244 XSR User’s Guide
VPN Applications Chapter 11
Configuring the Virtual Private Network
Client Mode
In the Client scenario, a private LAN residing behind the XSR is hidden from
the corporate network. When the XSR connects to the Central site tunnel
server, the tunnel server assigns the router an IP address which can be chosen
from an internal pool kept by the tunnel server or from a DHCP server
located on the corporate network. Hosts residing on the private LAN obtain
IP addresses from a DHCP server running within the XSR.
Each session between a host on the private LAN and a server on the corporate
network is translated by a NAT device within the XSR, so from the corporate
perspective the entire private LAN is represented as a single IP address. This
application is limited in that hosts on the private LAN are not visible from the
corporate network, so every session must be initiated from the hosts on the
private LAN. Another limitation is that the XSR's internal NAT operates only
on Layer-4 protocols such as TCP and UDP; NAT also employs a set of
Application Level Gateway (ALG) modules to process non-UDP/TCP
protocols such as ICMP and H.323.
Routing updates are unidirectional: the Central site advertises segments
reachable in the corporate network, but the XSR does not advertise the
private LAN. After receiving a routing update, the XSR can use its
connection to the Internet both for the VPN tunnel and to reach public
services located on the Internet, such as Web servers.
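The following is an added example, not code from the XSR User's Guide, that models the Client Mode NAT behaviour described above: every LAN-initiated TCP/UDP session is rewritten to the single tunnel address assigned by the Central site, packets arriving from the corporate side are forwarded only when they match a session a LAN host opened, and non-TCP/UDP traffic is refused because it would need an ALG (not modelled here). The tunnel address, host addresses and port range are constructed sample values.

```python
from dataclasses import dataclass

# Constructed: the address the Central site tunnel server assigned via Config Mode.
TUNNEL_IP = "10.200.0.7"


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp", "icmp", ...
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class ClientModeNat:
    """Models the XSR's Client Mode NAT: one public (tunnel) address for the whole LAN."""

    def __init__(self, tunnel_ip=TUNNEL_IP, first_port=20000):
        self.tunnel_ip = tunnel_ip
        self.next_port = first_port
        # LAN-initiated sessions -> allocated tunnel-side port
        self.outbound = {}  # (proto, lan_ip, lan_port, corp_ip, corp_port) -> nat_port
        # Reverse mapping used to admit replies from the corporate network
        self.inbound = {}   # (proto, nat_port, corp_ip, corp_port) -> (lan_ip, lan_port)

    def outbound_translate(self, pkt):
        """LAN -> corporate: rewrite the source to the tunnel address and record the session."""
        if pkt.proto not in ("tcp", "udp"):
            return None  # Layer-4 only; ICMP, H.323 etc. would need an ALG
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        nat_port = self.outbound.get(key)
        if nat_port is None:
            nat_port = self.next_port
            self.next_port += 1
            self.outbound[key] = nat_port
            self.inbound[(pkt.proto, nat_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.tunnel_ip, nat_port, pkt.dst_ip, pkt.dst_port)

    def inbound_translate(self, pkt):
        """Corporate -> LAN: forward only replies to a LAN-initiated session, else drop."""
        lan = self.inbound.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if lan is None:
            return None  # no matching session: the private LAN is not reachable from outside
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan[0], lan[1])
```

A `None` return from `inbound_translate` is the page's "sessions must be initiated from the private LAN" limitation made concrete: an unsolicited connection from the corporate side has nowhere to go.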
A secure tunnel to the Central site tunnel server is established by means of
IETF ISAKMP Aggressive Mode with pre-shared keys or Main Mode using
certificates. The assignment of IP addresses requires the support of Config
Mode on the tunnel server and the XSR. Since Config Mode is not
standardized, using it may affect interoperability with third-party devices.
The Client application also supports the XSR's EZ-IPSec technique, which
offloads work from the administrator: most configuration is performed at the
Central site, and the specified values are pushed to the connecting device
during tunnel creation.
Network Extension Mode (NEM)
In the Network Extension scenario, as illustrated in Figure 43, the branch
LAN is visible from the corporate segment because the addressing used on that
LAN extends the addressing used on the corporate network. Hosts located
on the branch LAN obtain IP addresses from the main DHCP server located