Internet – Enterasys Networks Security Router X-PeditionTM User Manual


VPN Applications

14-16 Configuring the Virtual Private Network

Client

Fast/GigabitEthernet 1 interface: This is a private, non-routable segment, usually 192.168.1.0/24.
OSPF must be disabled on F1. If OSPF is enabled on this interface, the segment is advertised to the
server, and the server's IP routing table learns a route to it via the VPN interface connected to
the client. That route is unreachable, because the segment is hidden behind NAT. Be aware that if
two clients advertise the same private segment, e.g., 192.168.1.0/24, the server learns two
routes that appear to lead to the same destination but in fact lead to two different networks.

Fast/GigabitEthernet 2 interface: OSPF should be disabled here for the same reason it is disabled
on the server.

VPN 1 interface: OSPF must be enabled on this interface to receive updates from the server.

If other clients connecting to the VPN 1 interface on the server do not support OSPF (e.g.,
Windows remote access clients), OSPF ignores them and continues exchanging information with
those clients that do.

On the client, the tunnel associated with interface VPN 1 is created by the XSR's EZ-IPsec
functionality. EZ-IPsec automatically inserts SPDs on Fast/GigabitEthernet interface 2 that
specify that only traffic to and from the IP address assigned by the server is encrypted. Because
OSPF runs over VPN 1 and is therefore sourced from that assigned address, its packets match the
SPDs and travel inside the tunnel; there is no conflict between the SPDs and OSPF routing on this
connection.
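To make the three client-side rules and their failure mode concrete, the following is an added Python model written for this section; it is not Enterasys code and not XSR CLI. The interface names F1/F2/VPN1, the per-interface `ospf` flag, the assumed OSPF behaviour (an OSPF-enabled interface's connected prefix is advertised to the server over VPN 1, and the server installs the client's tunnel address as next hop), and every address are constructed assumptions. It audits a client against the rules, shows the server learning the single prefix 192.168.1.0/24 with two next hops when two misconfigured clients both run OSPF on F1, and shows the EZ-IPsec selector on F2 protecting only traffic to or from the server-assigned address.

```python
"""Added example (not code from the Enterasys manual or the XSR): a model of the
Client Mode OSPF rules in this section. Interface names, the `ospf` flag, the
assumed OSPF advertisement behaviour and all addresses are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass
class Interface:
    name: str             # "F1", "F2" or "VPN1" (assumed names)
    prefix: IPv4Network   # segment connected to this interface
    ospf: bool            # OSPF enabled on this interface


@dataclass
class Client:
    name: str
    tunnel_ip: IPv4Address   # VPN 1 endpoint address assigned by the server
    interfaces: dict         # interface name -> Interface

    def iface(self, name):
        return self.interfaces[name]


def audit_client(client):
    """Violations of the Client Mode rules: OSPF off on F1 and F2, on on VPN 1."""
    problems = []
    if client.iface("F1").ospf:
        problems.append("F1: OSPF must be disabled on the NATed private segment")
    if client.iface("F2").ospf:
        problems.append("F2: OSPF must be disabled on the Internet-facing interface")
    if not client.iface("VPN1").ospf:
        problems.append("VPN1: OSPF must be enabled to receive the server's updates")
    return problems


def server_learned_routes(clients):
    """Routes the server learns over its VPN 1 interface: prefix -> set of next hops.

    Assumed behaviour: a client running OSPF on VPN 1 advertises the connected
    prefix of every other OSPF-enabled interface, and the server installs the
    client's tunnel address as the next hop."""
    routes = defaultdict(set)
    for c in clients:
        if not c.iface("VPN1").ospf:
            continue  # no adjacency with the server, nothing is advertised
        for i in c.interfaces.values():
            if i.ospf and i.name != "VPN1":
                routes[i.prefix].add(c.tunnel_ip)
    return dict(routes)


def hidden_prefixes(clients):
    """Learned prefixes the server cannot actually reach: the NATed F1 segments.
    Two clients with the same F1 prefix collapse into one key with two next hops."""
    learned = server_learned_routes(clients)
    return {c.iface("F1").prefix: learned[c.iface("F1").prefix]
            for c in clients if c.iface("F1").prefix in learned}


def ezipsec_spd_action(src, dst, assigned_ip):
    """SPD selector EZ-IPsec inserts on F2: only traffic to or from the address
    assigned by the server is encrypted; other traffic on F2 bypasses IPsec."""
    return "protect" if assigned_ip in (src, dst) else "bypass"


def make_client(name, tunnel_ip, f1_ospf):
    """Constructed two-site topology: every client uses 192.168.1.0/24 on F1,
    the usual private segment, and always runs OSPF on VPN 1 as required."""
    return Client(name, IPv4Address(tunnel_ip), {
        "F1": Interface("F1", IPv4Network("192.168.1.0/24"), f1_ospf),
        "F2": Interface("F2", IPv4Network("203.0.113.0/24"), False),
        "VPN1": Interface("VPN1", IPv4Network("10.0.0.0/24"), True),
    })


if __name__ == "__main__":
    wrong = [make_client("clientA", "10.0.0.2", True), make_client("clientB", "10.0.0.3", True)]
    right = [make_client("clientA", "10.0.0.2", False), make_client("clientB", "10.0.0.3", False)]
    print(audit_client(wrong[0]))        # one violation on F1
    print(hidden_prefixes(wrong))        # one prefix, two next hops, neither reachable
    print(hidden_prefixes(right))        # {} once OSPF is disabled on F1
    a = IPv4Address("10.0.0.2")
    print(ezipsec_spd_action(a, IPv4Address("10.0.0.1"), a))  # OSPF over VPN 1: protect
```

With OSPF enabled on F1 at both clients the server ends up with one 192.168.1.0/24 entry and two next hops, and whichever it picks, the packets are dropped at the client's NAT; the audit flags exactly that interface, and the corrected topology leaves the server's table clean.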

The commands to configure this scenario are illustrated on page 14-36.

Configuring OSPF over Site-to-Central Site in Network Extension Mode

Compared to Client Mode, Network Extension Mode is more flexible at the cost of a more
sophisticated configuration. As shown in Figure 14-9, NAT is not used on the VPN interface at the
client site. The trusted network behind the client is a fully routable segment and may be reached
from the corporate network.

Figure 14-9 Site-to-Site Network Mode Topology

[Figure: the corporate network connects to the server's F1; the server's VPN 1 is a
point-to-multipoint interface that terminates tunnels, including a VPN tunnel across the INTERNET
to the client (and tunnels to other clients). On the client, VPN 1 is a point-to-point interface
whose IP address is assigned by the server; the other tunnel endpoint's IP address is configured on
the server's VPN interface. F2 on each device faces the Internet; the segment on the client's F1 is
an extension of the corporate net.]
