User's guide

XSR User's Guide
Chapter 11 VPN Applications
Configuring the Virtual Private Network
Site-to-Central-Site Networks
In a Site-to-Central-Site application, the connecting nodes are not equivalent:
one node initiates the connection and the other accepts it. In practice, the
initiating node represents the smaller entity and connects to the larger
corporate network. Because the connection is always initiated by one site,
the initiating node can reside behind an ISP-operated NAT device. The presence
of NAT, however, requires the IPSec modification known as NAT traversal.
Depending on the type of IP address management configured on the
connecting site of this application, site-to-central-site networks can be built
in two ways, as shown in Figure 43.
Figure 43 Site-to-Central-Site Topology
[Figure: two panels, Client Mode and Network Extension Mode. Each shows an XSR/VPN Gateway behind an ISP NAT, connected by a VPN tunnel across the Internet to the XSR/Central site tunnel server on the corporate network, with routing updates and DHCP server labels. Client Mode (Private LAN, internal NAT/DHCP server): "Addressing on this LAN segment is hidden from the corporate network by NAT in the XSR". Network Extension Mode (Branch LAN, DHCP relay): "Addressing in this LAN segment is an extension of addressing used in the corporate network".]
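
How the two ends can discover the ISP NAT that makes NAT traversal necessary, as an added example that is not taken from the XSR guide. It assumes IKEv1 NAT discovery as specified in RFC 3947 (the guide page does not name the mechanism); the function names, addresses and cookies are constructed for illustration.

```python
import hashlib
import ipaddress
import struct

IKE_PORT, NAT_T_PORT = 500, 4500  # RFC 3947: peers float to UDP 4500 once a NAT is found


def nat_d_hash(cky_i, cky_r, endpoint, algo="sha1"):
    """NAT-D value per RFC 3947: HASH(CKY-I | CKY-R | IP | Port)."""
    ip, port = endpoint
    if len(cky_i) != 8 or len(cky_r) != 8:
        raise ValueError("IKEv1 cookies are 8 bytes each")
    packed = ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, cky_i + cky_r + packed).digest()


def sender_payloads(cky_i, cky_r, local, remote):
    """Sender lists the hash of the remote end first, then its own address."""
    return [nat_d_hash(cky_i, cky_r, remote), nat_d_hash(cky_i, cky_r, local)]


def receiver_check(cky_i, cky_r, payloads, seen_src, seen_dst):
    """Compare the sender's hashes with the addresses seen on the arriving packet."""
    if len(payloads) < 2:
        raise ValueError("need a destination hash and at least one source hash")
    # First payload covers the receiver's own address as the sender addressed it.
    local_natted = payloads[0] != nat_d_hash(cky_i, cky_r, seen_dst)
    # Remaining payloads cover the sender's address(es) before any translation.
    peer_natted = nat_d_hash(cky_i, cky_r, seen_src) not in payloads[1:]
    nat_found = local_natted or peer_natted
    return {
        "peer_behind_nat": peer_natted,
        "local_behind_nat": local_natted,
        "ike_port": NAT_T_PORT if nat_found else IKE_PORT,
        "udp_encapsulate_esp": nat_found,
    }


# Constructed sample values (documentation address ranges, made-up cookies).
CKY_I, CKY_R = bytes.fromhex("0102030405060708"), bytes.fromhex("1112131415161718")
BRANCH = ("192.168.1.10", 500)      # initiating XSR, address on its private side
BRANCH_NAT = ("203.0.113.7", 1027)  # same packet after the ISP NAT rewrote it
CENTRAL = ("198.51.100.1", 500)     # central-site tunnel server

if __name__ == "__main__":
    sent = sender_payloads(CKY_I, CKY_R, BRANCH, CENTRAL)
    print(receiver_check(CKY_I, CKY_R, sent, BRANCH_NAT, CENTRAL))
```

The central site sees a source hash that matches none of the initiator's payloads, so it concludes the initiator is behind a NAT and both ends switch to UDP-encapsulated ESP.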