Enterasys Networks X-PeditionTM manual VPN Applications

Models: X-Pedition™

VPN Applications

This feature specifies whether the router clears, sets, or copies the DF bit in the encapsulating header. It is available only for IPSec tunnel mode; transport mode is not affected because it has no encapsulating IP header. Typical enterprise DF bit configurations involve hosts which perform these roles:

Use firewalls to block Internet Control Message Protocol (ICMP) “unreachable” errors arriving from outside the firewall, which prevents hosts from learning the Maximum Transmission Unit (MTU) size outside the firewall and causes the originating application to eventually fail

Set the DF bit in the packets they send

Use IPSec to encapsulate packets, which reduces the available MTU size because the encapsulated packet becomes too large for the tunnel’s interface. When the encrypted packet is dropped because of its DF bit setting, large packets are lost, causing instability and likely failure of the tunnel

If your topology includes hosts which screen knowledge of the available MTU size, you can set the XSR to clear the DF bit and fragment the packet.

Refer to “XSR with VPN - Central Gateway” on page 14-36 for a sample configuration.

Note: The DF bit can be configured globally or per interface. If both levels are configured, the interface setting overrides the global setting. The feature is supported on any interface on which VPN can be configured.
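The failure chain described above (a firewall that blocks ICMP unreachable messages, hosts that set DF, and IPSec encapsulation that leaves too little MTU) and the interface-over-global precedence stated in the note, modelled as an added Python example. This is not code from the manual or from the XSR itself; the 1500-byte tunnel MTU, the 58-byte ESP tunnel-mode overhead and the packet sizes are constructed assumptions chosen to make the three DF policies produce visibly different outcomes.

```python
"""Model of DF bit handling on an IPsec tunnel-mode gateway.

Added illustration; not code from the X-Pedition manual, and it does not
claim to reproduce the XSR's internal implementation. The MTU, the
encapsulation overhead and the packet sizes are constructed assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class DfPolicy(Enum):
    CLEAR = "clear"  # outer DF always 0: oversized tunnel packets are fragmented
    SET = "set"      # outer DF always 1: oversized tunnel packets are dropped
    COPY = "copy"    # outer DF mirrors the inner packet's DF bit


@dataclass(frozen=True)
class Packet:
    length: int  # total IPv4 length in bytes, header included
    df: bool     # Don't Fragment flag of the inner (original) packet


# Constructed assumptions: a 1500-byte tunnel interface MTU and a tunnel-mode
# ESP overhead of outer IPv4 header (20) + SPI/sequence (8) + IV (16)
# + padding/next-header (2) + integrity check value (12) = 58 bytes.
TUNNEL_MTU = 1500
ENCAP_OVERHEAD = 20 + 8 + 16 + 2 + 12


def effective_policy(global_policy: DfPolicy,
                     interface_policy: Optional[DfPolicy]) -> DfPolicy:
    """Interface-level setting overrides the global one when both are configured."""
    return interface_policy if interface_policy is not None else global_policy


def outer_df_bit(inner: Packet, policy: DfPolicy) -> bool:
    """DF value written into the encapsulating IP header."""
    if policy is DfPolicy.CLEAR:
        return False
    if policy is DfPolicy.SET:
        return True
    return inner.df  # COPY


def tunnel_outcome(inner: Packet, policy: DfPolicy,
                   firewall_blocks_icmp: bool) -> str:
    """What happens to one inner packet sent across the tunnel.

    Returns one of:
      "delivered"               fits in the tunnel MTU after encapsulation
      "delivered-fragmented"    too large, outer DF clear, fragmented and reassembled
      "dropped-sender-notified" too large, outer DF set, ICMP reaches the sender,
                                so path MTU discovery can lower the packet size
      "dropped-blackhole"       too large, outer DF set, ICMP blocked: the sender
                                never learns the MTU and keeps retransmitting
    """
    outer_length = inner.length + ENCAP_OVERHEAD
    if outer_length <= TUNNEL_MTU:
        return "delivered"
    if not outer_df_bit(inner, policy):
        return "delivered-fragmented"
    # Outer DF set and packet too large for the tunnel interface: the gateway
    # drops it and signals "fragmentation needed" (RFC 1191) towards the source.
    return "dropped-blackhole" if firewall_blocks_icmp else "dropped-sender-notified"


def compare_policies(inner: Packet, firewall_blocks_icmp: bool) -> dict:
    """Outcome of the same packet under each of the three DF policies."""
    return {p.value: tunnel_outcome(inner, p, firewall_blocks_icmp) for p in DfPolicy}


if __name__ == "__main__":
    # Constructed scenario from the text: the host sets DF, sends full-size
    # 1500-byte packets, and a firewall blocks ICMP unreachable messages.
    full_size = Packet(length=1500, df=True)
    for policy, result in compare_policies(full_size, firewall_blocks_icmp=True).items():
        print(f"{policy:6s} -> {result}")
```

Running the scenario shows why the text recommends clearing the DF bit behind ICMP-blocking firewalls: with "copy" or "set" the oversized packet is dropped and the sender never receives the ICMP message it would need to shrink its packets, while with "clear" the gateway fragments the encapsulated packet and the flow survives. The same model also makes the cost of "clear" visible, since fragmentation at the gateway defeats path MTU discovery rather than fixing it.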

VPN Applications

The XSR supports the following applications:

Site-to-Site (Peer-to-Peer) - XSRs establish connections with each other, with ANG-1102/1105s and 7000s, or with third-node devices across the Internet, authenticated by certificates or pre-shared keys. This is the simplest tunnel to set up, but its functionality set is not as rich as that of a Site-to-Central-Site tunnel.

Site-to-Central-Site - XSRs, one acting as a central site and the other as a remote site in Client or Network Extension Mode, build links with each other based on pre-shared keys or certificates. An XSR working as a central site can also terminate tunnels initiated by ANG-1102/1105s and 7000s. This type of tunnel offers several advantages over a Site-to-Site tunnel, including:

RIP or OSPF routing is supported

Tunnel heartbeats are supported

Tunnel failover is consistently supported

Tunnels are more easily scalable in multiple router topologies

Network management is more robust

Remote Access - The XSR functions as a tunnel server, establishing dial-up connections with clients over the Internet via local ISPs.

The XSR supports multiple combinations of the above applications and includes auxiliary functionality such as:

RADIUS authentication

PKI authentication

NAT traversal

IP address management

DF Bit override on IPSec tunnels

14-10 Configuring the Virtual Private Network
