VPN Applications

From the server’s point of view, connected tunnels are point-to-multipoint links. The VPN interface serving as the server’s tunnel endpoint must be a point-to-multipoint interface. Additionally, the server does not see segments behind the clients because in Client Mode, NAT is employed inside the tunnel and all traffic originating from trusted segments is NAT-ed with the IP address assigned by the server, as shown in Figure 14-8.

Figure 14-8 Site-to-Site Client Mode Topology

[Figure 14-8 residue: the figure shows a Client (interfaces F1, F2 and VPN 1) and a Server (interfaces F1, F2 and VPN 1) joined across the INTERNET by a VPN tunnel, with NAT applied inside the tunnel on the client side.]

Figure annotations:

Client side: "Private segment invisible to server." The client's VPN 1 interface is a point-to-point interface. This endpoint's IP address is assigned by the server. The other tunnel endpoint's IP address is configured on the server's VPN interface.

Server side: the server's VPN 1 interface is a point-to-multipoint interface that terminates tunnels (including tunnels to another client) and faces the corporate network on F1.

In this scenario, you may use OSPF to advertise the corporate network’s reachability via an established tunnel.

Advertising these networks becomes extremely valuable when the client connects to more than one server. In that case, the client will have two VPN interfaces, expressed here as VPN 1 and VPN 2. Routes learned via OSPF will inform the IP routing engine which IP addresses are reachable via the VPN 1 interface and which are reachable via the VPN 2 interface. Based on the example shown in Figure 14-8, the following OSPF settings should be applied to the interfaces:

Server

Fast/GigabitEthernet 1 interface: This trusted side of the network on the XSR may consist of more than one IP segment. A network attached to Fast/GigabitEthernet 1 will be advertised in an OSPF area.

Fast/GigabitEthernet 2 interface: OSPF must be disabled here because this is the default external connection to the Internet. The server should not receive updates from the Internet nor pass along information about private segments to the Internet.

VPN 1 interface: OSPF is required here to establish adjacency with connecting clients. OSPF treats a set of connected clients as a point-to-multipoint network. Before exchanging OSPF packets, the server must separately build adjacency with each connected client. If the server cannot establish OSPF adjacency with a client, it will not send OSPF updates to that client.
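The interface rules above, and the VPN 1 versus VPN 2 route selection described earlier, as an added example that is not part of the XSR User's Guide or the XSR firmware: a small audit over a constructed interface table (names, roles and link types are assumptions chosen to mirror Figure 14-8), followed by a longest-prefix lookup over constructed OSPF-learned routes.

```python
"""Added example: audit OSPF placement for a client-mode VPN server and
show which VPN interface OSPF-learned routes select. Not XSR code."""
import ipaddress

# Constructed server interface table modelled on Figure 14-8.
# Two deliberate mistakes: OSPF left on the Internet-facing port, and
# the server tunnel endpoint configured as point-to-point.
SERVER_IFACES = {
    "FastEthernet1": {"role": "trusted", "ospf": True, "link": "broadcast"},
    "FastEthernet2": {"role": "internet", "ospf": True, "link": "broadcast"},
    "VPN1": {"role": "vpn-server", "ospf": True, "link": "point-to-point"},
}

def audit_ospf(ifaces):
    """Return a list of findings; an empty list means the layout matches the rules."""
    findings = []
    for name, cfg in ifaces.items():
        if cfg["role"] == "internet" and cfg["ospf"]:
            findings.append(f"{name}: OSPF enabled on the Internet-facing interface; "
                            "private segments could be advertised to, and updates "
                            "accepted from, the Internet")
        if cfg["role"] == "vpn-server":
            if not cfg["ospf"]:
                findings.append(f"{name}: OSPF disabled; no adjacency with clients")
            elif cfg["link"] != "point-to-multipoint":
                findings.append(f"{name}: server tunnel endpoint must be "
                                f"point-to-multipoint, got {cfg['link']}")
        if cfg["role"] == "trusted" and not cfg["ospf"]:
            findings.append(f"{name}: trusted segment not advertised (OSPF disabled)")
    return findings

# Constructed client-side routes learned via OSPF from two servers.
LEARNED_ROUTES = [
    ("10.1.0.0/16", "VPN1"),
    ("10.2.0.0/16", "VPN2"),
    ("10.1.5.0/24", "VPN2"),  # more specific prefix reachable only via server 2
]

def egress_interface(dst, routes=LEARNED_ROUTES):
    """Longest-prefix match: which VPN interface carries traffic to dst?"""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

if __name__ == "__main__":
    for finding in audit_ospf(SERVER_IFACES):
        print("FINDING:", finding)
    print("10.1.5.7 ->", egress_interface("10.1.5.7"))
```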

XSR User’s Guide 14-15
