An IPSEC VPN Client Gateway is an IPSEC capable device that is designed to
support Client based connectivity. Unfortunately, manually configuring key
information is highly undesirable and the IKE Protocol was not originally designed
to offer this style of operation.
The relationship between IPSEC Peers was defined as one of equal standing.
Both Peers provide identities that are verified and credentials that are
authenticated. This is referred to as Mutual Authentication. The key bit of missing
information here is that devices are identified and authenticated, but not the
users that may be operating them. While this behavior may be ideal for Peers
that facilitate site to site communications, it is impractical when supporting a large
number of mobile devices. When you consider the operation of these devices is
almost purely user motivated, it is also difficult to ensure that the data being
transmitted is both authentic and secure.
For these reasons, several extensions to the protocol have been proposed to
extend the functionality of IKE.
Configuration Transaction Exchange ( or Mode-Cfg )
This extension was devised to exchange information before negotiating
non-ISAKMP SA's ( after phase1 and before phase2
). This is
accomplished by defining a new Exchange type where attributes values
may be requested from the Peer. This can be used for purposes such as
obtaining an IP address and subnet mask from a gateway for client style
operation.
Extended Authentication ( or Xauth )
This extension is based on the Configuration Transaction Exchange. It
was devised to accommodate legacy mode user based authentication.
Mutual authentication is still required as the additional authentication can
only occur after the ISAKMP SA ( phase1 ) has been established.
Hybrid Authentication
This extension is based on the Configuration Transaction Exchange and
Extended Authentication. It was devised to offer legacy mode user based
authentication without requiring full Mutual Authentication. This is
accomplished by simply not authenticating one of the two Peers when
attempting to establish the ISAKMP SA ( phase 1 ). The Peer is later
required to pass Extended Authentication to validate the user credentials
before allowing IPSEC SAs ( phase 2 ) to be negotiated.
Dead Peer Detection ( or DPD )
This extension is based on the ISAKMP Informational Exchange type and
provides a method of detecting when a peer is no longer responsive. The
Client accomplishes this by submitting and responding to periodic DPD
requests. If a Gateway fails to respond to these requests within a certain
time period, the connection is considered closed and the user is notified.
All extensions listed above are supported by both the ipsec-tools racoon
daemon and the Shrew Soft VPN Client.