Enterasys Security Router User's Guide

VPN Applications
14-14 Configuring the Virtual Private Network
behind the XSR. After a tunnel has been built, the XSR may advertise routing information about
the corporate network to the client.
Authentication can be performed in several ways depending on the protocol used. For PPTP,
authentication is achieved by means of PPP-based methods such as MS-CHAP, EAP, and PAP. Note
that some of these methods are not secure: with PAP, the user ID and password traverse the
Internet in clear text, and a CHAP-style challenge/response, although it carries only a hash, can
still be attacked offline by anyone who captures both the challenge and the response. In the case
of PPTP, there is also no machine-level authentication.
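The following is an added example, not code from this guide or from the XSR, that makes the point above concrete. It builds a PAP Authenticate-Request (RFC 1334) and a CHAP MD5 Response (RFC 1994) from constructed sample values, shows that a passive listener recovers the PAP credentials byte for byte, and shows that the CHAP response, while it does not contain the password, still lets the same listener run an offline dictionary attack once the challenge has been captured. The user name, password, wordlist and challenge bytes are all made up for the example; MS-CHAP uses a different hash construction but is exposed to the same class of offline attack.

```python
"""PPP authentication as seen by an eavesdropper on the Internet path.

Constructed PAP Authenticate-Request (RFC 1334) and CHAP MD5 Response
(RFC 1994) frames. Illustrative code written for this guide; it is not
XSR/Enterasys code and the sample credentials are invented.
"""
import hashlib
import struct


def pap_authenticate_request(ident: int, peer_id: bytes, password: bytes) -> bytes:
    """PAP: Code 1 | Identifier | Length | Peer-ID-Length | Peer-ID | Passwd-Length | Password."""
    length = 4 + 1 + len(peer_id) + 1 + len(password)
    return (struct.pack("!BBH", 1, ident, length)
            + bytes([len(peer_id)]) + peer_id
            + bytes([len(password)]) + password)


def sniff_pap(frame: bytes):
    """What a passive listener recovers from a captured PAP request: ID and password, verbatim."""
    code, _ident, length = struct.unpack("!BBH", frame[:4])
    if code != 1 or length != len(frame):
        raise ValueError("not a well-formed PAP Authenticate-Request")
    pl = frame[4]
    peer_id = frame[5:5 + pl]
    pw_len = frame[5 + pl]
    password = frame[6 + pl:6 + pl + pw_len]
    return peer_id, password


def chap_md5_response(ident: int, secret: bytes, challenge: bytes, name: bytes) -> bytes:
    """CHAP Response: Code 2 | Identifier | Length | Value-Size | Value | Name,
    where Value = MD5(Identifier || secret || challenge)."""
    value = hashlib.md5(bytes([ident]) + secret + challenge).digest()
    length = 4 + 1 + len(value) + len(name)
    return struct.pack("!BBH", 2, ident, length) + bytes([len(value)]) + value + name


def crack_chap(ident: int, challenge: bytes, response_frame: bytes, wordlist):
    """Offline dictionary attack. The listener captured the Challenge (giving the
    Identifier and challenge bytes) and the Response; no further interaction with
    either peer is needed. Returns the matching candidate, or None."""
    vsize = response_frame[4]
    value = response_frame[5:5 + vsize]
    for candidate in wordlist:
        if hashlib.md5(bytes([ident]) + candidate + challenge).digest() == value:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed sample exchange.
    pap = pap_authenticate_request(7, b"alice", b"Winter2004")
    print("PAP on the wire yields:", sniff_pap(pap))

    challenge = bytes(range(16))          # constructed challenge value
    resp = chap_md5_response(3, b"Winter2004", challenge, b"alice")
    print("password bytes present in CHAP response:", b"Winter2004" in resp)
    print("offline guess from wordlist:",
          crack_chap(3, challenge, resp, [b"password", b"Summer2004", b"Winter2004"]))
```

Note that the CHAP attack needs only the captured frames; it is exactly the situation described above for PPTP traffic crossing the Internet, and it is why the L2TP over IPSec arrangement described next wraps the PPP exchange in an encrypted tunnel before any of these messages are sent.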
For L2TP over IPSec, before an L2TP connection can be established between a client and the XSR,
an IPSec connection must be created. The IPSec connection can be authenticated with certificates
or pre-shared keys. For scalability, certificates are recommended.
User authentication is still PPP-based, but because the whole L2TP session is carried inside the
IPSec connection, the PPP exchange is never exposed on the Internet, so any form of PPP
authentication, including PAP, can be used safely.
Using OSPF Over a VPN Network
OSPF on the XSR dynamically discovers networks and adjusts the routing table when network
connections fail (refer to “Configuring OSPF with Fail Over (Redundancy)” on page 14-17). The
VPN protocols provide secure packet transport over the public network through the use of
cryptographic policies attached to XSR interfaces.
When OSPF and VPN protocols are both employed over a network, contradictions may arise. For
example, OSPF may advertise that a particular network segment is reachable, but VPN policies
may prohibit traffic destined for that segment.
To avoid this problem, you must use care when configuring both protocols. The following sections
describe different VPN scenarios and how OSPF is used with them.
OSPF Commands
The same OSPF commands available for configuration in Fast/GigabitEthernet or Serial Interface
mode are available in Interface VPN mode. They are:
ip ospf authentication-key
ip ospf cost
ip ospf dead-interval
ip ospf hello-interval
ip ospf message-digest-key
ip ospf priority
ip ospf retransmit-interval
ip ospf transmit-delay
Additionally, show ip ospf interface vpn is available in EXEC mode.
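The two authentication commands in the list above select between OSPFv2 simple password authentication (ip ospf authentication-key, AuType 1) and cryptographic authentication (ip ospf message-digest-key, AuType 2). The following is an added example, written for this guide rather than taken from the XSR, that builds an OSPF Hello both ways according to RFC 2328 Appendix D so the difference is visible in the bytes: with AuType 1 the key sits in clear text in the 8-byte Authentication field of every packet, while with AuType 2 the header carries only a key ID and a cryptographic sequence number and a keyed MD5 digest is appended after the packet. The router ID, area, neighbour addresses and keys are constructed sample values; the receiver-side check also shows the sequence-number replay test from Appendix D.4.4.

```python
"""OSPFv2 header authentication per RFC 2328 Appendix D, built by hand.

  AuType 1 (ip ospf authentication-key): key placed verbatim in the header.
  AuType 2 (ip ospf message-digest-key): key ID + sequence number in the header,
           keyed MD5 digest appended after the packet (not counted in Length).

Illustrative code written for this guide; not XSR or any vendor's implementation.
All addresses, intervals and keys below are constructed sample values.
"""
import hashlib
import hmac
import struct

AUTH_NULL, AUTH_SIMPLE, AUTH_MD5 = 0, 1, 2
HDR_LEN = 24

# Constructed Hello body: netmask, HelloInterval, Options, Rtr Pri, RouterDeadInterval,
# DR, BDR, one neighbour. Values are arbitrary; only the authentication matters here.
HELLO_BODY = struct.pack("!4sHBBI4s4s4s",
                         bytes([255, 255, 255, 252]), 10, 0x02, 1, 40,
                         bytes([10, 0, 0, 1]), bytes([0, 0, 0, 0]), bytes([10, 0, 0, 2]))


def _ones_complement_sum(data: bytes) -> int:
    """Standard Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _header(auth_type: int, checksum: int, router_id=b"\x0a\x00\x00\x01", area=0) -> bytes:
    """First 16 bytes of the OSPFv2 header: version 2, type 1 (Hello), Length,
    Router ID, Area ID, Checksum, AuType. The 8-byte auth field follows."""
    return struct.pack("!BBH4sIHH", 2, 1, HDR_LEN + len(HELLO_BODY),
                       router_id, area, checksum, auth_type)


def simple_auth_hello(password: bytes) -> bytes:
    """AuType 1: password (at most 8 bytes, zero padded) copied into the auth field.
    The checksum covers the packet minus the auth field (RFC 2328 A.3.1)."""
    assert 1 <= len(password) <= 8
    csum = _ones_complement_sum(_header(AUTH_SIMPLE, 0) + HELLO_BODY)
    return _header(AUTH_SIMPLE, csum) + password.ljust(8, b"\x00") + HELLO_BODY


def sniff_simple_password(pkt: bytes) -> bytes:
    """What anyone on the path sees: the key, in the clear, at header bytes 16..23."""
    return pkt[16:24].rstrip(b"\x00")


def _md5_digest(pkt_without_digest: bytes, key: bytes) -> bytes:
    """RFC 2328 D.4.3: MD5 over the packet followed by the 16-byte key (zero padded)."""
    return hashlib.md5(pkt_without_digest + key.ljust(16, b"\x00")).digest()


def md5_auth_hello(key: bytes, key_id: int, seq: int) -> bytes:
    """AuType 2: checksum field is 0; auth field = 0 | Key ID | Auth Data Len (16) |
    Cryptographic Sequence Number; digest appended after the packet."""
    assert 1 <= len(key) <= 16
    auth = struct.pack("!HBBI", 0, key_id, 16, seq)
    pkt = _header(AUTH_MD5, 0) + auth + HELLO_BODY
    return pkt + _md5_digest(pkt, key)


def verify_md5_hello(pkt: bytes, keys: dict, last_seq: int) -> bool:
    """Receiver side (D.4.4): look up the key by ID, reject a sequence number lower
    than the last one accepted from this neighbour (replay), then recompute and
    compare the digest in constant time."""
    if len(pkt) < HDR_LEN or struct.unpack("!H", pkt[14:16])[0] != AUTH_MD5:
        return False
    _, key_id, dlen, seq = struct.unpack("!HBBI", pkt[16:24])
    length = struct.unpack("!H", pkt[2:4])[0]
    key = keys.get(key_id)
    if key is None or dlen != 16 or len(pkt) != length + 16 or seq < last_seq:
        return False
    body, digest = pkt[:length], pkt[length:]
    return hmac.compare_digest(_md5_digest(body, key), digest)


if __name__ == "__main__":
    weak = simple_auth_hello(b"s3cret")
    print("AuType 1 leaks the key:", sniff_simple_password(weak))
    strong = md5_auth_hello(b"s3cret", 1, 100)
    print("AuType 2 packet contains the key:", b"s3cret" in strong)
    print("verify with right key:", verify_md5_hello(strong, {1: b"s3cret"}, 50))
    print("verify replayed packet:", verify_md5_hello(strong, {1: b"s3cret"}, 101))
```

The practical consequence for the VPN interface is the same as on any other interface: prefer ip ospf message-digest-key, and treat an ip ospf authentication-key value as public the moment a Hello crosses a link where a third party can capture it. Keyed MD5 is the only cryptographic option RFC 2328 defines, so the key itself still needs to be long and unguessable.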
Configuring OSPF Over Site-to-Central Site in Client Mode
When the XSR is configured in a Client Mode, Site-to-Central Site application, it creates an
asymmetric connection with one side acting as the server and the other as the client. The client
initiates the tunnel upon node startup, requesting an IP address from the server.
From the client’s point of view, the tunnel is a point-to-point connection; the VPN (virtual)
interface associated with the tunnel must be a point-to-point interface. Each connected client is
issued an IP address.