XSR User’s Guide 251
Chapter 11 VPN Applications
Configuring the Virtual Private Network
Server
Apply the same settings as in the site-to-site scenario using Client Mode.
OSPF is enabled on F1 and VPN 1 interfaces and is disabled on F2.
Client
As in the Client Mode model, OSPF is enabled on VPN 1 and disabled on
FastEthernet 2.
Additionally, OSPF is enabled on FastEthernet 1 so that the route to the
network attached to FastEthernet 1 is learned by the central site's network.
The tunnel associated with interface VPN 1 on the client is created by EZ-
IPsec which automatically creates and attaches two sets of SPDs to interface
FastEthernet 2. The first set specifies that traffic to and from the IP address
assigned to the client by the server should be encrypted. The second set’s SPD
specifies that traffic originating from and destined for the segment attached to
FastEthernet 1 should be encrypted.
Network extension mode lets you add more segments behind interface F1.
If those segments are advertised using OSPF, routes to them will be known at
the central site network; however, any traffic destined for those segments
will be dropped because the security policy described by the crypto maps
prohibits such traffic.
This situation may be addressed by extending crypto maps attached to both
the client and the server. An example of such a network extension is
illustrated in “XSR with VPN - Central Gateway” on page 277, where an
additional segment not directly attached to the client's trusted segment has IP
address 60.60.60.0/24.
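The following Python model is an added illustration, not code from the guide or the XSR itself. It models the two SPD selector sets EZ-IPsec attaches to FastEthernet 2 and shows why traffic for an added segment is dropped until the crypto map on each end is extended; all addresses except 60.60.60.0/24 are constructed.

```python
import ipaddress

# Constructed sample addresses (only 60.60.60.0/24 comes from the guide):
CLIENT_ASSIGNED_IP = ipaddress.ip_network("10.1.1.5/32")   # address the server assigns to the client
F1_SEGMENT = ipaddress.ip_network("192.168.10.0/24")       # client's trusted segment on FastEthernet 1
CENTRAL_SITE = ipaddress.ip_network("172.16.0.0/16")       # central-site network behind the server
EXTRA_SEGMENT = ipaddress.ip_network("60.60.60.0/24")      # additional segment reached via F1


def ez_ipsec_spds(client_ip, f1_segment, remote):
    """The two SPD sets EZ-IPsec attaches to FastEthernet 2, modelled as
    (local, remote) selector pairs; each pair protects traffic in both directions."""
    return [(client_ip, remote), (f1_segment, remote)]


def extend_policy(spds, new_local, remote):
    """Extending the crypto map: add a selector for an added segment.
    The same entry must be mirrored in the server's crypto map (modelled here
    by applying one policy list to both directions)."""
    return spds + [(new_local, remote)]


def classify(spds, src, dst):
    """Decision for a packet between src and dst at the tunnel endpoint:
    'encrypt' if a selector matches in either direction, otherwise 'drop',
    which is the behaviour the guide describes for segments outside the policy."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for local, remote in spds:
        if (s in local and d in remote) or (s in remote and d in local):
            return "encrypt"
    return "drop"


def demo():
    """Return the decisions before and after extending the crypto map."""
    spds = ez_ipsec_spds(CLIENT_ASSIGNED_IP, F1_SEGMENT, CENTRAL_SITE)
    before = {
        "f1_host": classify(spds, "192.168.10.20", "172.16.5.1"),
        "extra_host": classify(spds, "60.60.60.7", "172.16.5.1"),
        "reply_to_extra": classify(spds, "172.16.5.1", "60.60.60.7"),
    }
    extended = extend_policy(spds, EXTRA_SEGMENT, CENTRAL_SITE)
    after = {
        "extra_host": classify(extended, "60.60.60.7", "172.16.5.1"),
        "reply_to_extra": classify(extended, "172.16.5.1", "60.60.60.7"),
    }
    return before, after


if __name__ == "__main__":
    print(demo())
```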
NOTE
When OSPF is configured over a NEM tunnel to a central site XSR, remote
access Microsoft clients at the branch XSR must check the "Use default
gateway on remote network" box in the Advanced TCP/IP Settings dialog in
order to reach all subnets. This setting is located in the Network
Connections dialog by clicking Start/Connect To/Show all connections/
Virtual Private Network: <Your Remote Access Dialog>/Properties/
Networking tab/Internet Protocol (TCP/IP) box: Properties/Advanced.