I have a VPN set up to our datacenter (Cisco AnyConnect) for Windows clients.
Our head office has a site-to-site VPN connected to our datacenter.
Our head office also has a VPN set up for Windows clients.
Is it possible for users who connect to our head office VPN client to access LAN devices in our datacenter if I added the head office VPN subnet to the site-to-site tunnel set up from Head Office → Data center?
That way I wouldn’t have to connect to multiple VPNs. If that is possible, is it bad practice/not recommended?
As long as the Client VPN knows to send traffic for the Data Center subnet through the tunnel to the Main Office, and the Data Center knows to send the Client VPN subnet traffic to the Main Office, then yes.
If you are using Full-Tunnel on the Client VPN, then you only need to worry about the Main Office to Data Center VPN allowing the Client VPN subnet back and forth.
You do it when you have to. For a non-classified government contract I worked on the only way to meet the requirements written by the agency was to have a collection of IPSec tunnels inside another IPSec tunnel. It worked.
The problems that I remember were that the MTU was stupidly low and there were some Windows services that had to be switched from UDP to TCP because the UDP packets were getting dropped due to the MTU.
Route-based tunnels should do this without much additional configuration beyond adding routes for the DC LAN on the client VPN appliance and a route for the client subnet at the DC via the tunnel to the branch.
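The two answers above (the split-tunnel/route reply and the route-based-tunnel reply) both boil down to the same four checks: the client must send DC traffic into its VPN, the head office must route it into the site-to-site tunnel, the tunnel's traffic selectors on both ends must cover client-pool↔DC-LAN, and the DC must route the client pool back. The script below is an added example, not something posted in the thread or Cisco's own tooling; it models those checks with hypothetical prefixes (client pool 10.99.0.0/24, HQ LAN 10.10.0.0/16, DC LAN 10.20.0.0/16) and interface names, and reports which piece is missing in a typical "I only added the route at head office" setup versus the completed one. It also shows why full-tunnel clients skip the first check, as the second paragraph of that answer says.

```python
"""Added example: check the routing/selector pieces needed to reach a DC LAN
through a head-office client VPN plus a site-to-site tunnel.
All addressing, device names and interface names are hypothetical."""
from ipaddress import ip_address, ip_network

# Constructed sample addressing (hypothetical, not from the thread)
CLIENT_POOL = ip_network("10.99.0.0/24")   # head-office AnyConnect pool
HQ_LAN = ip_network("10.10.0.0/16")        # head-office LAN
DC_LAN = ip_network("10.20.0.0/16")        # datacenter LAN
CLIENT = ip_address("10.99.0.7")           # a remote user
DC_HOST = ip_address("10.20.5.5")          # a server in the DC


def lookup(table, addr):
    """Longest-prefix match over [(prefix, next_hop), ...]; None if no route."""
    best = None
    for prefix, next_hop in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, next_hop)
    return best[1] if best else None


def selector_allows(selectors, src, dst):
    """Does a policy-based tunnel's traffic selector list cover src -> dst?"""
    return any(src in s and dst in d for s, d in selectors)


def problems_for(cfg, client=CLIENT, server=DC_HOST):
    """Return the list of missing pieces for client<->server; [] means it works."""
    found = []
    # 1. Split-tunnel client: the DC prefix must be in the list pushed to the client.
    #    Full-tunnel clients send everything to the VPN, so this check is skipped.
    if not cfg["full_tunnel"] and not any(server in n for n in cfg["split_tunnel"]):
        found.append("client split-tunnel list lacks the DC LAN; DC traffic "
                     "never enters the VPN")
    # 2. Head office must route the DC LAN into the site-to-site tunnel.
    if lookup(cfg["hq_routes"], server) != "tunnel-dc":
        found.append("head office has no route for the DC LAN via tunnel-dc")
    # 3. Both ends of the site-to-site tunnel must accept client-pool <-> DC-LAN.
    if not selector_allows(cfg["hq_selectors"], client, server):
        found.append("HQ-side tunnel selector does not cover client pool -> DC LAN")
    if not selector_allows(cfg["dc_selectors"], server, client):
        found.append("DC-side tunnel selector does not cover DC LAN -> client pool")
    # 4. The DC must route the client pool back through the tunnel.
    if lookup(cfg["dc_routes"], client) != "tunnel-hq":
        found.append("DC has no return route for the client pool via tunnel-hq")
    return found


# Typical half-done setup: the site-to-site tunnel only knows HQ LAN <-> DC LAN.
BROKEN = {
    "full_tunnel": False,
    "split_tunnel": [HQ_LAN],
    "hq_routes": [(HQ_LAN, "inside"), (DC_LAN, "tunnel-dc"), (CLIENT_POOL, "vpn")],
    "hq_selectors": [(HQ_LAN, DC_LAN)],
    "dc_selectors": [(DC_LAN, HQ_LAN)],
    "dc_routes": [(DC_LAN, "inside"), (HQ_LAN, "tunnel-hq")],
}

# Completed setup: client pool added to the split-tunnel list, both selectors,
# and a return route at the DC.
FIXED = {
    "full_tunnel": False,
    "split_tunnel": [HQ_LAN, DC_LAN],
    "hq_routes": BROKEN["hq_routes"],
    "hq_selectors": [(HQ_LAN, DC_LAN), (CLIENT_POOL, DC_LAN)],
    "dc_selectors": [(DC_LAN, HQ_LAN), (DC_LAN, CLIENT_POOL)],
    "dc_routes": BROKEN["dc_routes"] + [(CLIENT_POOL, "tunnel-hq")],
}

# Full-tunnel variant of the broken config: the client-side check disappears,
# but the tunnel selectors and the DC return route are still required.
BROKEN_FULL_TUNNEL = {**BROKEN, "full_tunnel": True}

if __name__ == "__main__":
    for name, cfg in [("broken", BROKEN), ("broken+full-tunnel", BROKEN_FULL_TUNNEL),
                      ("fixed", FIXED)]:
        print(f"{name}: {problems_for(cfg) or 'OK'}")
```

On a route-based (VTI) tunnel the selector checks collapse to "any/any" and only the routes matter, which is the point of the route-based answer; on a policy-based tunnel the selector mismatch is the piece most often forgotten, and it fails silently because the packet is routed to the tunnel and then dropped for not matching any SA.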
Re: sending remote user VPN traffic across a site-to-site VPN, it’s fine. May not be optimal, but it’s fine. If that’s what the site supports for the time being, it will work.
Sounds like a tradeoff between client configuration complexity versus efficiency. If most flow is to head office with only occasional traffic to DC, then maybe it makes sense to be inefficient on the client->DC traffic just to have a simpler client config/setup. If there’s a lot of flow to office and to DC, then the inefficiency might bite too much and dual-tunnel from the client may be the answer.