User's guide

XSR Users Guide 249
Chapter 11 VPN Applications
Configuring the Virtual Private Network
Server
FastEthernet 1 interface: This is the trusted side of the network on the
XSR. It may consist of more than one IP segment. A network attached
to FastEthernet 1 will be advertised in an OSPF area.
VPN 1 interface: OSPF is required here to establish adjacency with
connecting clients. From the point of view of OSPF, a set of connected
clients is treated as a point-to-multipoint network. Before exchanging
OSPF packets, the server must separately establish adjacency with each
connected client. If the server cannot establish OSPF adjacency with
them, it will not send OSPF updates to clients.
FastEthernet 2 interface: OSPF must be disabled here because this is the
default, external connection to the Internet. The server should not
receive updates from the Internet nor pass along information about
private segments to the Internet.
Client
VPN 1 interface: OSPF must be enabled on this interface to receive
updates from the server.
FastEthernet 2 interface: OSPF should be disabled here for the same
reason it is disabled on the server.
FastEthernet 1 interface: This is a private, non-routable segment, usually
192.168.1.0/24. If OSPF is enabled on this interface, the segment will be
advertised to the server. The server's IP routing table will learn a route
to this segment via the VPN interface connected to the client, but the
route is unreachable because NAT is enabled on the client. Be aware that
if two clients advertise the same private segment, e.g., 192.168.1.0/24,
the server will learn two routes that appear to lead to the same
destination but in fact reach two different networks. OSPF must therefore
be disabled on the client's FastEthernet 1 interface.
If other clients connecting to the VPN 1 interface on the server do not
support OSPF (for example, Windows remote access clients), OSPF ignores them
and continues exchanging information with those clients that do support OSPF.
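The following Python script is an added illustration, not part of the XSR guide: it audits a constructed route table of the kind the server would hold, reporting private segments learned over VPN interfaces (a sign that a client left OSPF enabled on FastEthernet 1) and, in particular, the same segment advertised by more than one client. The interface names, addresses and tuple layout are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of OSPF-learned routes on the VPN server:
# (destination prefix, outgoing interface, advertising next hop).
# Illustrative values only, not output from a real XSR.
SAMPLE_ROUTES = [
    ("10.10.0.0/16", "FastEthernet1", "0.0.0.0"),     # trusted LAN, expected
    ("192.168.1.0/24", "VPN1", "172.16.0.5"),        # client A's private LAN
    ("192.168.1.0/24", "VPN1", "172.16.0.9"),        # client B, same prefix!
    ("192.168.50.0/24", "VPN1", "172.16.0.12"),      # client C's private LAN
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(prefix):
    """True if the prefix lies inside an RFC 1918 block."""
    net = ipaddress.ip_network(prefix)
    return any(net.subnet_of(block) for block in RFC1918)


def private_segments_via_vpn(routes, vpn_prefix="VPN"):
    """Map each private prefix learned over a VPN interface to the set of
    next hops that advertised it. Such routes are unreachable anyway because
    the client NATs its private LAN, so OSPF should be off on that LAN."""
    seen = defaultdict(set)
    for dest, iface, nexthop in routes:
        if iface.startswith(vpn_prefix) and is_private(dest):
            seen[dest].add(nexthop)
    return {dest: sorted(hops) for dest, hops in seen.items()}


def conflicting_client_segments(routes, vpn_prefix="VPN"):
    """Subset of the above where two or more clients advertise the same
    prefix: one route entry, two different physical networks."""
    return {dest: hops
            for dest, hops in private_segments_via_vpn(routes, vpn_prefix).items()
            if len(hops) > 1}


if __name__ == "__main__":
    for dest, hops in private_segments_via_vpn(SAMPLE_ROUTES).items():
        print(f"private segment {dest} learned over VPN from {hops}")
    for dest, hops in conflicting_client_segments(SAMPLE_ROUTES).items():
        print(f"CONFLICT: {dest} advertised by {len(hops)} clients: {hops}")
```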
On the client, a tunnel associated with interface VPN 1 is created by means of
the XSR’s EZ-IPsec functionality. EZ-IPsec automatically inserts SPDs on
FastEthernet interface 2 which specify that only traffic from and to the IP
address assigned by the server should be encrypted. There is no conflict
between SPDs and OSPF routing on this connection.