAN.
- The production network must be functional.
- Use this configuration when the off-site VLAN has the same subnet as your client's local LAN.
Create a Site-to-Site (B2B) Layer 2 tunnel using OpenVPN. The gateway can be hosted on any of your client's on-site hardware capable of running Linux.
The local hardware can be a Datto appliance, or any Ubuntu 10.04, 12.04, 14.04, or 16.04 device with working network drivers, including a device booted into a live CD environment. Datto does not recommend using a Virtual Machine as the local device, because some hypervisors strip traffic between the host and guest.
Start a hybrid virtualization through the Datto appliance GUI, or start a cloud virtualization through the Recovery Launchpad, and then contact Datto Technical Support for assistance with configuring your endpoint device to route traffic between the off-site (VPN) network and your client's local network.
Layer 3 Site-to-Site VPN
- The production network will be down for an extended period.
- One or more large remote sites need to be able to communicate with the Datto cloud.
- The production network is down.
- Use this configuration when the off-site VLAN has a different subnet from the client's local LAN.
- For each network, you will need an endpoint. This can be an on-site computer running Ubuntu, or a Datto appliance.
- At each site, you will need the ability to add static routes to the default gateway or to the individual computers of each site.
- All sites must have port 5196 open from the endpoint to the off-site server hosting the VLAN.
The local device needs to be configured to receive the VPN connection from the off-site server. Contact Datto Technical Support for assistance with this configuration after you have completed the steps in Prerequisites and Requirements.
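The subnet rule that separates the two configurations, and the static route each Layer 3 site needs, can be checked before contacting support. The following planning helper is an added example, not Datto tooling: the function names, site names, and addresses are constructed for illustration. It assumes that each site's route to the off-site VLAN points at that site's own endpoint, and it treats a partial overlap between subnets as a conflict.

```python
import ipaddress


def choose_vpn_layer(local_lan: str, offsite_vlan: str) -> str:
    """Return 'layer2', 'layer3' or 'conflict' for a LAN / off-site VLAN pair."""
    lan = ipaddress.ip_network(local_lan)
    vlan = ipaddress.ip_network(offsite_vlan)
    if lan == vlan:
        return "layer2"    # same subnet: the Layer 2 configuration applies
    if lan.overlaps(vlan):
        return "conflict"  # one range contains the other: routing is ambiguous
    return "layer3"        # different subnets: the Layer 3 configuration applies


def static_routes(sites: dict, offsite_vlan: str) -> dict:
    """Build the static route each site needs to reach the off-site VLAN.

    sites maps a site name to (site subnet, IP of the endpoint at that site).
    The route goes on the site's default gateway or on individual computers.
    """
    vlan = ipaddress.ip_network(offsite_vlan)
    routes = {}
    for name, (cidr, endpoint) in sites.items():
        net = ipaddress.ip_network(cidr)
        ep = ipaddress.ip_address(endpoint)
        if ep not in net:
            raise ValueError(f"{name}: endpoint {ep} is outside {net}")
        if choose_vpn_layer(cidr, offsite_vlan) != "layer3":
            raise ValueError(f"{name}: {net} is not distinct from {vlan}")
        # iproute2 syntax; other gateways need their own equivalent command.
        routes[name] = f"ip route add {vlan} via {ep}"
    return routes


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    sample_sites = {
        "branch-a": ("192.168.10.0/24", "192.168.10.5"),
        "branch-b": ("192.168.20.0/24", "192.168.20.5"),
    }
    for site, route in static_routes(sample_sites, "10.50.0.0/24").items():
        print(f"{site}: {route}")
```

A "conflict" result means the pair fits neither configuration as described above, so resolve the addressing before requesting either setup.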