Enterasys Networks X-Pedition Security Router User Manual: Network Extension Mode (NEM), Remote Access Networks (page 14-13)


VPN Applications

XSR User’s Guide 14-13

the hosts on the private LAN. The XSR's internal NAT operates only on Layer-4 protocols such as TCP and UDP. NAT also employs a set of modules, Application Level Gateways (ALGs), to process non-UDP/TCP protocols such as ICMP and H.323.

Routing updates are unidirectional: the Central site advertises segments reachable in the corporate network, but the client XSR does not advertise the private LAN. After receiving a routing update, the client XSR can use its Internet connection both for the VPN tunnel and for direct access to public services and Web servers located on the Internet. This is called split-tunneling.

A secure tunnel to the Central site is established by means of ISAKMP Aggressive Mode with pre-shared keys or Main Mode using certificates. The assignment of IP addresses requires support for Mode-Config on both the tunnel server and the client XSR. Since Mode-Config is not standardized, using it may affect interoperability with third-party devices.

Network Extension Mode (NEM)

In the Network Extension scenario, as illustrated in Figure 14-6, the branch LAN is visible from the corporate segment since the addressing used on that LAN augments the addressing used on the corporate network. Hosts located on the branch LAN obtain IP addresses from the main DHCP server located on the corporate network. In this application the XSR must support the DHCP Relay protocol (RFC 3046) to forward hosts' DHCP requests for IP addresses. An obvious limitation of this configuration is that hosts cannot obtain IP addresses before a tunnel to the corporate network is created. A secure tunnel to the tunnel server is established by means of an IETF ISAKMP Aggressive Mode exchange with pre-shared keys or Main Mode using certificates.
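An added illustration of the DHCP Relay step described above (example code written for this page, not Enterasys or XSR code): a minimal relay that forwards a branch host's DHCPDISCOVER toward the corporate DHCP server only while the tunnel is up, fills in giaddr and appends the RFC 3046 Relay Agent Information option. The relay address, circuit ID and client MAC are constructed values.

```python
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"        # start of the DHCP options field (RFC 2132)
OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 53, 82, 255

def build_discover(xid, chaddr):
    """Constructed DHCPDISCOVER from a branch host: no address yet, giaddr 0.0.0.0."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         1, 1, 6, 0,                 # BOOTREQUEST, Ethernet, hlen 6, hops 0
                         xid, 0, 0x8000,             # xid, secs, broadcast flag
                         b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
                         chaddr, b"", b"")           # chaddr (padded to 16), sname, file
    return header + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, 1, OPT_END])

def _options_end(packet):
    """Walk the TLV options from offset 240 and return the index of the END option."""
    i = 240
    while packet[i] != OPT_END:
        i += 1 if packet[i] == 0 else 2 + packet[i + 1]    # PAD option carries no length
    return i

def parse_options(packet):
    """Return {option code: raw value} for a DHCP packet."""
    opts, i = {}, 240
    while packet[i] != OPT_END:
        if packet[i] == 0:
            i += 1
            continue
        code, length = packet[i], packet[i + 1]
        opts[code] = bytes(packet[i + 2:i + 2 + length])
        i += 2 + length
    return opts

def relay_to_corporate(packet, tunnel_up, relay_addr, circuit_id):
    """Relay a host's request toward the corporate DHCP server over the VPN.
    Returns None while no tunnel exists: in NEM the host cannot get an address
    until the tunnel is up, which is the limitation noted in the text."""
    if not tunnel_up:
        return None
    pkt = bytearray(packet)
    pkt[3] += 1                                   # one more relay hop
    if pkt[24:28] == b"\0" * 4:                   # first relay fills giaddr; the server
        pkt[24:28] = ipaddress.IPv4Address(relay_addr).packed   # selects the branch scope by it
    # RFC 3046 Relay Agent Information option, sub-option 1 = Agent Circuit ID
    sub = bytes([1, len(circuit_id)]) + circuit_id
    opt82 = bytes([OPT_RELAY_AGENT, len(sub)]) + sub
    end = _options_end(pkt)
    return bytes(pkt[:end] + opt82 + pkt[end:])   # insert before END, keep END last
```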

Remote Access Networks

In a Remote Access application, as shown in Figure 14-7, a client connects to the corporate network in the same way as a dial-in user does. First, the client connects to an ISP and is assigned an external IP address, which is used to route packets over the Internet.

Then, the remote client initiates a tunnel to the XSR and is assigned an internal IP address belonging to the corporate network. After connecting, the remote client runs as if directly linked to the corporate LAN.

Figure 14-7 VPN Remote Access Topology

Many protocols provide remote access functionality. Windows 95/98 supports remote access using PPTP with MPPE, while Windows 2000 supports L2TP over IPsec.

Depending on the protocol, the remote access scenario may require user authentication as well as
machine authentication. A user database may be located on the XSR itself or a RADIUS server

[Figure 14-7 labels, recovered from the diagram: Internet; VPN tunnel; XSR/VPN Gateway; VPN Gateway; routing updates; IP address assigned by VPN Gateway; external address assigned by ISP; corporate network with RADIUS server, DHCP server and server.]