Site-to-Site Networks; Site-to-Central-Site Networks; NAT Traversal - Enterasys Security Router X-Pedition User Manual

Enterasys security router user's guide

Site-to-Site Networks

Site-to-site tunnels run as point-to-point links. They are useful when connecting geographically dispersed network segments where each segment contains servers and hosts. VPN tunnels play the role of point-to-point links and are transparent from a routing perspective. Figure 14-5 shows a link between two XSR sites, but this architecture can be extended to link many sites by creating a mesh topology. While it is extremely flexible for mesh networks, site-to-site is also useful within a hub-and-spoke topology.

VPN gateways terminating a tunnel cannot run routing protocols and therefore must rely solely on static routes. Only packets destined for networks behind the peer will be encrypted and shipped via a tunnel. Other traffic will either be dropped or forwarded to the Internet, depending on your security policy.

Authentication for IPSec tunnels can be performed using pre-shared keys or certificates. Authentication using pre-shared keys is acceptable in this application because the number of connected peers is relatively small.

This type of tunnel follows IETF standards and is interoperable with other vendors' devices. The IPSec portion of a GRE/IPSec tunnel is this type of Peer-to-Peer/Site-to-Site configuration. Refer to "Configuring a Simple VPN Site-to-Site Application" on page 14-32 and "Configuration Examples" on page 14-36 for detailed Site-to-Site setups.

Site-to-Central-Site Networks

In a Site-to-Central-Site application, tunnel nodes are not equivalent. One node initiates a tunnel, the other accepts it. In practice, the initiating node represents the smaller client entity and connects to the bigger corporate network through the server.

NAT Traversal

Since the connection is always initiated by the client site, the client can reside behind an ISP-operated NAT device. The presence of NAT, however, requires the IPSec feature known as NAT traversal, because routers and VPN gateways that terminate tunnels cannot otherwise reside behind a NAT device: their external addresses must be valid, routable addresses. The same consideration applies to a site-to-site tunnel scenario, where both XSRs play an equivalent role and either VPN gateway can initiate a tunnel.

Beginning with Release 7.0, the XSR supports NAT traversal according to draft-ietf-ipsec-nat-t-ike-02. The XSR sends IKE messages from UDP port 4500 when (1) a NAT device is present between the IKE peers and (2) the peer has implemented draft-ietf-ipsec-nat-t-ike-02.
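The two conditions just named (a NAT between the peers, and a peer that implements draft-ietf-ipsec-nat-t-ike-02) are established by the draft's NAT-D and Vendor ID payloads. The following Python example is added here and is not XSR or Enterasys code; it computes NAT-D values as HASH(CKY-I | CKY-R | IP | Port), compares them with the addresses actually observed on the received packet, and chooses UDP 500 or 4500 accordingly. It assumes SHA-1 as the negotiated hash and the draft-02 Vendor ID as the MD5 of the draft name with a trailing newline; cookies and addresses are constructed.

```python
import hashlib
import ipaddress
import struct
from typing import Dict, List, Tuple

def natd_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload content per draft-02: HASH(CKY-I | CKY-R | IP | Port); port is 2 bytes, network order."""
    data = cky_i + cky_r + ipaddress.ip_address(ip).packed + struct.pack("!H", port)
    return hashlib.new(algo, data).digest()

def peer_supports_natt(vendor_ids: List[bytes]) -> bool:
    """Draft-02 Vendor ID: MD5 of the draft name with a trailing newline (assumed form, see lead-in)."""
    return hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest() in vendor_ids

def detect_nat(cky_i: bytes, cky_r: bytes, received_natd: List[bytes],
               observed_src: Tuple[str, int], observed_dst: Tuple[str, int], algo: str = "sha1") -> Dict[str, bool]:
    """received_natd[0] is the peer's hash of OUR address (its destination); received_natd[1:]
    are hashes of the peer's own addresses. observed_* come from the packet as it actually arrived."""
    our_hash = natd_hash(cky_i, cky_r, observed_dst[0], observed_dst[1], algo)
    peer_hash = natd_hash(cky_i, cky_r, observed_src[0], observed_src[1], algo)
    return {
        "local_behind_nat": received_natd[0] != our_hash,       # peer saw a different address for us
        "peer_behind_nat": peer_hash not in received_natd[1:],  # a NAT rewrote the peer's source
    }

def ike_port(natt_supported: bool, nat: Dict[str, bool]) -> int:
    """Float to UDP 4500 only when both conditions hold: NAT present AND peer implements draft-02."""
    nat_present = nat["local_behind_nat"] or nat["peer_behind_nat"]
    return 4500 if natt_supported and nat_present else 500

def demo_hub_side() -> Tuple[Dict[str, bool], int]:
    """Constructed scenario: a client XSR at 192.168.1.10 behind an ISP NAT (rewritten to 203.0.113.5)
    initiates to a central-site XSR at 198.51.100.1. Cookies are constructed values."""
    cky_i = bytes.fromhex("0102030405060708")
    cky_r = bytes.fromhex("1112131415161718")
    # Payloads as the client built them: the hub's address first, then its own pre-NAT address.
    natd_from_client = [
        natd_hash(cky_i, cky_r, "198.51.100.1", 500),
        natd_hash(cky_i, cky_r, "192.168.1.10", 500),
    ]
    client_vids = [hashlib.md5(b"draft-ietf-ipsec-nat-t-ike-02\n").digest()]
    # The hub compares against what actually arrived: the source was already rewritten by the NAT.
    nat = detect_nat(cky_i, cky_r, natd_from_client,
                     observed_src=("203.0.113.5", 500), observed_dst=("198.51.100.1", 500))
    return nat, ike_port(peer_supports_natt(client_vids), nat)
```

Running `demo_hub_side()` reports the client as behind NAT and selects port 4500; with matching addresses on both sides, or a peer that does not advertise the draft-02 Vendor ID, the exchange stays on port 500.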
Figure 14-5 VPN Site-to-Site Topology
[Figure: two XSR/VPN Gateway sites connected by a VPN tunnel across the Internet, with routing updates exchanged at each site.]

VPN Applications
XSR User's Guide 14-11
