Server 2
Interfaces Fast/GigabitEthernet 1 and VPN 1
Client
Interfaces Fast/GigabitEthernet 1, VPN 1 and VPN 2.
Limitations
Peer-to-Peer IPSec tunnels are configured without the VPN interface by applying crypto maps to
physical interfaces. In this application, IPSec is treated as a side effect of data transmission through
the interface. Since no virtual interface (for example, VPN1) is applied to the IPSec connection, a
routing protocol like OSPF cannot be used.
As mentioned earlier, OSPF may advertise a network's reachability but IPSec policies may deny
access to that network. As a remedy, you may extend the crypto maps attached to interfaces, but
this requires prior knowledge of networks advertised by OSPF, which renders OSPF's dynamic
network discovery useless. In this case, OSPF is used only for monitoring the links and providing
alternate routes in case of link failure.
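The mismatch described above can be checked offline. This added example (not taken from the XSR documentation) compares prefixes learned through OSPF with the destination networks matched by the crypto maps and reports the ranges that are routable but not covered by an IPSec policy. The function names and sample prefixes are constructed, and crypto-map rules are simplified to IPv4 destination prefixes only.

```python
import ipaddress


def uncovered(advertised, protected):
    """Return the parts of `advertised` that no protected network matches."""
    remaining = [advertised]
    for prot in protected:
        next_remaining = []
        for net in remaining:
            if net.subnet_of(prot):
                continue  # fully inside a crypto-map entry
            if prot.subnet_of(net):
                # Crypto map covers only a slice: keep the rest as a gap.
                next_remaining.extend(net.address_exclude(prot))
            else:
                next_remaining.append(net)  # disjoint, still uncovered
        remaining = next_remaining
    return sorted(ipaddress.collapse_addresses(remaining))


def audit(ospf_routes, crypto_map_dests):
    """Map each OSPF-advertised prefix to the ranges lacking an IPSec policy."""
    protected = [ipaddress.ip_network(p) for p in crypto_map_dests]
    report = {}
    for route in ospf_routes:
        gaps = uncovered(ipaddress.ip_network(route), protected)
        if gaps:
            report[route] = [str(g) for g in gaps]
    return report


# Constructed sample data (assumption): prefixes seen in the OSPF routing
# table and destination networks permitted by the interface crypto maps.
OSPF_ROUTES = ["10.1.0.0/16", "10.2.5.0/24", "192.168.50.0/24"]
CRYPTO_MAP_DESTS = ["10.1.0.0/17", "10.2.0.0/16"]

if __name__ == "__main__":
    for route, gaps in audit(OSPF_ROUTES, CRYPTO_MAP_DESTS).items():
        print(f"{route}: advertised by OSPF, no IPSec policy for {gaps}")
```
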
XSR VPN Features
The XSR supports the following VPN features:
• Site-to-Site (Peer-to-Peer) application
  – IPSec/IKE with pre-shared secrets
  – IPSec/IKE with certificates (PKI)
  – EZ-IPSec with PKI or pre-shared secrets:
    - Network Extension Mode (NEM)

[Figure 14-10: OSPF Used with Failover. Diagram labels: Corporate network, Server 1, Server 2, Client, INTERNET, interfaces F1 and F2, VPN 1, VPN 2, "Segment is extension of corporate network".]

14-18 Configuring the Virtual Private Network