VPN Applications

Client

Fast/GigabitEthernet 1 interface: This is a private, non-routable segment, usually 192.168.1.0/24. OSPF must be disabled on F1. If OSPF is enabled on this interface, the segment will be advertised to the server. The server's IP routing table will learn a route to this segment via the VPN interface connected to the client, but the segment is unreachable because NAT is enabled. Be aware that if two clients advertise the same private segment, e.g., 192.168.1.0/24, the server will learn two routes that appear to lead to the same destination but in fact lead to two different networks.

Fast/GigabitEthernet 2 interface: OSPF should be disabled here for the same reason it is disabled on the server.

VPN 1 interface: OSPF must be enabled on this interface to receive updates from the server.

If other clients connecting to the VPN 1 interface on the server do not support OSPF (e.g., Windows remote access clients), OSPF ignores them and continues exchanging information with those clients that do support OSPF.

On the client, a tunnel associated with interface VPN 1 is created by means of the XSR’s EZ-IPsec functionality. EZ-IPsec automatically inserts SPDs on Fast/GigabitEthernet interface 2 which specify that only traffic from and to the IP address assigned by the server should be encrypted. There is no conflict between SPDs and OSPF routing on this connection.
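As an added illustration, not taken from the manual, the following Python audit applies the two client-mode rules above to a constructed set of interface records: OSPF must be off on the NATed Fast/GigabitEthernet 1 segment, and two clients must not both advertise the same private prefix. The client names, interface names and addresses are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Iface:
    client: str   # client site the interface belongs to (constructed label)
    name: str     # interface name, e.g. "FastEthernet1" or "VPN1"
    prefix: str   # segment on or behind the interface
    ospf: bool    # is OSPF enabled on this interface?
    nat: bool     # is traffic from this segment NATed toward the tunnel?


def ospf_audit(ifaces):
    """Return (client, interface_or_prefix, problem) tuples.

    Check 1: OSPF enabled on a NATed private segment. The server would learn
             a route through the tunnel to a segment it can never reach.
    Check 2: the same prefix advertised by more than one client. The server
             sees two routes to what looks like one destination but is two LANs.
    """
    findings = []
    advertised = {}  # prefix -> set of clients advertising it
    for i in ifaces:
        net = ip_network(i.prefix, strict=False)
        if i.ospf and i.nat and net.is_private:
            findings.append((i.client, i.name,
                             f"OSPF advertises NATed private segment {net}; "
                             "unreachable from the server"))
        if i.ospf:
            advertised.setdefault(net, set()).add(i.client)
    for net, clients in advertised.items():
        if len(clients) > 1:
            findings.append(("*", str(net),
                             f"advertised by {sorted(clients)}; ambiguous routes on the server"))
    return findings


# Constructed sample: both clients wrongly run OSPF on their NATed 192.168.1.0/24 LAN.
SAMPLE = [
    Iface("clientA", "FastEthernet1", "192.168.1.0/24", ospf=True, nat=True),
    Iface("clientA", "FastEthernet2", "203.0.113.10/30", ospf=False, nat=False),
    Iface("clientA", "VPN1", "10.10.0.5/32", ospf=True, nat=False),
    Iface("clientB", "FastEthernet1", "192.168.1.0/24", ospf=True, nat=True),
    Iface("clientB", "VPN1", "10.10.0.6/32", ospf=True, nat=False),
]

# Same sites with OSPF disabled on F1, as the text requires: no findings.
FIXED = [Iface(i.client, i.name, i.prefix, False, i.nat) if i.name == "FastEthernet1" else i
         for i in SAMPLE]

if __name__ == "__main__":
    for f in ospf_audit(SAMPLE):
        print(*f, sep=" | ")
```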

The commands to configure this scenario are shown on page 14-36.

Configuring OSPF over Site-to-Central Site in Network Extension Mode

Compared to Client Mode, Network Extension Mode is more flexible at the cost of a more involved configuration. As shown in Figure 14-9, NAT is not used on the VPN interface at the client site. The trusted network behind the client is a fully routable segment and may be reached from the corporate network.

Figure 14-9 Site-to-Site Network Mode Topology

[Figure 14-9 shows a VPN tunnel across the Internet between a Client and a Server. Client: F1 (segment is an extension of the corporate net), F2, and VPN 1, a point-to-point interface whose IP address is assigned by the server; the other tunnel endpoint's IP address is configured on the server's VPN interface. Server: F1 (corporate network), F2 (Internet), and VPN 1, a point-to-multipoint interface that terminates tunnels, including those to other clients.]

14-16 Configuring the Virtual Private Network
