
Nortel Networks NN46110-602 User Manual


218 Appendix D Configuring for interoperability


Load Balancing—Traditional load balancers often do not work with the IPsec
protocol because of the security features on individual packets and the separate
key management and data channels. The VPN Router has built-in load
balancing features for IPsec client terminations that allow two VPN Routers to
load balance and fail over connections. This feature works with third-party
clients.

QoS—The Nortel VPN Client is subject to manager-defined QoS policies.
You can reserve connection slots for different classes of user, and you can
assign differing forwarding priorities for their traffic. The VPN Router
preserves Diff-Serv markings for dial tunnels, copying the Diff-Serv Code
Point from the inside packet to the tunnel header.
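As an added illustration of the Diff-Serv preservation described above (example code, not from the manual or the VPN Router software): the DSCP is the upper six bits of the IPv4 TOS byte, and the tunnel endpoint copies it from the inner header into the outer header it builds. The example assumes plain IP-in-IP framing (protocol 4) so that the copy is visible; the ESP header and encryption of a real IPsec tunnel are left out.

```python
import struct
import ipaddress

def ipv4_checksum(hdr):
    """Standard one's-complement checksum over a 20-byte IPv4 header."""
    s = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def ipv4_header(src, dst, proto, tos, payload_len, ident=0, ttl=64):
    """Build a 20-byte IPv4 header (no options) with a valid checksum."""
    total_len = 20 + payload_len
    ver_ihl = (4 << 4) | 5            # IPv4, 5 x 32-bit words
    flags_frag = 0x4000               # DF set, fragment offset 0
    hdr = struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident,
                      flags_frag, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def dscp_of(ip_packet):
    """DSCP = top 6 bits of the TOS byte (byte 1); low 2 bits are ECN."""
    return ip_packet[1] >> 2

def encapsulate(inner, tunnel_src, tunnel_dst):
    """Wrap an inner IPv4 packet in an outer tunnel header, copying the
    inner DSCP so that the marking survives on the tunnel path. The outer
    ECN bits are left at zero; they are not part of the Diff-Serv marking."""
    outer_tos = dscp_of(inner) << 2
    outer = ipv4_header(tunnel_src, tunnel_dst, 4, outer_tos, len(inner))
    return outer + inner

# Constructed sample: an inner packet marked EF (DSCP 46) with an ECN bit
# set, from the enterprise address space, carrying 8 bytes of payload.
INNER_TOS = (46 << 2) | 0x01
INNER = ipv4_header("10.1.2.3", "10.9.9.9", 17, INNER_TOS, 8) + b"\x00" * 8
TUNNELED = encapsulate(INNER, "192.0.2.10", "198.51.100.20")
```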

Advanced attribute definition from the server—On a group-by-group basis,
you can load the client with its tunneled IP address and subnet mask, a
Microsoft domain name, both WINS and DNS servers, a message of the day,
and the VPN Router banner. The network manager can also determine access
days and hours, crypto strength, how often the client rekeys, and whether the
client can store a password for the group. The client can initiate a
password-protected screen saver if the user leaves the PC, and can log off idle
connections. You can filter traffic in the tunnel based on IP address and/or
port number, and can configure the client to close the tunnel if certain network
applications are run. You can set the tunnel to start automatically when
predefined applications or destinations are accessed, and to close when these
applications are completed. These features are not available with third-party
clients.

Address Assignment—Client-tunneled IP addresses are assigned through a
DHCP server, on a per-group basis from a named pool, through a RADIUS
attribute, or statically. The client receives the inner IP address from the
enterprise address space. Third-party remote access clients get their inner
address assigned the same as the outer address, which is normally what the ISP
assigns, and is not part of the enterprise address space.

Split Tunneling—On a group-by-group basis, a service provider determines
which IP addresses go into the tunnel and which use the local adapter (for
general Internet access, or local printing/server usage). With third-party
clients, you should enable split tunneling. If disabled, the client must be put
into a group configured to allow undefined networks.

Advanced Security features—The Nortel VPN Client tunnel only accepts
packets originating from the machine on which it is loaded. If attempts are
made to route packets through a VPN Client, the tunnel is closed. When
non-split tunneling is enabled, only packets that have passed through the VPN