3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide

CHAPTER 13: DVPN
Registering with the DVPN server to join a DVPN domain
Establishing sessions with DVPN servers for data transmission
Establishing sessions with other DVPN clients in the DVPN domain
Encrypting packets using IPsec
DVPN ID
Identifier of a DVPN domain. For a DVPN access device, different DVPN domains
have different DVPN IDs.
Map
Channel established between a DVPN client and a DVPN server when the DVPN
client attempts to register with the DVPN server. A map remains after the client
successfully registers with the DVPN server until the DVPN client exits the DVPN
domain or the network. The information a map holds, such as the ID of the DVPN
domain, the private IP address of the peer, the public IP address of the peer, the
UDP port number used, the state of the map, and the control ID, is stored on both
the client side and the DVPN server side.
Session
DVPN tunnel for data transmission. In a DVPN domain, sessions are established
between pairs of DVPN access devices and are used to connect private networks.
Packets in a DVPN domain are transmitted through sessions. The information a
session contains is similar to that of a map, such as the ID of the DVPN domain,
the private and public IP address of the peer, UDP port number used, the state of
the session, and the type of the session.
Redirect
Redirecting mechanism. For two clients with no session in between,
communications between them are carried out by the DVPN server. When
forwarding packets between these two clients, the DVPN server sends redirecting
packets to the source client if the DVPN server determines a separate session can
be established between the two clients. Redirecting packets contain information
about the destination clients and enable sessions to be established between
clients.
Active side and passive side
Each of the two sides of a session is either the active side or the passive side. A session
can have only one active side and one passive side. For a session established
between a client and a server, the client operates as the active side and the server
operates as the passive side. If a session is established between two clients, the
one that initiates the session is the active side and the other is the passive side.
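
The redirect and active/passive rules described above, modelled as an added example (not 3Com code and not the DVPN wire format). The class and function names, the dictionary layout, and the rule that the server redirects whenever both clients are registered in the same DVPN domain are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Client:
    dvpn_id: int
    private_ip: str   # Tunnel interface address
    public_ip: str    # WAN interface address
    udp_port: int
    sessions: dict = field(default_factory=dict)  # peer private IP -> session info

def info(c):  # fields the page says maps and sessions hold about a peer
    return {"dvpn_id": c.dvpn_id, "private_ip": c.private_ip,
            "public_ip": c.public_ip, "udp_port": c.udp_port}

class Server:
    def __init__(self):
        self.maps = {}  # (DVPN ID, private IP) -> map held for a registered client

    def register(self, c):
        self.maps[(c.dvpn_id, c.private_ip)] = {**info(c), "state": "registered"}
        # Client-server session: the client is the active side.
        c.sessions["server"] = {"role": "active", "type": "client-server"}

    def relay(self, src, dst_private_ip):
        """Return (forwarded, redirect); redirect describes the destination client."""
        m = self.maps.get((src.dvpn_id, src.private_ip))
        if m is None or m["public_ip"] != src.public_ip:
            return False, None  # assumption: only registered sources are served
        dst = self.maps.get((src.dvpn_id, dst_private_ip))
        if dst is None:
            return False, None  # destination is not registered in this DVPN domain
        # Assumption: a separate session is possible once both ends are registered.
        return True, {k: v for k, v in dst.items() if k != "state"}

def send(server, clients, src, dst_private_ip):
    """Return the path taken: 'direct', 'via-server' or 'dropped'."""
    if dst_private_ip in src.sessions:
        return "direct"
    forwarded, redirect = server.relay(src, dst_private_ip)
    if not forwarded:
        return "dropped"
    dst = clients[redirect["public_ip"]]  # clients: public IP -> Client (model only)
    src.sessions[dst_private_ip] = {**redirect, "role": "active", "type": "client-client"}
    dst.sessions[src.private_ip] = {**info(src), "role": "passive", "type": "client-client"}
    return "via-server"
```

Calling send() twice for the same registered pair returns 'via-server' and then 'direct'; a destination in another DVPN domain, or an unregistered source, returns 'dropped'.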
Implementation
To implement DVPN, DVPN access devices must run the DVPN proprietary protocol,
through which the DVPN server holds information about all successfully
registered clients, and the clients hold information about all sessions they
establish, such as the private IP addresses of destination devices (the IP addresses
of Tunnel interfaces), the public IP addresses of destination devices (the IP
addresses of WAN interfaces), the UDP port numbers of the destination devices
(when employing UDP), and the identifiers of session state. The following
describes the phases undergone when implementing DVPN to transmit data.