Client Mode, Client Mode -12, Client Mode Network Extension Mode – Enterasys Networks Security Router X-Pedition™ User Manual


VPN Applications

14-12 Configuring the Virtual Private Network

If you filter traffic with ACLs, you will need to write an ACL similar to this example: access-list 101 permit udp any host 192.168.57.4 eq 4500. If you enable the XSR firewall, refer to “Configuring Security on the XSR” on page 16-1 for more information. You can verify that traffic is passing the NAT device by entering the show crypto ipsec sa command. It displays the following sample output, citing Port 4500 and UDP-encaps(ulation).

63.81.64.58/32, UDP, 1701 ==> 63.81.64.89/32, UDP, 1701 : 490 packets
ESP: SPI=6723a3c3, Transform=3DES/HMAC-SHA, Life=2384S/249895KB
Local crypto endpt.=63.81.64.89:4500, Remote crypto endpt.=63.81.64.58:20002
Encapsulation=Transport UDP-Encaps
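The manual says to confirm NAT traversal by looking for port 4500 and UDP-Encaps in the show crypto ipsec sa output. The following script is an added example, not part of the manual or the XSR software: it parses the sample output shown above (embedded as a constructed string) and applies those verification criteria, also flagging a NAT-rewritten peer port and the deprecated 3DES transform. The line layout of the output is assumed to match the sample exactly.

```python
import re

# Sample "show crypto ipsec sa" output, copied from the manual page (constructed input).
SAMPLE_OUTPUT = """\
63.81.64.58/32, UDP, 1701 ==> 63.81.64.89/32, UDP, 1701 : 490 packets
ESP: SPI=6723a3c3, Transform=3DES/HMAC-SHA, Life=2384S/249895KB
Local crypto endpt.=63.81.64.89:4500, Remote crypto endpt.=63.81.64.58:20002
Encapsulation=Transport UDP-Encaps
"""

# One pattern per output line; group names are unique so results merge into one dict.
FLOW_RE = re.compile(r"^(?P<src>\S+), (?P<proto>\w+), (?P<sport>\d+) ==> "
                     r"(?P<dst>\S+), \w+, (?P<dport>\d+) : (?P<packets>\d+) packets")
ESP_RE = re.compile(r"SPI=(?P<spi>[0-9a-fA-F]+), Transform=(?P<transform>[^,]+), "
                    r"Life=(?P<secs>\d+)S/(?P<kb>\d+)KB")
ENDPT_RE = re.compile(r"Local crypto endpt\.=(?P<local>[\d.]+):(?P<lport>\d+), "
                      r"Remote crypto endpt\.=(?P<remote>[\d.]+):(?P<rport>\d+)")
ENCAP_RE = re.compile(r"Encapsulation=(?P<mode>\w+)(?: (?P<natt>UDP-Encaps))?")


def parse_ipsec_sa(text):
    """Parse one SA block into a flat dict of the fields the manual's check needs."""
    sa = {}
    for line in text.splitlines():
        for rx in (FLOW_RE, ESP_RE, ENDPT_RE, ENCAP_RE):
            m = rx.search(line)
            if m:
                sa.update(m.groupdict())
    return sa


def check_nat_traversal(sa):
    """Return (passed, notes). Passes when the SA shows UDP-Encaps on port 4500
    and has already carried packets; notes list anything worth a second look."""
    notes = []
    natt = sa.get("natt") == "UDP-Encaps"
    on_4500 = sa.get("lport") == "4500"
    packets = int(sa.get("packets", 0))
    if not natt:
        notes.append("no UDP-Encaps: NAT traversal was not negotiated")
    if not on_4500:
        notes.append("local endpoint is not on UDP 4500; the ACL must permit the port in use")
    if packets == 0:
        notes.append("SA has carried no packets yet")
    if sa.get("rport") not in (None, "4500"):
        notes.append(f"remote port {sa['rport']} differs from 4500: a NAT device rewrote the peer's port")
    if sa.get("transform", "").startswith("3DES"):
        notes.append("transform uses 3DES, a deprecated cipher; prefer AES where the peer supports it")
    return natt and on_4500 and packets > 0, notes


if __name__ == "__main__":
    passed, notes = check_nat_traversal(parse_ipsec_sa(SAMPLE_OUTPUT))
    print("NAT-T verified" if passed else "NAT-T NOT verified", notes)
```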

Depending on the type of IP address management configured on the connecting site of this application, site-to-central-site networks can be built two ways, as shown in Figure 14-6.

Figure 14-6 Site-to-Central-Site Topology

Client Mode and Network Extension Mode tunnels require the use of EZ-IPSec on the client XSR,
placing the majority of the configuration effort on the central site XSR.

Client Mode

When the XSR connects to the central site tunnel server, the tunnel server assigns the client XSR an
IP address, which can be chosen from an internal pool kept by the tunnel server. Hosts residing on
the private LAN obtain IP addresses from the DHCP server running in the XSR.

Each session between a host on the private LAN and a server on the corporate network is NAT-ed.
From the corporate perspective, the entire private LAN is represented as a single IP address. Since
hosts on the private LAN are not visible from the corporate network, traffic must be initiated from

[Figure 14-6 diagram labels. Client Mode panel: Private LAN – XSR (DHCP server, ISP NAT) – Internet – VPN tunnel with routing updates – XSR/Central site tunnel server – Corporate network; addressing on this LAN segment is hidden from the corporate network by NAT in the XSR. Network Extension Mode panel: Branch LAN – XSR/VPN Gateway (DHCP relay, ISP NAT) – Internet – VPN tunnel with routing updates – XSR/Central site tunnel server – Internal NAT/DHCP server – Corporate network; addressing in this LAN segment is an extension of the corporate network.]
