Enterasys Security Router User's Guide
VPN Applications
14-16 Configuring the Virtual Private Network

Client
Fast/GigabitEthernet 1 interface: This is a private, non-routable segment, usually 192.168.1.0/24.
OSPF must be disabled on F1. If OSPF is enabled on this interface, the segment is advertised to the
server, and the server's IP routing table learns a route to it via the VPN interface connected to
the client. That route is unreachable, because NAT is enabled on the client. Be aware also that if
two clients advertise the same private segment, e.g., 192.168.1.0/24, the server learns two routes
that appear to lead to the same destination but in fact lead to two different networks.

Fast/GigabitEthernet 2 interface: OSPF should be disabled here for the same reason it is disabled
on the server.

VPN 1 interface: OSPF must be enabled on this interface to receive updates from the server.
If other clients connecting to the VPN 1 interface on the server do not support OSPF (for example,
Windows remote access clients), OSPF ignores them and continues exchanging information with
those clients that do support OSPF.

On the client, a tunnel associated with interface VPN 1 is created by means of the XSR's EZ-IPsec
functionality. EZ-IPsec automatically inserts SPDs on Fast/GigabitEthernet interface 2 which
specify that only traffic to and from the IP address assigned by the server is encrypted.
There is no conflict between the SPDs and OSPF routing on this connection.
The commands to configure this scenario are illustrated on page 14-36.
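The two Client Mode symptoms described above (a NAT'd private segment leaking into the server's routing table over the VPN interface, and two clients advertising the same 192.168.1.0/24) can be spotted by auditing the server's OSPF-learned routes. The following Python script is an added example, not from the guide or the XSR software; it assumes a constructed, hypothetical routing-table text format of "O <prefix> via <next hop> <interface>" rather than any real XSR output.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of what the server might learn when two clients leave OSPF
# enabled on their F1 segment (hypothetical format, not real XSR output).
SAMPLE_ROUTES = """\
O 192.168.1.0/24 via 10.0.0.2 VPN1
O 192.168.1.0/24 via 10.0.0.3 VPN1
O 172.16.5.0/24 via 10.0.0.4 VPN1
O 192.168.10.0/24 via 10.0.0.5 VPN1
C 10.0.0.0/24 directly connected VPN1
O 10.20.0.0/16 via 192.0.2.1 F1
"""

# RFC 1918 space: a client's F1 segment in Client Mode lives here and is NAT'd,
# so any such prefix learned over the tunnel interface is unreachable.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_routes(text):
    """Return (network, next_hop, interface) for each OSPF-learned ('O') entry."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "O":
            continue  # connected/static entries are not the problem here
        routes.append((ipaddress.ip_network(parts[1]), parts[3], parts[-1]))
    return routes


def audit(routes, vpn_ifaces=("VPN1",)):
    """Return (leaked, duplicated): private prefixes learned over a VPN interface,
    and the subset announced by more than one tunnel peer (ambiguous destination)."""
    peers = defaultdict(set)
    for net, next_hop, iface in routes:
        if iface in vpn_ifaces and any(net.subnet_of(p) for p in PRIVATE):
            peers[net].add(next_hop)
    leaked = sorted(str(n) for n in peers)
    duplicated = sorted(str(n) for n, hops in peers.items() if len(hops) > 1)
    return leaked, duplicated


if __name__ == "__main__":
    leaked, duplicated = audit(parse_routes(SAMPLE_ROUTES))
    print("private prefixes learned over the tunnel (OSPF left on at F1):", leaked)
    print("same private prefix from more than one client:", duplicated)
```

Each leaked prefix points at a client whose F1 OSPF should be disabled; each duplicated prefix is a destination the server cannot disambiguate.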
Configuring OSPF over Site-to-Central Site in Network Extension Mode
Compared to Client Mode, Network Extension Mode is more flexible at the cost of a more
sophisticated configuration. As shown in Figure 14-9, NAT is not used on the VPN interface at the
client site. The trusted network behind the client is a fully routable segment and may be reached
from the corporate network.
Figure 14-9 Site-to-Site Network Mode Topology
[Figure: corporate network connected to the server's F1; the server's VPN 1 is a point-to-multipoint interface that terminates tunnels across the Internet; the client's VPN 1 is a point-to-point interface whose IP address is assigned by the server, while the other tunnel endpoint's IP address is configured on the server's VPN interface; the client's F2 faces the Internet and its F1 segment is an extension of the corporate network; a second tunnel leads to another client.]