246 XSR User’s Guide
VPN Applications Chapter 11
Configuring the Virtual Private Network
Depending on the protocol, the remote access scenario may require user
authentication as well as machine authentication. The user database may be
located on the XSR itself or on a RADIUS server. After a tunnel has been built,
the XSR may advertise routing information about the corporate network to
the client, which can use this information to split its traffic between the
secure tunnel and its direct Internet connection, reaching public services on
the Internet without sending them through the tunnel.
The XSR acts as a tunnel server; its role is to authenticate connecting clients
and assign them IP addresses. Authentication can be performed in several
ways depending on the protocol used.
For PPTP, authentication is achieved by means of PPP-based authentication
methods such as MS-CHAP, EAP, PAP, and CHAP. Note that some of these
methods are not secure because passwords and user IDs traverse the Internet
in clear text. With PPTP, the machine is not authenticated.
With L2TP over IPSec, an IPSec connection must be created before an L2TP
connection can be established between a client and the XSR. The IPSec
connection is authenticated either with certificates installed on the connecting
device and on the XSR, or with pre-shared keys.
User authentication is PPP-based, but since the L2TP session is protected by
IPSec, any form of PPP authentication is secure.
Using OSPF Over a VPN Network
OSPF functions on the XSR to dynamically discover networks and adjust the
routing table when network connections fail. The VPN protocol provides
secure packet transport over the public network by the use of cryptographic
policies attached to XSR interfaces which secure selected flows of traffic.
When OSPF and VPN protocols are both employed over a network, conflicts
may arise. For example, OSPF may advertise that a particular network
segment is reachable, while the VPN policies prohibit traffic destined for
that segment, so the advertised route leads to packets that are dropped.
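As an added illustration of this conflict (example code, not from the guide), the following Python script cross-checks a constructed list of OSPF-advertised prefixes against an ordered IPSec policy and reports every prefix the tunnel would not fully carry; the policy tuples, the "protect"/"deny" labels and all addresses are assumptions for the example, not XSR configuration syntax.

```python
"""Cross-check OSPF-advertised prefixes against an ordered IPsec policy (constructed example)."""
import ipaddress

# Constructed sample data; the prefixes and the "protect"/"deny" labels are
# illustrative and are not XSR configuration syntax.
CLIENT_POOL = "192.168.100.0/24"            # addresses assigned to tunnel clients
ADVERTISED = ["10.10.1.0/24", "10.10.2.0/24", "172.16.0.0/16", "192.168.50.0/24"]
POLICY = [                                  # (action, source, destination), first match wins
    ("deny",    "192.168.100.0/24", "10.10.2.0/24"),
    ("protect", "192.168.100.0/24", "10.10.0.0/16"),
    ("protect", "192.168.100.0/24", "172.16.0.0/24"),
]


def evaluate(policy, src, dst):
    """Return how the ordered policy treats a flow from src to the whole dst prefix.

    The first rule whose selectors touch the flow decides, as an ordered policy
    would; a dst prefix that only partly fits that rule is reported for review
    instead of being assumed protected.
    """
    for action, rule_src, rule_dst in policy:
        rule_src, rule_dst = ipaddress.ip_network(rule_src), ipaddress.ip_network(rule_dst)
        if not src.subnet_of(rule_src):
            continue
        if dst.subnet_of(rule_dst):
            return "protected" if action == "protect" else "denied by policy"
        if dst.overlaps(rule_dst):
            return f"partly covered: only {rule_dst} matches a '{action}' rule"
    return "no matching policy"


def find_conflicts(advertised, policy, client_pool):
    """Map each advertised prefix that the tunnel will not fully carry to the reason."""
    src = ipaddress.ip_network(client_pool)
    conflicts = {}
    for prefix in advertised:
        verdict = evaluate(policy, src, ipaddress.ip_network(prefix))
        if verdict != "protected":
            conflicts[prefix] = verdict
    return conflicts


if __name__ == "__main__":
    for prefix, why in find_conflicts(ADVERTISED, POLICY, CLIENT_POOL).items():
        print(f"{prefix}: advertised by OSPF but {why}")
```

Running it lists 10.10.2.0/24 (denied), 172.16.0.0/16 (only partly covered) and 192.168.50.0/24 (no policy), while 10.10.1.0/24 is fully protected and therefore not reported.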
To avoid this problem, you must use care when configuring both protocols.
The following sections describe different VPN scenarios and how OSPF is
employed within them.