Client VPN Gateways

An IPsec VPN Client Gateway is an IPsec capable device that is designed to support client based ( remote access ) connectivity. Unfortunately, the IKE Protocol was not originally designed to offer this style of operation. It assumes that every Peer has been provisioned in advance with its own keys, identity and policy, and configuring that information by hand on each client is highly undesirable.


The relationship between IPsec Peers is defined as one of equal standing. Each Peer presents an identity that is verified and credentials that are authenticated. This is referred to as Mutual Authentication. While this behavior is ideal for Peers that facilitate site to site communications, it is impractical when supporting a large number of mobile devices. Because most aspects of a mobile device configuration can be altered by its operator, it is difficult to ensure that the identity a device presents is authentic without introducing a more user-centric authentication mechanism. It is also desirable to centrally manage aspects of the remote device operation ( addressing, name resolution and the networks reachable through the tunnel ) without user intervention.


For these reasons, several extensions have been proposed to extend the functionality of IKE.



Related Protocol Extensions



Configuration Exchange - This extension, also known as Mode Config, was devised to exchange configuration information between the establishment of the ISAKMP SA and the negotiation of non-ISAKMP SAs ( after Phase 1 and before Phase 2 ). This is accomplished by defining a new exchange type in which attribute values may be requested or offered by a Peer. It can be used for purposes such as obtaining an IP address, subnet mask, DNS settings or private network topology information from a gateway.


Extended Authentication - This extension, also known as XAuth, is based on the Configuration Exchange. It was devised to accommodate user-based authentication, typically a user name and password. Mutual Authentication is still required, as the additional authentication can only occur after the ISAKMP SA ( Phase 1 ) has been established; the user credentials are carried inside that protected exchange.


Hybrid Authentication - This extension is based on the Configuration Exchange and Extended Authentication. It was devised to offer user-based authentication without requiring full Mutual Authentication. This is accomplished by simply not authenticating one of the two Peers, the client, when establishing the ISAKMP SA ( Phase 1 ); only the gateway authenticates itself at that point. The client is later required to pass Extended Authentication to validate the user credentials before IPsec SAs ( Phase 2 ) are allowed to be negotiated. Because the gateway identity is the only one verified during Phase 1, the client must check that identity properly before it submits user credentials.
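The Configuration Exchange and Extended Authentication described above, as an added example that is not code from the Shrew Soft client or racoon: a Python encoder and decoder for the ISAKMP Attributes payload, driving one Mode Config request and reply and one four-message XAuth exchange in memory. The message and attribute type numbers follow the Mode Config and XAuth drafts; the address pool, the user table, the identifier values and the password check are constructed for the example. Note that the password travels as a plain attribute value and is protected only by the Phase 1 ISAKMP SA that carries the payload, which is why the client must have authenticated the gateway ( in Hybrid mode the only Peer authenticated in Phase 1 ) before it answers the request.

```python
"""Mode Config / XAuth exchange encoded as ISAKMP Attributes payloads.

Added example, not Shrew Soft or racoon code. Attribute numbers follow the
Mode Config and XAuth drafts; the address pool and user table are constructed.
"""
import hmac
import struct
from ipaddress import IPv4Address

# Attributes payload message types ( ISAKMP payload type 14 )
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4

# Mode Config attribute types ( values are 4-byte IPv4 addresses )
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS = 1, 2, 3

# XAuth attribute types
XAUTH_TYPE, XAUTH_USER_NAME, XAUTH_USER_PASSWORD, XAUTH_STATUS = 16520, 16521, 16522, 16527
XAUTH_GENERIC = 0          # XAUTH_TYPE value: plain user name and password
XAUTH_OK, XAUTH_FAIL = 1, 0


def encode_attrs(attrs):
    """ISAKMP data attributes: int values as TV ( AF bit set ), bytes as TLV."""
    out = b""
    for atype, value in attrs:
        if isinstance(value, int):
            out += struct.pack("!HH", 0x8000 | atype, value)
        else:
            out += struct.pack("!HH", atype, len(value)) + value
    return out


def decode_attrs(data):
    """Inverse of encode_attrs; rejects lengths that run past the payload."""
    attrs, off = [], 0
    while off + 4 <= len(data):
        hdr, second = struct.unpack_from("!HH", data, off)
        off += 4
        if hdr & 0x8000:                            # TV: 'second' is the value
            attrs.append((hdr & 0x7FFF, second))
        else:                                       # TLV: 'second' is the length
            if off + second > len(data):
                raise ValueError("attribute length exceeds payload")
            attrs.append((hdr, data[off:off + second]))
            off += second
    if off != len(data):
        raise ValueError("trailing bytes after last attribute")
    return attrs


def build_cfg_payload(msg_type, identifier, attrs):
    """Generic payload header ( next payload, reserved, length ) + type, reserved, id, attrs."""
    body = struct.pack("!BBH", msg_type, 0, identifier) + encode_attrs(attrs)
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body


def parse_cfg_payload(payload):
    _np, _res, length = struct.unpack_from("!BBH", payload, 0)
    if length != len(payload):
        raise ValueError("payload length mismatch")
    msg_type, _res, identifier = struct.unpack_from("!BBH", payload, 4)
    return msg_type, identifier, decode_attrs(payload[8:])


def mode_cfg_exchange(pool, identifier=0x0101):
    """Client asks for address, netmask and DNS with empty TLVs; gateway fills them in."""
    wanted = [(INTERNAL_IP4_ADDRESS, b""), (INTERNAL_IP4_NETMASK, b""), (INTERNAL_IP4_DNS, b"")]
    request = build_cfg_payload(CFG_REQUEST, identifier, wanted)
    # Gateway side: answer each requested attribute from its ( constructed ) pool.
    mtype, ident, asked = parse_cfg_payload(request)
    if mtype != CFG_REQUEST:
        raise ValueError("expected ISAKMP_CFG_REQUEST")
    answers = {INTERNAL_IP4_ADDRESS: pool["address"], INTERNAL_IP4_NETMASK: pool["netmask"],
               INTERNAL_IP4_DNS: pool["dns"]}
    reply = build_cfg_payload(CFG_REPLY, ident,
                              [(t, IPv4Address(answers[t]).packed) for t, _ in asked if t in answers])
    # Client side: decode the granted values back into dotted strings.
    _, _, granted = parse_cfg_payload(reply)
    return {t: str(IPv4Address(v)) for t, v in granted}


def xauth_exchange(user_db, username, password, identifier=0x0202):
    """REQUEST -> REPLY -> SET -> ACK; returns the XAUTH_STATUS the client acknowledged."""
    request = build_cfg_payload(CFG_REQUEST, identifier,
                                [(XAUTH_TYPE, XAUTH_GENERIC), (XAUTH_USER_NAME, b""), (XAUTH_USER_PASSWORD, b"")])
    # Client: fill in what was asked. The password is a cleartext attribute value,
    # protected only by the Phase 1 ISAKMP SA carrying this payload.
    _, ident, asked = parse_cfg_payload(request)
    fill = {XAUTH_USER_NAME: username.encode(), XAUTH_USER_PASSWORD: password.encode()}
    reply = build_cfg_payload(CFG_REPLY, ident, [(t, fill.get(t, v)) for t, v in asked])
    # Gateway: constant-time check against the constructed user table ( a real
    # gateway would consult its password store, e.g. system, PAM, RADIUS or LDAP ).
    creds = dict(parse_cfg_payload(reply)[2])
    expected = user_db.get(creds.get(XAUTH_USER_NAME, b"").decode(), b"")
    ok = bool(expected) and hmac.compare_digest(expected, creds.get(XAUTH_USER_PASSWORD, b""))
    gateway_set = build_cfg_payload(CFG_SET, ident, [(XAUTH_STATUS, XAUTH_OK if ok else XAUTH_FAIL)])
    # Client: acknowledge the result, echoing the status attribute.
    client_ack = build_cfg_payload(CFG_ACK, ident, parse_cfg_payload(gateway_set)[2])
    return dict(parse_cfg_payload(client_ack)[2])[XAUTH_STATUS]


if __name__ == "__main__":
    print(mode_cfg_exchange({"address": "10.99.0.5", "netmask": "255.255.255.0", "dns": "10.0.0.53"}))
    print(xauth_exchange({"alice": b"correct horse"}, "alice", "correct horse"))
```

The same TV/TLV attribute encoding is used for both the Mode Config attributes and the XAuth attributes, which is why XAuth and Hybrid Authentication could be layered on the Configuration Exchange without a new payload format; only the attribute type numbers and the meaning of the four message types differ.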


Dead Peer Detection - This extension, also known as DPD, is based on the ISAKMP Informational exchange and provides a method of detecting when a Peer is no longer responsive. This is accomplished by sending periodic DPD requests and answering those received from the Peer. If a Peer fails to respond within a certain time period, after a configured number of retries, all SAs associated with that Peer are normally considered dead.
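Dead Peer Detection as described above, added here as an example and not code from the Shrew Soft client or racoon: the R-U-THERE and R-U-THERE-ACK Notify payloads from RFC 3706, a per-Peer liveness state machine with the same delay, retry and maxfail knobs that racoon exposes as dpd_delay, dpd_retry and dpd_maxfail, and a simulated clock so the exchange runs offline. The cookies, timer values and the simulated silent Peer are constructed. RFC 3706 requires the sequence numbers to increase so that a replayed probe is discarded, since the Informational exchange is otherwise not replay protected; the check on incoming R-U-THERE messages below implements that.

```python
"""Dead Peer Detection ( RFC 3706 ) as ISAKMP Notify payloads with a simulated clock.

Added example, not Shrew Soft or racoon code. delay/retry/maxfail mirror the
racoon dpd_delay, dpd_retry and dpd_maxfail settings; cookies are constructed.
"""
import os
import struct

R_U_THERE, R_U_THERE_ACK = 36136, 36137     # DPD notify message types
DOI_IPSEC, PROTO_ISAKMP = 1, 1


def build_dpd_notify(icookie, rcookie, ntype, seq):
    """Notify payload: hdr, DOI, protocol, SPI size, type, SPI ( both cookies ), 32-bit seq."""
    spi = icookie + rcookie
    body = struct.pack("!IBBH", DOI_IPSEC, PROTO_ISAKMP, len(spi), ntype) + spi + struct.pack("!I", seq)
    return struct.pack("!BBH", 0, 0, 4 + len(body)) + body


def parse_dpd_notify(payload):
    """Return ( notify type, sequence number ) or raise ValueError."""
    _, _, length = struct.unpack_from("!BBH", payload, 0)
    if length != len(payload):
        raise ValueError("payload length mismatch")
    doi, proto, spi_size, ntype = struct.unpack_from("!IBBH", payload, 4)
    if doi != DOI_IPSEC or proto != PROTO_ISAKMP or spi_size != 16 or length != 32:
        raise ValueError("not a DPD notify")
    (seq,) = struct.unpack_from("!I", payload, 12 + spi_size)
    return ntype, seq


class DpdPeer:
    """Liveness state for one ISAKMP SA, driven by an external clock in seconds."""

    def __init__(self, icookie, rcookie, delay=20, retry=5, maxfail=5, now=0.0):
        self.icookie, self.rcookie = icookie, rcookie
        self.delay, self.retry, self.maxfail = delay, retry, maxfail
        # RFC 3706: start from a random value, avoid 0 and 0xFFFFFFFF, only increase.
        self.seq = struct.unpack("!I", os.urandom(4))[0] % 0x7FFFFFFF + 1
        self.peer_seq = None            # highest R-U-THERE seq seen from the peer
        self.last_traffic = now
        self.probe_base = None          # first seq of the probe burst awaiting an ACK
        self.sent_at = None
        self.failures = 0
        self.dead = False

    def traffic_received(self, now):
        """Any protected traffic from the peer proves liveness and resets the probe state."""
        self.last_traffic, self.probe_base, self.failures = now, None, 0

    def tick(self, now):
        """Return an R-U-THERE to send, or None. Declares the peer dead after maxfail misses."""
        if self.dead:
            return None
        if self.probe_base is None:
            if now - self.last_traffic < self.delay:
                return None                         # peer was heard from recently
        elif now - self.sent_at < self.retry:
            return None                             # probe still in flight
        else:
            self.failures += 1
            if self.failures >= self.maxfail:
                self.dead = True                    # all SAs with this peer are now considered dead
                return None
        self.seq += 1
        if self.probe_base is None:
            self.probe_base = self.seq
        self.sent_at = now
        return build_dpd_notify(self.icookie, self.rcookie, R_U_THERE, self.seq)

    def receive(self, payload, now):
        """Process a DPD notify; answers R-U-THERE with an ACK, drops stale sequence numbers."""
        ntype, seq = parse_dpd_notify(payload)
        if ntype == R_U_THERE:
            if self.peer_seq is not None and seq <= self.peer_seq:
                return None                         # replayed or out-of-order probe
            self.peer_seq = seq
            self.traffic_received(now)
            return build_dpd_notify(self.icookie, self.rcookie, R_U_THERE_ACK, seq)
        if ntype == R_U_THERE_ACK and self.probe_base is not None and self.probe_base <= seq <= self.seq:
            self.traffic_received(now)              # the ACK answers one of our probes
        return None


def simulate(peer_responds, seconds=60):
    """Probe a ( constructed ) peer once per second; return ( dead, second it was declared dead )."""
    ic, rc = b"\x11" * 8, b"\x22" * 8
    prober, peer = DpdPeer(ic, rc), DpdPeer(ic, rc)
    for now in range(1, seconds + 1):
        probe = prober.tick(now)
        if probe is not None and peer_responds:
            prober.receive(peer.receive(probe, now), now)
        if prober.dead:
            return True, now
    return False, None


if __name__ == "__main__":
    print("responsive peer:", simulate(True))
    print("silent peer:", simulate(False))
```

With the defaults used here the first probe goes out after 20 idle seconds and a silent Peer is declared dead at second 45, that is delay + maxfail * retry; a Peer that answers is probed every 20 seconds indefinitely and is never torn down.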


All extensions listed above are supported by both the ipsec-tools racoon daemon and the Shrew Soft VPN Client.

Copyright © 2010, Shrew Soft Inc