Enterasys Security Router User's Guide

VPN Applications
XSR User’s Guide 14-13
the hosts on the private LAN. The XSR's internal NAT operates only on Layer-4 protocols such as
TCP and UDP. For protocols that are not carried over TCP or UDP, such as ICMP and H.323, NAT
relies on a set of Application Level Gateway (ALG) modules that understand each protocol.
Routing updates are unidirectional - the Central site advertises the segments reachable in the
corporate network, but the client XSR does not advertise its private LAN. Once it has received a
routing update, the client XSR knows which destinations belong to the corporate network and can
send only that traffic through the VPN tunnel, while using its Internet connection directly for
public services and Web servers located on the Internet. This is called split-tunneling.
A secure tunnel to the Central site is established by means of ISAKMP Aggressive Mode with
pre-shared keys or Main Mode using certificates. The assignment of IP addresses requires the
support of Mode-Config on both the tunnel server and the client XSR. Since Mode-Config is not
standardized, using it may affect interoperability with third-party devices.
Network Extension Mode (NEM)
In the Network Extension scenario, as illustrated in Figure 14-6, the branch LAN is visible from
the corporate segment because the addressing used on that LAN is an extension of the addressing
used on the corporate network. Hosts located on the branch LAN obtain IP addresses from the main
DHCP server located on the corporate network. In this application the XSR must support the DHCP
Relay protocol (RFC-3046) to forward hosts' DHCP requests for IP addresses across the tunnel. An
obvious limitation of this configuration is that hosts cannot obtain IP addresses until a tunnel to
the corporate network has been created. A secure tunnel to the tunnel server is established by
means of an IETF ISAKMP Aggressive Mode transaction with pre-shared keys or Main Mode using
certificates.
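The relay step that NEM depends on, shown as an added illustration that is not from the XSR guide or Enterasys code: a host's DHCPDISCOVER arriving on the branch LAN is stamped with the relay's giaddr and an RFC 3046 option 82 circuit-id before it is forwarded across the tunnel, and a request that already carries option 82 without a giaddr is dropped as untrusted. The function names, the sample packet and the 10.20.0.1 relay address are constructed for this example.

```python
import struct
from ipaddress import IPv4Address

MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_END = 0, 255
OPT_RELAY_AGENT_INFO = 82   # RFC 3046 Relay Agent Information option
SUBOPT_CIRCUIT_ID = 1       # RFC 3046 sub-option: interface the request arrived on

def parse_options(packet: bytes):
    """Walk the option TLVs after the magic cookie; return ({code: data}, end_index)."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return opts, i
        length = packet[i + 1]
        opts[code] = bytes(packet[i + 2:i + 2 + length])
        i += 2 + length
    raise ValueError("option list not terminated with END")

def relay_request(packet: bytes, relay_ip: str, circuit_id: bytes) -> bytes:
    """Return a host's BOOTREQUEST as the relay forwards it toward the corporate server."""
    opts, end = parse_options(packet)
    if packet[0] != 1:
        raise ValueError("only BOOTREQUEST (op=1) is relayed toward the server")
    came_from_client = packet[24:28] == bytes(4)        # giaddr still zero
    if came_from_client and OPT_RELAY_AGENT_INFO in opts:
        # RFC 3046 2.1.1: option 82 on a packet straight from a client is untrusted; drop it
        raise ValueError("dropping client request that already carries option 82")
    buf = bytearray(packet)
    buf[3] = min(buf[3] + 1, 255)                        # hops
    if came_from_client:
        buf[24:28] = IPv4Address(relay_ip).packed        # server sends its reply to giaddr
    if OPT_RELAY_AGENT_INFO not in opts:                 # an upstream relay's info is kept as-is
        sub = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
        buf[end:end] = bytes([OPT_RELAY_AGENT_INFO, len(sub)]) + sub
    return bytes(buf)

def build_discover(xid: int, mac: bytes) -> bytes:
    """Constructed sample DHCPDISCOVER as a branch-LAN host broadcasts it (not a capture)."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                      bytes(4), bytes(4), bytes(4), bytes(4), mac.ljust(16, b"\0"),
                      bytes(64), bytes(128))
    return hdr + MAGIC_COOKIE + bytes([53, 1, 1, OPT_END])   # option 53 = DHCPDISCOVER
```

The corporate server's reply is addressed to the giaddr set here, which is why no branch host can get a lease until the tunnel carrying that exchange is up.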
Remote Access Networks
In a Remote Access application, as shown in Figure 14-7, a client connects to the corporate
network in the same way as a dial-in user does. First, the client connects to an ISP and is assigned
an external IP address, which is used to route packets over the Internet.
Then, the remote client initiates a tunnel to the XSR and is assigned an internal IP address
belonging to the corporate network. After connecting, the remote client runs as if directly linked to
the corporate LAN.
Figure 14-7 VPN Remote Access Topology
Many protocols provide remote access functionality. Windows 95/98 supports remote access
using PPTP with MPPE, and Windows 2000 supports L2TP over IPSec.
Depending on the protocol, the remote access scenario may require user authentication as well as
machine authentication. A user database may be located on the XSR itself or a RADIUS server
[Figures 14-6 and 14-7: VPN topology diagrams. Labels: VPN tunnel, Internet, XSR/VPN Gateway, Routing updates, VPN Gateway, IP address assigned by VPN Gateway, External address assigned by ISP, Corporate network, RADIUS server, DHCP server, Server]