Overview, Virtual private networks, How vpn load balancing works – Nortel Networks WEB OS 212777 User Manual

Web OS 10.0 Application Guide, page 354

Chapter 14: Virtual Private Network Load Balancing

212777-A, February 2002

Overview

Virtual Private Networks

A VPN is a connection that has the appearance and advantages of a dedicated link, but it
occurs over a shared network. Using a technique called tunneling, data packets are transmitted
across a routed network, such as the Internet, in a private tunnel that simulates a point-to-point
connection. This approach enables network traffic from many sources to travel via separate
tunnels across the infrastructure. It also enables traffic from many sources to be differentiated,
so that it can be directed to specific destinations and receive specific levels of service.

VPNs provide the security features of a firewall, network address translation, data encryption, and
authentication and authorization. Since most of the data sent between VPN initiators and
terminators is encrypted, network devices cannot use information inside the packet to make
intelligent routing decisions.

How VPN Load Balancing Works

VPN load balancing requires that all traffic entering through a particular VPN device also leave
through that same VPN device on its way back to the client. Traffic ingressing from the Internet is
usually addressed to the VPNs, with the real destination encrypted inside the datagram. Traffic
egressing the VPNs into the intranet contains the real destination in the clear.

Using the hash algorithm on the source and destination address may not be possible in many
VPN/firewall configurations because the address may be encrypted inside the datagram. Also,
the source/destination IP address of the packet may change as the packet traverses from the
dirty-side switches to clean-side switches and back.

To support VPN load balancing, the Alteon Web switch records state on frames entering the
switch to and from the VPNs. This session table ensures that the same VPN server handles all
the traffic between an inside host and an outside client for a particular session.

NOTE – VPN load balancing is supported for connecting from remote sites to the network
behind the VPN cluster IP address. Connections initiated from clients internal to the VPN
gateways are not supported.

Basic frame flow, from the dirty side of the network to the clean side, is shown in Figure 5-1.

An external client is accessing an internal server. No Network Address Translation (NAT) is
performed by the VPN devices.
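The following is an added example, not code from the Nortel guide: a toy model of the session table described above, showing why state recorded on frames to and from the VPNs (rather than a hash of the addresses visible in each direction) keeps both halves of a session on one gateway. The gateway names and addresses are constructed for the illustration.

```python
# Added example (not Nortel's code): a toy model of the session table an Alteon switch
# keeps so both directions of a VPN session use the same gateway. All names constructed.
import zlib

GATEWAYS = ["vpn-gw-1", "vpn-gw-2", "vpn-gw-3"]  # constructed VPN cluster members

def hash_pick(src: str, dst: str) -> str:
    # Plain address hashing: consistent only while the hashed addresses stay the same.
    return GATEWAYS[zlib.crc32(f"{src}->{dst}".encode()) % len(GATEWAYS)]

class VpnSessionSwitch:
    def __init__(self) -> None:
        self.dirty_table = {}  # outer client address -> gateway (dirty side)
        self.clean_table = {}  # inner client address -> gateway (clean side)
        self.next_gw = 0

    def dirty_ingress(self, outer_src: str, outer_dst: str) -> str:
        # Encrypted frame from the Internet addressed to the VPN cluster IP.
        gw = self.dirty_table.get(outer_src)
        if gw is None:  # new session: pick a gateway round-robin and record state
            gw = GATEWAYS[self.next_gw % len(GATEWAYS)]
            self.next_gw += 1
            self.dirty_table[outer_src] = gw
        return gw

    def clean_egress_from_vpn(self, gw: str, inner_src: str, inner_dst: str) -> None:
        # Decrypted frame leaving gateway `gw` toward the intranet: record its owner.
        self.clean_table[inner_src] = gw

    def clean_ingress_to_client(self, src: str, dst: str):
        # Clear-text reply from the inside host: must go back through the same gateway.
        # None means no recorded session (flows started inside the intranet are unsupported).
        return self.clean_table.get(dst)

def demo() -> tuple:
    sw = VpnSessionSwitch()
    gw_in = sw.dirty_ingress("203.0.113.10", "192.0.2.1")           # client -> cluster IP
    sw.clean_egress_from_vpn(gw_in, "203.0.113.10", "10.1.1.5")      # decrypted, no NAT
    gw_out = sw.clean_ingress_to_client("10.1.1.5", "203.0.113.10")  # reply to client
    # Hashing the addresses visible in each direction gives no such guarantee.
    return gw_in, gw_out, hash_pick("203.0.113.10", "192.0.2.1"), hash_pick("10.1.1.5", "203.0.113.10")
```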
