This article describes configuring Layer 2 and Layer 3 VPN connections for disaster recovery scenarios and disaster recovery testing.
- Datto Partner Portal
- Recovery Launchpad
Layer 2 and Layer 3 site-to-site VPN configurations require virtualization of a full or partial production network in the Datto cloud.
Supported Recovery Scenarios
- Test Scenarios: Due to the risk of disruption to your production network, Datto can only support Layer 2 and Layer 3 site-to-site VPN testing under specific conditions. See our Preparing For A Cloud Virtualization Test: Policies, Procedures, And Partner Responsibilities article for more information.
- Disaster Recovery Scenarios: During live disaster recovery scenarios, Datto can provide best-effort support for Layer 2 and Layer 3 site-to-site VPN configurations.
Layer 2 Site-to-Site VPN
- You need to virtualize one or more systems protected by a Datto appliance in the Datto cloud.
- You want the virtualizations to continue to communicate as if they are on the production network with the Datto appliance.
- You do not want to have to create VPN keys for each client computer that needs access to the VLAN.
- The production network must be functional.
- Use this configuration when the off-site VLAN has the same subnet as your client's local LAN.
Create a Site-to-Site (B2B) Layer 2 tunnel using OpenVPN. The gateway can be hosted on any of your client's on-site hardware capable of running Linux.
The local hardware can be a Datto appliance or any Ubuntu 10.04, 12.04, 14.04, or 16.04 device with working network drivers, including a device booted into a live CD environment. Datto does not recommend using a virtual machine as the local device, because some hypervisors strip traffic between the host and guest.
Start a hybrid virtualization through the Datto appliance GUI, or start a cloud virtualization through the Recovery Launchpad, and then contact Datto Technical Support for assistance with configuring your endpoint device to route traffic between the off-site (VPN) network and your client's local network.
Layer 3 Site-to-Site VPN
- The production network will be down for an extended period.
- One or more large remote sites need to be able to communicate with the Datto cloud.
- The production network is down.
- Use this configuration when the off-site VLAN has a different subnet from the client's local LAN.
- For each network, you will need an endpoint. This can be an on-site computer running Ubuntu, or a Datto appliance.
- At each site, you will need the ability to add static routes to the default gateway or to the individual computers of each site.
- All sites must have port 5196 open from the endpoint to the off-site server hosting the VLAN.
The local device needs to be configured to receive the VPN connection from the off-site server. Contact Datto Technical Support for assistance with this configuration after you have completed the steps in Prerequisites and Requirements.
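The subnet rule that separates the two configurations, and the per-site Layer 3 requirements, can be checked before contacting support. The following is an added example, not Datto's tooling: the function names, site data and addresses are constructed, and the static-route shape (off-site VLAN reached via the site's endpoint) is an assumption. It also flags a case the rule above does not name, where a site LAN only partially overlaps the off-site VLAN.

```python
import ipaddress

VPN_PORT = 5196  # from the article; the protocol (TCP/UDP) is not stated there

def choose_vpn_layer(local_lan, offsite_vlan):
    """Map the article's subnet rule to 'layer2', 'layer3' or 'conflict'."""
    local = ipaddress.ip_network(local_lan)
    offsite = ipaddress.ip_network(offsite_vlan)
    if local == offsite:
        return "layer2"    # same subnet on both sides
    if local.overlaps(offsite):
        return "conflict"  # one range contains the other: routing is ambiguous
    return "layer3"        # different subnets

def plan_sites(offsite_vlan, sites):
    """Check each site against the off-site VLAN and list what it needs."""
    plan = []
    for site in sites:
        mode = choose_vpn_layer(site["lan"], offsite_vlan)
        endpoint = ipaddress.ip_address(site["endpoint"])
        entry = {"site": site["name"], "mode": mode, "route": None,
                 "firewall": None, "problems": []}
        if endpoint not in ipaddress.ip_network(site["lan"]):
            entry["problems"].append("endpoint is not on the site LAN")
        if mode == "conflict":
            entry["problems"].append("site LAN overlaps the off-site VLAN")
        if mode == "layer3" and not entry["problems"]:
            # Assumed route shape, for the default gateway or each computer.
            entry["route"] = f"ip route add {offsite_vlan} via {endpoint}"
            entry["firewall"] = f"allow {endpoint} -> off-site server, port {VPN_PORT}"
        plan.append(entry)
    return plan

# Constructed sample data (hypothetical sites and addresses).
OFFSITE_VLAN = "192.168.10.0/24"
SITES = [
    {"name": "hq", "lan": "192.168.10.0/24", "endpoint": "192.168.10.5"},
    {"name": "branch-a", "lan": "10.20.0.0/24", "endpoint": "10.20.0.5"},
    {"name": "branch-b", "lan": "192.168.0.0/16", "endpoint": "192.168.1.5"},
    {"name": "branch-c", "lan": "10.30.0.0/24", "endpoint": "10.31.0.5"},
]

if __name__ == "__main__":
    for entry in plan_sites(OFFSITE_VLAN, SITES):
        print(entry)
```

A site reported as `conflict`, or with an endpoint outside its own LAN, needs its addressing resolved before a route is added.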