Could you please point me to a document with a walk through? I would like to understand a situation when either...
pre-shared keys or certificates are used.
- The station can be pre-configured with a static IP
- The station can use DHCP to lease an IP
- If the AP has a DHCP server, it can supply the IP
- A DHCP server on the AP's Ethernet can supply the IP
- The AP can relay DHCP to a specific DHCP server
Next, let's look at the role of the station's IP address in IPsec. When using pre-shared keys (PSK) in IKE Main Mode, the gateway will find the matching PSK by looking up the station's IP in its security policy database. This works when the station is using a static IP. When the station is using a DHCP-assigned IP, this works only if the same PSK is used for the entire DHCP address pool. Some gateways can support group PSKs; others cannot.
A common alternative is to use PSK in IKE Aggressive Mode. This lets the VPN client's Identity be something other than IP address - usually an e-mail address (User-FQDN). The gateway uses the client's e-mail address to find the matching PSK in its security policy database. Every client can have its own PSK, or several clients can share the same identity and PSK. Group PSKs are frequently used in conjunction with user-level subauthentication - for example, if your gateway uses XAUTH to prompt the client for a username/password after passing IKE authentication with the group PSK.
A much stronger alternative is to use digital certificates instead. Certificates work in IKE Main Mode using either static IPs or something other than IP address as the VPN client's identity. When the certificate is issued, it is bound to the subject's identity - an e-mail address or an X.500 Distinguished Name (a long, structured value that carries organization, location, and the user's first/last name.) The gateway uses the client's identity to see whether this user is allowed to authenticate by certificate, and then uses public key crypto to check the validity of the certificate.
Once the VPN client is authenticated, it must keep the same IP address for the lifetime of the IPsec tunnel. IPsec uses the source IP address on every packet to make sure the authenticated client really sent that packet. So, if the client's IP address changes, it must go through IKE authentication again to create a new IPsec tunnel.
There is one last trick to making IPsec and DHCP work together - letting the station renew its IP address. Depending upon the VPN client and the DHCP server, you may need to define the client's security policy to allow DHCP to pass outside the VPN tunnel, over the WLAN to the AP.
Related Q&A from Lisa Phifer
The enterprise mobility management market for wearable devices is in its infancy, but IT can still use existing EMM tools to manage wearables.continue reading
Wireless expert Lisa A. Phifer explains to what extent WEP cracking remains a worrisome issue. It all depends on your company's WLAN security policy.continue reading
Wireless expert Lisa A. Phifer explains why you shouldn't stop using 802.1X authentication methods for enterprise WLAN access control.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.