Could you please point me to a document with a walk-through? I would like to understand a situation when either pre-shared keys or certificates are used.
- The station can be pre-configured with a static IP
- The station can use DHCP to lease an IP
- If the AP has a DHCP server, it can supply the IP
- A DHCP server on the AP's Ethernet can supply the IP
- The AP can relay DHCP to a specific DHCP server
Next, let's look at the role of the station's IP address in IPsec. When pre-shared keys (PSK) are used in IKE Main Mode, the gateway finds the matching PSK by looking up the station's IP address in its security policy database. This works when the station has a static IP. When the station's IP is assigned by DHCP, it works only if the same PSK is used for the entire DHCP address pool; some gateways support such group PSKs, others cannot.
A common alternative is to use PSK in IKE Aggressive Mode. This lets the VPN client's identity be something other than its IP address - usually an e-mail address (User-FQDN). The gateway uses the client's e-mail address to find the matching PSK in its security policy database. Every client can have its own PSK, or several clients can share the same identity and PSK. Group PSKs are frequently combined with user-level sub-authentication - for example, a gateway that uses XAUTH to prompt the client for a username/password after IKE authentication with the group PSK has succeeded.
A much stronger alternative is to use digital certificates instead. Certificates work in IKE Main Mode with either a static IP or a non-IP identity for the VPN client. When the certificate is issued, it is bound to the subject's identity - an e-mail address or an X.500 Distinguished Name (a long, structured value that carries organization, location and the user's first/last name). The gateway uses the client's identity to decide whether this user is allowed to authenticate by certificate, and then uses public key cryptography to verify the certificate itself.
Once the VPN client is authenticated, it must keep the same IP address for the lifetime of the IPsec tunnel. IPsec uses the source IP address on every packet to make sure the authenticated client really sent that packet. So, if the client's IP address changes, it must go through IKE authentication again to create a new IPsec tunnel.
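As an added illustration, not part of the original answer, the following Python sketch models the gateway-side lookups described above: PSK selection by source IP in Main Mode (including the group-PSK case for a DHCP pool), PSK selection by User-FQDN in Aggressive Mode, and the tunnel's binding to the authenticated client's IP. All addresses, identities and key names are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

# Gateway "security policy database" entries (constructed sample data, not
# from the original answer). Main Mode sees only the peer's source IP, so a
# key is selected by exact host or, on gateways that support group PSKs, by
# the address pool that DHCP hands out.
MAIN_MODE_PSK = {
    "192.0.2.10": "static-host-key",          # station with a static IP
    "192.0.2.128/25": "dhcp-pool-group-key",  # one group PSK for the pool
}
# Aggressive Mode carries a User-FQDN identity, so each client (or group of
# clients) gets a key that does not depend on its IP. The flag marks group
# keys that the gateway follows up with an XAUTH username/password prompt.
AGGRESSIVE_MODE_PSK = {
    "alice@example.com": ("alice-key", False),       # per-user PSK
    "sales@example.com": ("sales-group-key", True),  # group PSK + XAUTH
}

def main_mode_psk(peer_ip, group_psk_supported=True):
    """Return the PSK for a Main Mode peer, or None if nothing matches."""
    addr = ipaddress.ip_address(peer_ip)
    for entry, key in MAIN_MODE_PSK.items():
        net = ipaddress.ip_network(entry, strict=False)
        is_pool = net.num_addresses > 1
        # A pool entry only helps on a gateway that can hold a group PSK;
        # otherwise a DHCP-leased client is simply unknown to the gateway.
        if addr in net and (not is_pool or group_psk_supported):
            return key
    return None

def aggressive_mode_psk(user_fqdn):
    """Return (psk, xauth_required) for a User-FQDN identity, or None."""
    return AGGRESSIVE_MODE_PSK.get(user_fqdn.strip().lower())

@dataclass
class Tunnel:
    """An established IPsec tunnel, bound to the authenticated client IP."""
    client_ip: str

def packet_accepted(tunnel, src_ip):
    """IPsec checks each packet's source IP against the tunnel's client IP;
    a new DHCP lease changes that address, so the client must rerun IKE."""
    return ipaddress.ip_address(src_ip) == ipaddress.ip_address(tunnel.client_ip)
```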
There is one last trick to making IPsec and DHCP work together - letting the station renew its IP address. Depending upon the VPN client and the DHCP server, you may need to define the client's security policy to allow DHCP to pass outside the VPN tunnel, over the WLAN to the AP.
Related Q&A from Lisa Phifer