VPN Applications

Site-to-Site Networks

Site-to-site tunnels run as point-to-point links. They are useful when connecting geographically dispersed network segments where each segment contains servers and hosts. VPN tunnels play the role of point-to-point links and are transparent from a routing perspective.

Figure 14-5 shows a link between two XSR sites, but this architecture can be extended to link many sites by creating a mesh topology. While it is extremely flexible for mesh networks, site-to-site is also useful within a hub-and-spoke topology.

Figure 14-5 VPN Site-to-Site Topology

[Figure: two sites, each with an XSR/VPN Gateway, joined by a VPN tunnel across the Internet; routing updates between the sites travel over the tunnel.]

VPN gateways terminating a tunnel cannot run routing protocols and must therefore rely solely on static routes. Only packets destined for networks behind the peer are encrypted and sent through the tunnel. Other traffic is either dropped or forwarded to the Internet, depending on your security policy.

Authentication for IPSec tunnels can be performed using pre-shared keys or certificates. Authentication using pre-shared keys is acceptable in this application because the number of connected peers is relatively small.

This type of tunnel follows IETF standards and is interoperable with other vendors’ devices. The IPSec portion of a GRE/IPSec tunnel is this type of Peer-to-Peer/Site-to-Site configuration. Refer to “Configuring a Simple VPN Site-to-Site Application” on page 14-32 and “Configuration Examples” on page 14-36 for detailed Site-to-Site setups.

Site-to-Central-Site Networks

In a Site-to-Central-Site application, tunnel nodes are not equivalent. One node initiates a tunnel, the other accepts it. In practice, the initiating node represents the smaller client entity and connects to the bigger corporate network through the server.

NAT Traversal

Because the connection is always initiated by the client site, the client can reside behind an ISP-operated NAT device. The presence of NAT, however, requires the IPSec feature known as NAT traversal, since routers and VPN gateways that terminate tunnels cannot otherwise reside behind a NAT device: their external addresses must be valid, routable addresses. This also matters in a site-to-site scenario, where both XSRs play an equivalent role and either VPN gateway can initiate a tunnel.

Beginning with Release 7.0, the XSR supports NAT traversal according to draft-ietf-ipsec-nat-t-ike-02. The XSR sends IKE messages from UDP port 4500 when (1) a NAT device is present between the IKE peers and (2) the peer has implemented draft-ietf-ipsec-nat-t-ike-02.
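The following added example (not XSR code or part of this guide) shows how the two conditions above are decided under draft-ietf-ipsec-nat-t-ike-02: each IKE peer sends NAT-D payloads, each a hash of the IKE cookies plus an address and port, and the receiver recomputes them from the addresses it actually sees on the wire. SHA-1 as the negotiated hash, the cookies and all addresses are constructed assumptions.

```python
import hashlib
import ipaddress
import struct

IKE_PORT = 500       # standard ISAKMP port
NAT_T_PORT = 4500    # port the XSR floats to once NAT is detected

# draft-ietf-ipsec-nat-t-ike-02: NAT-D payload = HASH(CKY-I | CKY-R | IP | Port).
# The hash is the one negotiated for the IKE SA; SHA-1 is assumed here.
def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """One NAT-D value over an address/port pair."""
    addr = ipaddress.ip_address(ip).packed
    return hashlib.sha1(cky_i + cky_r + addr + struct.pack("!H", port)).digest()

def nat_d_payloads(cky_i, cky_r, own_ip, own_port, peer_ip, peer_port):
    """Sender emits the peer's (destination) address first, then its own."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, own_ip, own_port)]

def detect_nat(cky_i, cky_r, received, seen_src_ip, seen_src_port, own_ip, own_port):
    """Receiver recomputes the hashes from what it actually sees on the wire.

    received[0] is the sender's view of our address; received[1:] are the
    sender's own candidate addresses. Returns (nat_before_peer, nat_before_me).
    """
    nat_before_me = received[0] != nat_d_hash(cky_i, cky_r, own_ip, own_port)
    seen = nat_d_hash(cky_i, cky_r, seen_src_ip, seen_src_port)
    nat_before_peer = seen not in received[1:]
    return nat_before_peer, nat_before_me

def choose_port(nat_detected: bool, peer_supports_nat_t: bool) -> int:
    """Float to UDP 4500 only when both conditions from the text hold."""
    return NAT_T_PORT if (nat_detected and peer_supports_nat_t) else IKE_PORT

def demo():
    """Constructed scenario: client XSR at 192.168.1.10 behind an ISP NAT;
    the central-site gateway at 203.0.113.5 sees its IKE packet arrive
    from 198.51.100.7:61000 (the NAT's outside address and mapped port)."""
    cky_i = bytes.fromhex("0011223344556677")   # constructed cookies
    cky_r = bytes.fromhex("8899aabbccddeeff")
    sent = nat_d_payloads(cky_i, cky_r, "192.168.1.10", 500, "203.0.113.5", 500)
    nat_peer, nat_me = detect_nat(cky_i, cky_r, sent,
                                  "198.51.100.7", 61000, "203.0.113.5", 500)
    return nat_peer, nat_me, choose_port(nat_peer or nat_me, True)

if __name__ == "__main__":
    print(demo())  # (True, False, 4500)
```

A peer that does not implement the draft never sends NAT-D payloads, so `choose_port` keeps IKE on port 500 even when a NAT sits in the path.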

XSR User’s Guide 14-11

Enterasys Networks X-Pedition™ manual: Site-to-Site Networks, Site-to-Central-Site Networks, NAT Traversal