- Enterasys Security Router User's Guide

VPN Applications
XSR User’s Guide 14-15
From the server’s point of view, connected tunnels are point-to-multipoint links. The VPN
interface serving as the server’s tunnel endpoint must be a point-to-multipoint interface.
Additionally, the server does not see segments behind the clients because in Client Mode, NAT is
employed inside the tunnel and all traffic originating from trusted segments is NAT-ed with the
IP address assigned by the server, as shown in Figure 14-8.
Figure 14-8 Site-to-Site Client Mode Topology
In this scenario, you may use OSPF to advertise the corporate network’s reachability via an
established tunnel.
Advertising these networks becomes extremely valuable when the client connects to more than
one server. In that case, the client will have two VPN interfaces, expressed here as VPN 1 and VPN
2. Routes learned via OSPF will inform the IP routing engine which IP addresses are reachable via
the VPN 1 interface and which are reachable via the VPN 2 interface. Based on the example shown
in Figure 14-8, the following OSPF settings should be applied to the interfaces:
Server
Fast/GigabitEthernet 1 interface: This trusted side of the network on the XSR may consist of
more than one IP segment. A network attached to Fast/GigabitEthernet 1 will be advertised in
an OSPF area.
Fast/GigabitEthernet 2 interface: OSPF must be disabled here because this is the default external
connection to the Internet. The server should not receive updates from the Internet nor pass
along information about private segments to the Internet.
VPN 1 interface: OSPF is required here to establish adjacency with connecting clients. OSPF
treats a set of connected clients as a point-to-multipoint network. Before exchanging OSPF
packets, the server must separately build adjacency with each connected client. If the server
cannot establish OSPF adjacency with a client, it will not send OSPF updates to that client.
[Figure 14-8 labels: Corporate network - F1 - Server (VPN 1: point-to-multipoint interface, terminates tunnels) - F2 - INTERNET - VPN tunnel - Client (F2; VPN 1: point-to-point interface, this endpoint's IP address is assigned by the server, the other tunnel endpoint's IP address is configured on the server's VPN interface) - F1 - NAT - private segment invisible to server; a second tunnel leads to another client.]
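The server-side interface rules above can be checked mechanically. The following is an added example, not Enterasys code: it models each interface with a role, an OSPF flag and an OSPF network type (an assumed data model, not the XSR CLI) and flags the settings the guide warns against, using a constructed misconfigured layout beside the corrected one.

```python
"""Policy check for the server-side OSPF settings described above.

Added illustration, not part of the XSR guide. Interface names, the
role/ospf/network_type fields and the sample configs are constructed.
"""
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    role: str               # "trusted", "internet" or "vpn_server"
    ospf: bool              # OSPF enabled on this interface
    network_type: str = ""  # OSPF network type, e.g. "point-to-multipoint"


def check_server_ospf(ifaces):
    """Return a list of findings; an empty list means the layout matches the guidance."""
    findings = []
    for i in ifaces:
        if i.role == "internet" and i.ospf:
            # Default external connection: no updates in from, or private routes out to, the Internet.
            findings.append(f"{i.name}: OSPF enabled on the Internet-facing interface")
        if i.role == "vpn_server":
            if not i.ospf:
                findings.append(f"{i.name}: OSPF disabled; no adjacency with clients possible")
            elif i.network_type != "point-to-multipoint":
                # Connected tunnels are point-to-multipoint from the server's point of view.
                findings.append(f"{i.name}: network type must be point-to-multipoint, "
                                f"got {i.network_type!r}")
        if i.role == "trusted" and not i.ospf:
            findings.append(f"{i.name}: trusted segment not advertised into the OSPF area")
    return findings


# Constructed configs: WEAK leaves OSPF on the external interface and treats
# the server tunnel endpoint as point-to-point; CORRECTED follows the guide.
WEAK = [
    Interface("FastEthernet1", "trusted", True),
    Interface("FastEthernet2", "internet", True),
    Interface("VPN1", "vpn_server", True, "point-to-point"),
]
CORRECTED = [
    Interface("FastEthernet1", "trusted", True),
    Interface("FastEthernet2", "internet", False),
    Interface("VPN1", "vpn_server", True, "point-to-multipoint"),
]

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("corrected", CORRECTED)):
        print(label, check_server_ospf(cfg) or ["ok"])
```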