Internet – Enterasys Networks Security Router X-PeditionTM User Manual

Page 337


VPN Applications

XSR User’s Guide 14-15

From the server’s point of view, connected tunnels are point-to-multipoint links. The VPN interface serving as the server’s tunnel endpoint must be a point-to-multipoint interface. Additionally, the server does not see segments behind the clients because in Client Mode, NAT is employed inside the tunnel and all traffic originating from trusted segments is NAT-ed with the IP address assigned by the server, as shown in Figure 14-8.

Figure 14-8 Site-to-Site Client Mode Topology

In this scenario, you may use OSPF to advertise the corporate network’s reachability via an
established tunnel.

Advertising these networks becomes extremely valuable when the client connects to more than one server. In that case, the client will have two VPN interfaces, expressed here as VPN 1 and VPN 2. Routes learned via OSPF will inform the IP routing engine which IP addresses are reachable via the VPN 1 interface and which are reachable via the VPN 2 interface. Based on the example shown in Figure 14-8, the following OSPF settings should be applied to the interfaces:

Server

Fast/GigabitEthernet 1 interface: This trusted side of the network on the XSR may consist of
more than one IP segment. A network attached to Fast/GigabitEthernet 1 will be advertised in
an OSPF area.

Fast/GigabitEthernet 2 interface: OSPF must be disabled here because this is the default external
connection to the Internet. The server should not receive updates from the Internet nor pass
along information about private segments to the Internet.

VPN 1 interface: OSPF is required here to establish adjacency with connecting clients. OSPF
treats a set of connected clients as a point-to-multipoint network. Before swapping OSPF
packets, the server must separately build adjacency with each connected client. If the server
cannot establish OSPF adjacency with a client, it will not send OSPF updates to that client.
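The per-interface rules above, and the client-side route selection described earlier, as an added example that is not part of the XSR User’s Guide: a small audit of a server’s interface/OSPF settings against these rules, plus the longest-prefix lookup that decides whether a destination is reached over VPN 1 or VPN 2. Interface names, roles and prefixes are constructed for illustration, not XSR CLI syntax.

```python
# Added example, not from the XSR User's Guide: models the per-interface OSPF
# rules this section gives for the server, and the longest-prefix lookup that
# picks VPN 1 or VPN 2 for a destination. Names and prefixes are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass
class Interface:
    name: str
    role: str                        # "trusted", "internet" or "vpn-server"
    ospf: bool                       # OSPF enabled on this interface
    network_type: str = "broadcast"  # OSPF network type

def audit_server_ospf(ifaces):
    """Return one finding per violation of the section's server rules."""
    findings = []
    for i in ifaces:
        if i.role == "internet" and i.ospf:
            findings.append(f"{i.name}: disable OSPF on the Internet-facing interface "
                            "(no updates from, and no private prefixes to, the Internet)")
        if i.role == "vpn-server" and not i.ospf:
            findings.append(f"{i.name}: OSPF is required to build adjacency with clients")
        if i.role == "vpn-server" and i.network_type != "point-to-multipoint":
            findings.append(f"{i.name}: server tunnel endpoint must be point-to-multipoint")
        if i.role == "trusted" and not i.ospf:
            findings.append(f"{i.name}: trusted segments should be advertised in an OSPF area")
    return findings

def next_hop_interface(routes, dst):
    """Longest-prefix match over OSPF-learned (prefix, interface) routes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

# Constructed sample: the section's three server interfaces, with OSPF wrongly
# left on FastEthernet2, and a client holding routes learned over two tunnels.
SERVER = [
    Interface("FastEthernet1", "trusted", ospf=True),
    Interface("FastEthernet2", "internet", ospf=True),
    Interface("VPN1", "vpn-server", ospf=True, network_type="point-to-multipoint"),
]
CLIENT_ROUTES = [("10.1.0.0/16", "VPN1"), ("10.2.0.0/16", "VPN2"), ("10.1.5.0/24", "VPN2")]
```

Running `audit_server_ospf(SERVER)` reports only the Internet-facing interface, and `next_hop_interface(CLIENT_ROUTES, "10.1.5.9")` returns VPN2 because the /24 learned over VPN 2 is more specific than the /16 learned over VPN 1.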

(Figure 14-8 diagram: the corporate network is attached to the server’s F1; the server’s VPN 1 is a point-to-multipoint interface that terminates tunnels; the server’s F2 faces the INTERNET. A VPN tunnel crosses the Internet to the client’s F2; the client’s VPN 1 is a point-to-point interface whose IP address is assigned by the server, while the other tunnel endpoint’s IP address is configured on the server’s VPN interface. The private segment on the client’s F1 sits behind NAT and is invisible to the server; a second tunnel from the server leads to another client.)
