Enterasys Security Router User's Guide
Configuring the Virtual Private Network
Figure 14-10 OSPF Used with Failover (legend: Server 2 uses interfaces Fast/GigabitEthernet 1 and VPN 1; Client uses interfaces Fast/GigabitEthernet 1, VPN 1 and VPN 2)
Limitations
Peer-to-Peer IPSec tunnels are configured without a VPN interface by applying crypto maps to physical interfaces. In this application, IPSec is treated as a side effect of data transmission through the interface. Since no virtual interface (e.g., VPN1) is bound to the IPSec connection, a routing protocol such as OSPF cannot run over it.

As mentioned earlier, OSPF may advertise a network's reachability while the IPSec policies deny access to that network. As a remedy, you may extend the crypto maps attached to the interfaces, but this requires prior knowledge of the networks OSPF will advertise, which renders OSPF's dynamic network discovery useless. In this case, OSPF is used only to monitor the links and provide alternate routes in case of link failure.
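The mismatch described above (OSPF learns a prefix, but the crypto map's traffic selector never covers it, so the traffic leaves the interface unprotected or is dropped by the peer) is easy to audit offline. The following script is an added example, not Enterasys code: it assumes a Cisco-style `permit ip SRC WILDCARD DST WILDCARD` selector ACL and a plain list of OSPF-learned prefixes, both constructed here, and reports every advertised prefix that no permit entry fully covers for traffic from the local network.

```python
"""Cross-check OSPF-advertised prefixes against a crypto map's selector ACL.
Added example; the ACL syntax, route list and addresses are assumptions
constructed for illustration, not taken from the XSR configuration."""
import ipaddress


def wildcard_to_network(addr: str, wildcard: str) -> ipaddress.IPv4Network:
    """Turn 'addr wildcard' (inverse mask, e.g. 0.0.255.255) into a network.
    The wildcard is inverted explicitly so that 0.0.0.0 means a /32 host and
    255.255.255.255 means 0.0.0.0/0; a non-contiguous wildcard raises ValueError."""
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    return ipaddress.ip_network(f"{addr}/{ipaddress.IPv4Address(mask)}", strict=False)


def parse_crypto_acl(lines):
    """Parse 'permit ip SRC WC DST WC' lines into (src, dst) network pairs.
    'any' maps to 0.0.0.0/0 and 'host A' to A/32. Deny lines and non-ip lines
    are skipped: they never select traffic for IPSec protection."""
    selectors = []
    for raw in lines:
        tokens = raw.split()
        if len(tokens) < 4 or tokens[0] != "permit" or tokens[1] != "ip":
            continue
        fields, nets, i = tokens[2:], [], 0
        while i < len(fields) and len(nets) < 2:
            if fields[i] == "any":
                nets.append(ipaddress.ip_network("0.0.0.0/0"))
                i += 1
            elif fields[i] == "host":
                nets.append(ipaddress.ip_network(f"{fields[i + 1]}/32"))
                i += 2
            else:
                nets.append(wildcard_to_network(fields[i], fields[i + 1]))
                i += 2
        if len(nets) == 2:
            selectors.append((nets[0], nets[1]))
    return selectors


def unprotected_routes(local_net, ospf_routes, selectors):
    """Return OSPF-learned prefixes that no permit selector fully covers for
    traffic sourced from local_net. These are reachable according to OSPF but
    fall outside the IPSec policy, which is exactly the gap the text warns about."""
    local = ipaddress.ip_network(local_net)
    gaps = []
    for prefix in ospf_routes:
        route = ipaddress.ip_network(prefix)
        covered = any(local.subnet_of(src) and route.subnet_of(dst)
                      for src, dst in selectors)
        if not covered:
            gaps.append(str(route))
    return gaps


# Constructed sample data: a crypto map ACL and prefixes learned via OSPF.
CRYPTO_ACL = [
    "permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255",
    "permit ip 10.1.0.0 0.0.255.255 host 10.3.0.10",
    "deny ip any any",
]
OSPF_ROUTES = ["10.2.5.0/24", "10.3.0.0/24", "192.168.7.0/24", "10.2.0.0/16"]
LOCAL_NET = "10.1.0.0/16"

if __name__ == "__main__":
    for gap in unprotected_routes(LOCAL_NET, OSPF_ROUTES, parse_crypto_acl(CRYPTO_ACL)):
        print(f"advertised by OSPF but not covered by the IPSec policy: {gap}")
```

Run the report after every change to the crypto map or whenever OSPF picks up a new neighbor; a prefix in the output means OSPF will install a route whose traffic the tunnel policy does not protect, and the crypto map selector should be extended before relying on that route.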
XSR VPN Features
The XSR supports the following VPN features:
- Site-to-Site (Peer-to-Peer) application
- IPSec/IKE with pre-shared secrets
- IPSec/IKE with certificates (PKI)
- EZ-IPSec with PKI or pre-shared secrets:
  - Network Extension Mode (NEM)
[Figure 14-10 diagram labels: Corporate network, INTERNET, Server 1, Server 2, Client, interfaces F1, F2, VPN 1, VPN 2; "Segment is extension of corporate network"]