Vpn Applications - Enterasys Security Router X-PeditionTM User Manual

Enterasys security router user's guide
This feature specifies whether the router can clear, set, or copy the DF bit in the encapsulating
header. It is available only for IPSec tunnel mode; transport mode is not affected because it does
not have an encapsulating IP header. Typical enterprise DF bit settings include hosts which
perform these roles:

• Use firewalls to block Internet Control Message Protocol (ICMP) "unreachable" errors from
  outside the firewall, preventing hosts from learning about the Maximum Transmission Unit
  (MTU) size outside the firewall and causing the originating application to eventually fail
• Set the DF bit in packets they send
• Use IPSec to encapsulate packets, reducing the available MTU size because it is too large for
  the tunnel's interface. When the encrypted packet header is dropped, along with the DF bit
  setting, then large packets are dropped, causing instability and likely failure of the tunnel

If your topology includes hosts which screen knowledge of the available MTU size, you can set the
XSR to clear the DF bit and fragment the packet. Refer to "XSR with VPN - Central Gateway" on
page 14-36 for a sample configuration.

Note: The DF bit can be configured globally or per interface. If both levels are configured, the
interface setting overrides the global setting. It is supported on any interface on which VPN can
be configured.

VPN Applications

The XSR supports the following applications:

• Site-to-Site (Peer-to-Peer) - XSRs establish connections between each other, ANG-1102/1105s,
  7000s, or third-node devices via the Internet based on certificates and pre-shared keys. This is
  the simplest tunnel to set up, but its functionality set is not as rich as a Site-to-Central tunnel.
• Site-to-Central-Site - XSRs, one acting as a central site and the other as a remote site in Client or
  Network Extension Mode, build links between each other based on pre-shared keys or
  certificates. The XSR, working as a central site, can also terminate tunnels initiated by
  ANG-1102/1105s and 7000s. This type of tunnel offers several advantages over a Site-to-Site
  tunnel, including:
  - RIP or OSPF routing is supported
  - Tunnel heartbeats are supported
  - Tunnel failover is consistently supported
  - Tunnels are more easily scalable in multiple router topologies
  - Network management is more robust
• Remote Access - XSR functions as a tunnel server, establishing dial-up connections with clients
  over the Internet via local ISPs.

The XSR supports multiple combinations of the above applications and includes auxiliary
functionality such as:

• RADIUS authentication
• PKI authentication
• NAT traversal
• IP address management
• DF Bit override on IPSec tunnels

14-10 Configuring the Virtual Private Network
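The DF bit discussion above can be made concrete with a small model. This is an added example, not code from the Enterasys manual or the XSR software: it computes the size of an inner packet after ESP tunnel-mode encapsulation (assuming an AES-CBC with HMAC-SHA1-96 transform, so 16-byte IV, 16-byte cipher block and 12-byte ICV) and shows what the encapsulating router does under each outer-DF policy (copy, clear, set) when the result exceeds the tunnel interface MTU and a firewall filters the ICMP error.

```python
from typing import Literal

# Assumed per-packet overhead of ESP tunnel mode with AES-CBC / HMAC-SHA1-96.
IP_HDR = 20        # outer IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI + sequence number
ESP_IV = 16        # AES-CBC initialisation vector
ESP_TRAILER = 2    # pad-length + next-header bytes
ESP_ICV = 12       # truncated HMAC-SHA1-96 integrity check value
CIPHER_BLOCK = 16

Policy = Literal["copy", "clear", "set"]

def esp_tunnel_size(inner_len: int) -> int:
    """Outer packet size after ESP tunnel-mode encapsulation of an inner packet."""
    padded = -(-(inner_len + ESP_TRAILER) // CIPHER_BLOCK) * CIPHER_BLOCK
    return IP_HDR + ESP_HDR + ESP_IV + padded + ESP_ICV

def max_inner_size(tunnel_mtu: int) -> int:
    """Largest inner packet whose encapsulated form still fits the tunnel MTU."""
    inner = tunnel_mtu
    while esp_tunnel_size(inner) > tunnel_mtu:
        inner -= 1
    return inner

def forward(inner_len: int, inner_df: bool, policy: Policy,
            tunnel_mtu: int, icmp_filtered: bool) -> str:
    """What the encapsulating router does with one inner packet.

    policy selects the outer-header DF bit: 'copy' the inner DF bit, 'clear'
    it, or 'set' it. Returns 'forwarded', 'fragmented', 'icmp-frag-needed'
    (the sender learns the MTU) or 'blackholed' (the drop is never reported
    because the ICMP unreachable error is filtered).
    """
    outer_df = {"copy": inner_df, "clear": False, "set": True}[policy]
    if esp_tunnel_size(inner_len) <= tunnel_mtu:
        return "forwarded"
    if not outer_df:
        return "fragmented"   # outer packet is split; the peer reassembles, then decrypts
    return "blackholed" if icmp_filtered else "icmp-frag-needed"

if __name__ == "__main__":
    # Constructed scenario matching the text: hosts send 1500-byte packets with DF set,
    # the tunnel interface MTU is 1500, and a firewall drops ICMP unreachable errors.
    for policy in ("copy", "clear", "set"):
        print(policy, forward(1500, True, policy, 1500, True))
    print("largest inner packet that fits:", max_inner_size(1500))
```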