VPN Applications

the hosts on the private LAN. The XSR's internal NAT translates only Layer-4 protocols that carry port numbers, such as TCP and UDP. Protocols that carry no ports, such as ICMP, and protocols that embed IP addresses in their payload, such as H.323, are handled by a set of Application Level Gateway (ALG) modules.

Routing updates are unidirectional: the Central site advertises the segments reachable in the corporate network, but the client XSR does not advertise its private LAN. Once it has received the routing update, the client XSR can use a single Internet connection both for the VPN tunnel and for direct access to public services and Web servers on the Internet. This is called split tunneling. Note that traffic sent directly to the Internet bypasses the tunnel, and therefore any security policy enforced at the Central site.
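The following is an added example, not part of the XSR User's Guide and not the XSR's own forwarding code or CLI. It models the client-side route table described above: prefixes learned from the Central site point into the tunnel, and the default route decides whether the branch does split tunneling (default to the ISP interface) or sends everything through the corporate network (default into the tunnel). The prefixes, interface names (`vpn0`, `eth1`) and destination addresses are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]

# Constructed sample: segments the Central site advertises to the client XSR over the tunnel.
# The client never advertises its own LAN, so the Central site's table has no route back to it.
ADVERTISED_BY_CENTRAL = ["10.0.0.0/8", "172.16.20.0/24"]


def client_route_table(advertised: List[str], split_tunnel: bool,
                       tunnel_if: str = "vpn0", isp_if: str = "eth1") -> List[Route]:
    """Routes learned from the Central site point into the tunnel.

    The default route carries the policy: the ISP interface for split tunneling,
    or the tunnel interface when all traffic must pass through the corporate network.
    """
    table = [(ipaddress.ip_network(p), tunnel_if) for p in advertised]
    default_if = isp_if if split_tunnel else tunnel_if
    table.append((ipaddress.ip_network("0.0.0.0/0"), default_if))
    return table


def egress(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match over the table, as a forwarding lookup does."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, iface in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def forwarding_plan(table: List[Route], destinations: List[str],
                    isp_if: str = "eth1") -> Dict[str, Dict[str, object]]:
    """Per destination: egress interface, whether the tunnel protects it, and whether NAT applies.

    Flows leaving on the ISP interface are NATed to the ISP-assigned address and are neither
    protected nor inspected by the Central site; flows into the tunnel keep their private
    source address and are covered by the corporate policy.
    """
    plan: Dict[str, Dict[str, object]] = {}
    for dst in destinations:
        iface = egress(table, dst)
        plan[dst] = {
            "egress": iface,
            "tunneled": iface is not None and iface != isp_if,
            "nat": iface == isp_if,
        }
    return plan


if __name__ == "__main__":
    split = client_route_table(ADVERTISED_BY_CENTRAL, split_tunnel=True)
    for dst, decision in forwarding_plan(split, ["10.1.2.3", "198.51.100.7"]).items():
        print(dst, decision)
```

Running the split-tunnel table shows a corporate destination such as 10.1.2.3 leaving on `vpn0` untranslated, while a public destination such as 198.51.100.7 leaves on `eth1` through NAT; with `split_tunnel=False` the same public destination is forced into the tunnel.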

A secure tunnel to the Central site is established with ISAKMP Aggressive Mode and pre-shared keys, or with Main Mode and certificates. Assigning IP addresses requires Mode-Config support on both the tunnel server and the client XSR. Because Mode-Config is not standardized, using it may affect interoperability with third-party devices. Note that in Aggressive Mode the identities and the authentication hash are exchanged before encryption begins, so a pre-shared key must be long and random enough to resist offline guessing by anyone who can observe the exchange; Main Mode with certificates does not expose this material.
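The following is an added example, not part of the XSR User's Guide and not Enterasys code, illustrating why the pre-shared-key strength matters for the Aggressive Mode option offered here and in the Network Extension scenario. It implements the RFC 2409 derivation for pre-shared-key authentication, SKEYID = prf(PSK, Ni_b | Nr_b) and HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b), with HMAC-SHA1 as the prf, and then shows that a passive observer who captured the first two Aggressive Mode messages (where HASH_R is sent in the clear) can test candidate keys offline. The cookies, SA body, Diffie-Hellman values, nonces, identity and candidate keys are all constructed placeholders, not real IKE payloads.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """IKEv1 prf for a SHA-1 proposal: HMAC-SHA1 (RFC 2409 section 3.2)."""
    return hmac.new(key, data, hashlib.sha1).digest()


@dataclass(frozen=True)
class AggressiveModeCapture:
    """What a passive observer sees in the first two Aggressive Mode messages.

    Every field is a constructed placeholder for the example, not a real payload.
    """
    cky_i: bytes     # initiator cookie (ISAKMP header, message 1)
    cky_r: bytes     # responder cookie (ISAKMP header, message 2)
    sa_i_b: bytes    # body of the initiator's SA payload (message 1)
    g_xi: bytes      # initiator Diffie-Hellman public value (KE, message 1)
    g_xr: bytes      # responder Diffie-Hellman public value (KE, message 2)
    ni_b: bytes      # initiator nonce (message 1)
    nr_b: bytes      # responder nonce (message 2)
    id_ir_b: bytes   # body of the responder's ID payload (message 2)
    hash_r: bytes    # HASH_R, sent unencrypted in message 2


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """SKEYID for pre-shared-key authentication: prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def hash_r(psk: bytes, cky_i: bytes, cky_r: bytes, sa_i_b: bytes, g_xi: bytes,
           g_xr: bytes, ni_b: bytes, nr_b: bytes, id_ir_b: bytes) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid_psk(psk, ni_b, nr_b),
               g_xr + g_xi + cky_r + cky_i + sa_i_b + id_ir_b)


def sample_capture(psk: bytes) -> AggressiveModeCapture:
    """Constructed exchange in which the responder authenticates with `psk`."""
    fields = dict(
        cky_i=bytes.fromhex("a1a2a3a4a5a6a7a8"),
        cky_r=bytes.fromhex("b1b2b3b4b5b6b7b8"),
        sa_i_b=bytes.fromhex("00000001000000010000002c01010001"),   # placeholder SA body
        g_xi=hashlib.sha256(b"constructed g^xi").digest() * 4,     # 128-byte stand-in
        g_xr=hashlib.sha256(b"constructed g^xr").digest() * 4,     # 128-byte stand-in
        ni_b=bytes.fromhex("c0c1c2c3c4c5c6c7c8c9cacbcccdcecf"),
        nr_b=bytes.fromhex("d0d1d2d3d4d5d6d7d8d9dadbdcdddedf"),
        id_ir_b=bytes([2, 0, 0, 0]) + b"vpn.example.net",          # ID_FQDN, protocol/port 0
    )
    return AggressiveModeCapture(hash_r=hash_r(psk, **fields), **fields)


def offline_guess(cap: AggressiveModeCapture, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Recompute HASH_R for each candidate; a match identifies the pre-shared key.

    Nothing here contacts the gateway: every input comes from the captured messages,
    which is what makes a short or guessable PSK dangerous in Aggressive Mode.
    """
    observed = {k: v for k, v in vars(cap).items() if k != "hash_r"}
    for candidate in candidates:
        if hmac.compare_digest(hash_r(candidate, **observed), cap.hash_r):
            return candidate
    return None


if __name__ == "__main__":
    capture = sample_capture(b"branch42")
    print("recovered PSK:", offline_guess(capture, [b"password", b"letmein", b"branch42"]))
```

In Main Mode the same HASH_R is carried inside the encrypted fifth and sixth messages, so an observer has nothing to test candidates against; that is the reason the guide pairs Main Mode with certificates and why a pre-shared key used with Aggressive Mode should be treated like a password that is exposed to unlimited offline guessing.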

Network Extension Mode (NEM)

In the Network Extension scenario, illustrated in Figure 14-6, the branch LAN is visible from the corporate segment because its addressing is part of the corporate addressing plan. Hosts on the branch LAN obtain IP addresses from the main DHCP server on the corporate network, so the XSR must act as a DHCP relay agent (RFC 3046, DHCP Relay Agent Information Option) to forward the hosts' DHCP requests across the tunnel. An obvious limitation of this configuration is that hosts cannot obtain IP addresses until the tunnel to the corporate network is up. The secure tunnel to the tunnel server is established with ISAKMP Aggressive Mode and pre-shared keys, or with Main Mode and certificates.
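The following is an added example, not part of the XSR User's Guide and not the XSR's relay implementation, showing what the DHCP relay step in the Network Extension scenario does to a host's request: it fills in `giaddr` with the relay's branch-LAN address so the corporate server picks a lease from the right segment, increments `hops`, appends the RFC 3046 Relay Agent Information option (sub-option 1, Circuit ID), and forwards the packet as a unicast toward the server through the tunnel. A `tunnel_up` flag models the limitation stated above: with the tunnel down there is no path to the server and the request is dropped. The transaction ID, MAC address, interface address and circuit identifier are constructed for the example.

```python
import ipaddress
import struct
from typing import Dict, Optional, Tuple

# RFC 2131 fixed-length header: op, htype, hlen, hops, xid, secs, flags,
# ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file (236 bytes), then the magic cookie.
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"
BOOTREQUEST = 1
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
MAX_HOPS = 16  # RFC 1542: a relay agent discards requests whose hops field exceeds 16


def build_discover(xid: int, mac: bytes) -> bytes:
    """DHCPDISCOVER broadcast by a branch host with no address yet (ciaddr and giaddr zero)."""
    zero4 = b"\x00" * 4
    hdr = HDR.pack(BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000, zero4, zero4, zero4, zero4,
                   mac.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    return hdr + MAGIC + bytes([OPT_MSG_TYPE, 1, 1, OPT_END])   # message type 1 = DISCOVER


def _options(pkt: bytes) -> Tuple[Dict[int, bytes], int]:
    """Walk the option field; return (code -> data, offset of the END option)."""
    opts: Dict[int, bytes] = {}
    i = HDR.size + len(MAGIC)
    while i < len(pkt):
        code = pkt[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            return opts, i
        length = pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return opts, len(pkt)


def parse(pkt: bytes) -> dict:
    """Decode the fields a relay agent and a server act on."""
    if pkt[HDR.size:HDR.size + len(MAGIC)] != MAGIC:
        raise ValueError("not a DHCP message")
    f = HDR.unpack_from(pkt)
    opts, _ = _options(pkt)
    return {
        "op": f[0], "hops": f[3], "xid": f[4],
        "ciaddr": str(ipaddress.IPv4Address(f[7])),
        "giaddr": str(ipaddress.IPv4Address(f[10])),
        "chaddr": f[11][:f[2]],
        "options": opts,
    }


def relay_to_corporate_server(pkt: bytes, branch_if_ip: str, circuit_id: bytes,
                              tunnel_up: bool) -> Optional[bytes]:
    """Relay a client request toward the corporate DHCP server across the VPN tunnel.

    Returns the packet to unicast to the server, or None when it must be dropped
    (tunnel down, not a request, or hop limit reached).
    """
    if not tunnel_up:                     # no path to the server until the tunnel is up
        return None
    f = list(HDR.unpack_from(pkt))
    if f[0] != BOOTREQUEST or f[3] >= MAX_HOPS:
        return None
    f[3] += 1                             # hops
    if f[10] == b"\x00" * 4:              # giaddr: the first relay on the path fills it in
        f[10] = ipaddress.IPv4Address(branch_if_ip).packed
    _, end = _options(pkt)
    sub_opt = bytes([1, len(circuit_id)]) + circuit_id           # RFC 3046 sub-option 1: Circuit ID
    relay_opt = bytes([OPT_RELAY_AGENT, len(sub_opt)]) + sub_opt
    return HDR.pack(*f) + pkt[HDR.size:end] + relay_opt + bytes([OPT_END])


if __name__ == "__main__":
    request = build_discover(0x3903F326, bytes.fromhex("001122334455"))
    relayed = relay_to_corporate_server(request, "10.20.0.1", b"br1-lan", tunnel_up=True)
    print(parse(relayed))
```

The server answers to `giaddr`, so the reply also comes back through the tunnel to the relay, which then delivers it on the branch LAN; the Circuit ID lets the corporate server or its logs tell which branch interface a lease was requested from.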

Remote Access Networks

In a Remote Access application, shown in Figure 14-7, a client connects to the corporate network much as a dial-in user does. First, the client connects to an ISP and is assigned an external IP address, which is used to route its packets over the Internet.

Then the remote client initiates a tunnel to the XSR and is assigned an internal IP address belonging to the corporate network. Once connected, the remote client operates as if it were directly attached to the corporate LAN.

Figure 14-7 VPN Remote Access Topology

[Figure: a remote client, with an external address assigned by the ISP, builds a VPN tunnel across the Internet to the XSR/VPN Gateway. The VPN Gateway assigns the client an IP address from the corporate network and sends it routing updates. The corporate network behind the gateway contains a Server, a RADIUS server and a DHCP server.]

Several protocols provide remote access functionality: Windows 95/98 supports remote access with PPTP and MPPE, and Windows 2000 supports L2TP over IPsec. PPTP's authentication (MS-CHAP) is now known to be weak, so L2TP over IPsec should be preferred wherever the client supports it.

Depending on the protocol, the remote access scenario may require user authentication as well as machine authentication. The user database may be located on the XSR itself or on a RADIUS server

XSR User’s Guide 14-13

Enterasys Networks X-Pedition™ manual: Remote Access Networks, Network Extension Mode (NEM)