XSR User's Guide (page 242)
Chapter 11: VPN Applications
Configuring the Virtual Private Network
Figure 42 VPN Site-to-Site Topology
Note that routers or VPN gateways that terminate tunnels cannot reside behind a
NAT device: each endpoint's external address must be a valid, publicly routable
address that its peer can reach directly. This matters in the site-to-site case
because both XSRs play an equivalent role and either gateway may initiate the
tunnel, so both need routable external addresses.
VPN gateways terminating a tunnel cannot run routing protocols and must
therefore rely solely on static routes to reach the networks behind the peer.
Only packets destined for those networks are encrypted and sent through the
tunnel. All other traffic is either dropped or forwarded to the Internet in
cleartext, depending on your security policy, so make sure the policy permits
only traffic that may legitimately leave the site unencrypted.
Authentication for IPSec tunnels is performed with pre-shared keys or
certificates. Pre-shared keys are acceptable in this application because the
number of connected peers is small; use a distinct, strong key for each peer so
that compromise of one key does not expose every tunnel.
Because the XSR builds tunnels using IETF standards, it can interoperate with
other vendors' devices. Multi-protocol (non-IP) traffic can be exchanged over
the tunnels, but it must first be encapsulated in GRE and then encrypted with
IPSec, since IPSec itself carries only IP packets.
Refer to “Configuring a Simple VPN Site-to-Site Application” on page 271
and “Configuration Examples” on page 277 for detailed Site-to-Site setups.
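The following Python model illustrates the three site-to-site rules described above: a tunnel endpoint must have a routable (non-NAT) external address, only traffic for the networks behind the peer (known via static routes, not a routing protocol) is encrypted into the tunnel, and everything else is dropped or forwarded in cleartext according to policy, with non-IP protocols riding in GRE before IPSec. It is an added example, not XSR code or CLI; the class and function names, the address blocks treated as non-routable, and all gateway addresses and networks are constructed for the illustration (RFC 5737 documentation addresses stand in for public ones).

```python
"""Site-to-site tunnel policy model (added example, not XSR code).

All addresses, networks and names here are constructed for illustration.
"""
import ipaddress
from enum import Enum

# Address blocks that cannot serve as a tunnel endpoint: a gateway whose
# external address falls in one of these is behind NAT or otherwise not
# reachable by its peer. RFC 5737 documentation ranges are deliberately
# not listed so they can stand in for public addresses in this example.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


class Action(Enum):
    ENCRYPT = "encrypt and send through tunnel"
    FORWARD = "forward to Internet in cleartext"
    DROP = "drop"


def check_gateway_address(addr: str) -> ipaddress.IPv4Address:
    """Reject external addresses that a peer could not reach directly."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4 or any(ip in net for net in NON_ROUTABLE):
        raise ValueError(f"{addr} is not a routable tunnel endpoint address")
    return ip


class SiteToSitePolicy:
    """Hypothetical policy object for one XSR in a site-to-site pair."""

    def __init__(self, local_gw, peer_gw, peer_networks, forward_cleartext):
        # Either gateway may initiate, so both endpoints must be routable.
        self.local_gw = check_gateway_address(local_gw)
        self.peer_gw = check_gateway_address(peer_gw)
        # Static routes standing in for a routing protocol: these are the
        # only networks the policy knows to be behind the peer.
        self.peer_networks = [ipaddress.ip_network(n) for n in peer_networks]
        # Security policy for traffic that does not match a peer network.
        self.forward_cleartext = forward_cleartext

    def classify(self, dst: str) -> Action:
        """Decide what happens to a packet with destination address dst."""
        ip = ipaddress.ip_address(dst)
        if any(ip in net for net in self.peer_networks):
            return Action.ENCRYPT
        return Action.FORWARD if self.forward_cleartext else Action.DROP

    @staticmethod
    def encapsulation(protocol: str) -> list:
        """Encapsulation layers applied to tunnelled traffic, innermost first.
        Non-IP protocols go into GRE first because IPSec carries only IP."""
        if protocol.lower() == "ip":
            return ["IPSec"]
        return ["GRE", "IPSec"]


if __name__ == "__main__":
    # Constructed sample: site A at 203.0.113.1, site B at 198.51.100.1,
    # with 10.2.0.0/16 behind site B and a drop-by-default policy.
    policy = SiteToSitePolicy("203.0.113.1", "198.51.100.1",
                              ["10.2.0.0/16"], forward_cleartext=False)
    for dst in ("10.2.4.7", "192.0.2.20"):
        print(dst, "->", policy.classify(dst).value)
    print("IPX ->", policy.encapsulation("ipx"))
```

Run it and the 10.2.4.7 packet is encrypted into the tunnel while the 192.0.2.20 packet is dropped; flip `forward_cleartext` to `True` and the second packet is forwarded unencrypted, which is exactly the policy decision the text warns you to make deliberately. Constructing the policy with an RFC 1918 gateway address raises `ValueError`, mirroring the rule that a tunnel endpoint cannot sit behind NAT.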
[Figure 42 diagram labels: XSR/VPN Gateway, VPN tunnel across the Internet, XSR/VPN Gateway; routing updates shown at each site]