User's Guide

240 XSR Users Guide
VPN Applications Chapter 11
Configuring the Virtual Private Network
This feature specifies whether the router clears, sets, or copies the Don't Fragment (DF)
bit in the encapsulating (outer) IP header that IPSec tunnel mode adds to each packet.
It is available only for IPSec tunnel mode; transport mode is not affected because it
adds no encapsulating IP header, so the original header's DF bit is carried unchanged.
DF-bit handling typically matters in enterprise configurations whose hosts do the
following:
- Sit behind firewalls that block Internet Control Message Protocol (ICMP) errors
from outside the firewall, so the hosts never receive the ICMP "fragmentation
needed" messages that would tell them the Maximum Transmission Unit (MTU)
size beyond the firewall
- Set the DF bit in the packets they send
- Rely on IP Security (IPSec) to encapsulate their packets, which adds header
overhead and so reduces the MTU size available to the original packet
If your topology includes such hosts, which cannot learn the available path MTU
size, you can set the XSR to clear the DF bit on the encapsulating header so that
oversized tunnel packets are fragmented along the path instead of being dropped.
Be aware that clearing the DF bit disables Path MTU Discovery for the tunnel and
moves the cost of fragmentation and reassembly onto the intermediate routers and
the far tunnel endpoint. See “XSR with VPN - Central Gateway” on page 277 for a
sample configuration.
NOTE
The DF-bit setting can be configured globally or per interface. If both levels are
configured, the interface setting overrides the global setting. The setting is
supported on any interface on which VPN can be configured.
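The following Python model illustrates the three DF-bit policies described above and why the "clear" setting helps hosts that cannot see ICMP errors. It is an added example written for this page, not XSR code or the XSR's CLI: it builds a real IPv4 header for the inner packet and the tunnel-mode outer header, applies the copy/set/clear policy to the outer DF bit, and then emulates a downstream router whose link MTU is smaller than the encapsulated packet. ESP is not actually performed; its header, padding and ICV are stood in for by ESP_OVERHEAD bytes (an assumed, transform-dependent value), and the addresses and MTU values are constructed for the demonstration.

```python
"""DF-bit policies on an IPsec tunnel-mode outer header (added example).

Models the clear / set / copy choices for the encapsulating header and what
a downstream router does when the tunnelled packet exceeds the link MTU.
Standard library only. ESP itself is elided: the ESP header, ciphertext,
padding and ICV are stood in for by ESP_OVERHEAD zero bytes, because only
sizes and header flags matter here. ESP_OVERHEAD and all addresses are
assumptions made for this example.
"""
import socket
import struct

IPV4_HDR_LEN = 20
DF_FLAG = 0x4000   # Don't Fragment
MF_FLAG = 0x2000   # More Fragments
ESP_PROTO = 50
# Assumed per-packet ESP tunnel-mode overhead on top of the outer IPv4 header:
# ESP header 8 + IV 16 + padding/pad-length/next-header up to 18 + ICV 12.
ESP_OVERHEAD = 8 + 16 + 18 + 12


def checksum(data: bytes) -> int:
    """RFC 791 one's-complement header checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: bytes, dst: bytes, proto: int, payload: bytes, *,
               df: bool, ident: int = 0, frag_off: int = 0, mf: bool = False) -> bytes:
    """Minimal IPv4 packet (no options, TTL 64) with explicit DF/MF/offset."""
    flags_frag = (DF_FLAG if df else 0) | (MF_FLAG if mf else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(payload),
                      ident, flags_frag, 64, proto, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]
    return hdr + payload


def df_is_set(pkt: bytes) -> bool:
    """Read the DF bit from the flags/fragment-offset field."""
    return bool(struct.unpack("!H", pkt[6:8])[0] & DF_FLAG)


def encapsulate(inner: bytes, policy: str, tun_src: bytes, tun_dst: bytes,
                ident: int = 0) -> bytes:
    """Tunnel-mode encapsulation; policy decides the OUTER header's DF bit.

    copy  - mirror the inner packet's DF bit
    set   - always set DF on the tunnel packet
    clear - always clear DF so routers on the path may fragment it
    """
    outer_df = {"copy": df_is_set(inner), "set": True, "clear": False}[policy]
    esp = inner + b"\x00" * ESP_OVERHEAD      # stand-in for ESP hdr + ciphertext + ICV
    return build_ipv4(tun_src, tun_dst, ESP_PROTO, esp, df=outer_df, ident=ident)


def forward(pkt: bytes, link_mtu: int):
    """Emulate a router placing pkt on a link of link_mtu bytes.

    Returns ("sent", [pkt]), ("fragmented", [frag, ...]) or ("dropped", []).
    The dropped case is where a real router sends ICMP Fragmentation Needed
    (type 3, code 4) back to the source; if a firewall discards that ICMP,
    the source never learns the smaller path MTU and keeps retransmitting.
    """
    if len(pkt) <= link_mtu:
        return "sent", [pkt]
    if df_is_set(pkt):
        return "dropped", []
    hdr, payload = pkt[:IPV4_HDR_LEN], pkt[IPV4_HDR_LEN:]
    _, _, _, ident, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", hdr)
    chunk = (link_mtu - IPV4_HDR_LEN) // 8 * 8   # fragment data is in 8-byte units
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        frags.append(build_ipv4(src, dst, proto, piece, df=False, ident=ident,
                                frag_off=off, mf=off + chunk < len(payload)))
    return "fragmented", frags


def outcome(policy: str, inner_df: bool, link_mtu: int = 1500, tcp_payload: int = 1460):
    """Send one inner packet through the tunnel and the link; return (status, count)."""
    host, server = socket.inet_aton("10.1.1.10"), socket.inet_aton("10.2.2.20")
    xsr, peer = socket.inet_aton("198.51.100.1"), socket.inet_aton("203.0.113.1")
    inner = build_ipv4(host, server, 6, b"A" * tcp_payload, df=inner_df, ident=1234)
    outer = encapsulate(inner, policy, xsr, peer, ident=99)   # 1554 bytes here
    status, pieces = forward(outer, link_mtu)
    return status, len(pieces)


if __name__ == "__main__":
    for policy in ("copy", "set", "clear"):
        print(policy, "| DF-set host:", outcome(policy, True),
              "| DF-clear host:", outcome(policy, False))
```

With a 1460-byte TCP segment the inner packet is 1480 bytes and the tunnel packet 1554 bytes, which no longer fits a 1500-byte link. Under "copy" or "set", a host that sets DF gets its traffic dropped at that link, and because the ICMP error is filtered it has no way to lower its segment size; under "clear" the router fragments the outer packet into two pieces that the far tunnel endpoint reassembles before decrypting.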
VPN Applications
The XSR supports the following applications:
- Site-to-Site (Peer-to-Peer): XSRs establish connections over the Internet
with each other, with ANG-1102/1105s and 7000s, or with third-party devices,
authenticated with either certificates or pre-shared keys. While this is the
simplest tunnel to set up, it does not provide as rich a functionality set as a
Site-to-Central-Site tunnel.
- Site-to-Central-Site: XSRs acting as tunnel servers, with Client Mode or
Network Extension Mode enabled, establish connections with each other, with
ANG-1102/1105s, or with 7000s, again authenticated with pre-shared keys or
certificates. This type of tunnel offers several advantages over a Site-to-Site
tunnel, including:
  - RIP or OSPF routing is supported
  - Tunnel heartbeats are supported
  - Tunnel failover is consistently supported