Client Gateways
Previous Top Next

An IPSEC VPN Client Gateway is an IPSEC capable device that is designed to support Client based connectivity. Unfortunately, manually configuring key information is highly undesirable and the IKE Protocol was not originally designed to offer this style of operation.

The relationship between IPSEC Peers was defined as one of equal standing. Both Peers provide identities that are verified and credentials that are authenticated. This is referred to as Mutual Authentication. The key bit of missing information here is that devices are identified and authenticated, but not the users that may be operating them. While this behavior may be ideal for Peers that facilitate site to site communications, it is impractical when supporting a large number of mobile devices. When you consider the operation of these devices is almost purely user motivated, it is also difficult to ensure that the data being transmitted is both authentic and secure.

For these reasons, several extensions to the protocol have been proposed to extend the functionality of IKE.

Configuration Transaction Exchange ( or Mode-Cfg )
This extension was devised to exchange information before negotiating non-ISAKMP SA's ( after phase1 and before phase2 ). This is accomplished by defining a new Exchange type where attributes values may be requested from the Peer. This can be used for purposes such as obtaining an IP address and subnet mask from a gateway for client style operation.

Extended Authentication ( or Xauth )
This extension is based on the Configuration Transaction Exchange. It was devised to accommodate legacy mode user based authentication. Mutual authentication is still required as the additional authentication can only occur after the ISAKMP SA ( phase1 ) has been established.

Hybrid Authentication
This extension is based on the Configuration Transaction Exchange and Extended Authentication. It was devised to offer legacy mode user based authentication without requiring full Mutual Authentication. This is accomplished by simply not authenticating one of the two Peers when attempting to establish the ISAKMP SA ( phase 1 ). The Peer is later required to pass Extended Authentication to validate the user credentials before allowing IPSEC SAs ( phase 2 ) to be negotiated.

Dead Peer Detection ( or DPD )
This extension is based on the ISAKMP Informational  Exchange type and provides a method of detecting when a peer is no longer responsive. The Client accomplishes this by submitting and responding to periodic DPD requests. If a Gateway fails to respond to these requests within a certain time period, the connection is considered closed and the user is notified.

All extensions listed above are supported by both the ipsec-tools racoon daemon and the Shrew Soft VPN Client.