Nortel BayStack Instant Internet 100-S Using Manual page 184

184 Chapter 6 IP security and VPN
• For branch-to-branch mode, at least one public, static IP address must be
available at both the location of the CES and of the Instant Internet unit.
Only the CES branch office routing type of "static" is supported; RIP mode
works only between CESs.
A branch office connection configured on a CES must not have a remote
endpoint address which is reachable on any of the local subnets on that CES.
There must be at least one router between the CES and the branch office
router.
CES does not allow the remote endpoint to be included in the remotely
available networks.
• For client mode, because all traffic must be translated to the static address that
was assigned on Contivity, the static address must exist on Instant Internet.
Often, the static address is the same as Instant Internet's private LAN address.
If the address is not the same, create an alias interface on Instant Internet and
assign the static address to that alias.
Set the default network to the interface that has the static address, and enable
output NAT on the IPsec interface. This translates all packets leaving the
IPsec interface (before they are encrypted and encapsulated) to have that
interface's address as a source. (Alternatively, input NAT can be configured
on the private LAN interface.)
Another router bordering CES must provide a route to Instant Internet's
public address. Proxy ARP can be used if Instant Internet's default network
address is valid on the CES private network.
There are no restrictions on the connection medium used by the Instant Internet
unit. The unit supports IPsec on any type of available interface (including a LAN
connection to another router).
Instant Internet does not support certificates. Only pre-shared keys can be used for
authentication. On Instant Internet, the name of the IPsec interface must match the
user ID that was created on Contivity.
300868-G