Summary


As workforces become increasingly mobile in nature, so does the need to gain secure network access from varying physical locations. Dynamic peers allow network administrators to ensure network connectivity when remote network peers are either not known in advance or change to an unknown value over time. Dynamic peers also require less administrative effort than static peers do. Dynamic IPSec peer addressing has therefore become an increasingly popular design alternative in many large-scale enterprise IPSec VPN designs and in RAVPN designs. In this chapter, we have discussed the design issues that arise when supporting dynamically addressed peers in an IPSec VPN design, including:

  • Added support within ISAKMP for dynamically addressed peers

  • Impact of dynamically addressed peers on the routed infrastructure

  • Security considerations for dynamically addressed peers

We have also discussed the added features for addressing these fundamental design considerations, including the use of dynamic crypto maps, tunnel endpoint discovery, IKE Extended Authentication (x-auth), and IKE Mode Config. Effective IPSec VPN designs that employ the use of dynamically addressed peers commonly use many of these solution components.

Dynamic crypto maps are central to the support of dynamically addressed peers, since no manual specification of a peer within the dynamic crypto map configuration is required. The chapter covers the use of dynamic crypto maps in IPSec headend configurations in extranet deployments and in large-scale branch and SOHO deployments. When a dynamic crypto map is used in conjunction with a static crypto map on the remote IPSec endpoint, only the remote IPSec VPN endpoint can initiate the negotiation of the IPSec VPN tunnel unless TED is used. TED allows an IPSec VPN endpoint such as the one described above to dynamically discover its remote IPSec VPN tunnel endpoint through the exchange of TED probes.
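As an added illustration (not configuration from the book), the following Cisco IOS fragments show the arrangement just described: a headend that accepts dynamically addressed peers through a dynamic crypto map, and a remote endpoint that uses a static crypto map and must therefore initiate the tunnel. Hostnames, addresses, map names and the preshared key are placeholders.

```text
! ===== Headend (static public address 203.0.113.1, placeholder) =====
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
! Wildcard preshared key: any peer address is accepted at IKE Phase 1.
! This is the group-key weakness x-auth is meant to compensate for.
crypto isakmp key PLACEHOLDER-PSK address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
! Dynamic crypto map: no "set peer" and no "match address" are needed,
! because the remote's proxy identities are learned during Phase 2.
crypto dynamic-map DYNMAP 10
 set transform-set TS
 ! Reverse Route Injection inserts a route for each remote's protected
 ! subnet when its SA comes up, addressing the routing impact discussed.
 reverse-route
! Attach the dynamic map to a static map as the lowest-priority entry.
! Without TED the headend can only respond, never initiate; appending
! the "discover" keyword to this line enables TED probing instead.
crypto map VPNMAP 100 ipsec-isakmp dynamic DYNMAP
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.0
 crypto map VPNMAP

! ===== Remote (outside address assigned by DHCP, unknown in advance) =====
crypto isakmp policy 10
 encryption aes 256
 authentication pre-share
 group 14
! The remote knows the headend address, so its key is bound to that peer.
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.1
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
! Static crypto map: explicit peer plus the traffic that triggers IKE.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set TS
 match address 100
! Branch LAN 192.168.10.0/24 to headend networks 10.0.0.0/8 (placeholders)
access-list 100 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.255.255.255
interface GigabitEthernet0/0
 ip address dhcp
 crypto map VPNMAP
```

Traffic matching access-list 100 on the remote triggers IKE toward the headend; the headend's wildcard key and dynamic map let it complete negotiation without knowing the remote's address beforehand.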

The changes brought forward by IKE Extended Authentication (x-auth) can be used to provide more granularity when authenticating a dynamically addressed peer. IKE x-auth occurs in addition to the negotiation of IKE itself and is very effective at eliminating the group eviction difficulties that commonly arise from authenticating IKE with wildcard preshared keys. Refer to the earlier discussion of IKE wildcard preshared keys for more on this very important design consideration. IKE Mode Config can be used to assign a remote IPSec VPN endpoint various configuration elements, including the remote IPSec VPN endpoint's IP address, as part of IKE Phase 1 negotiation.


IPSec Virtual Private Network Fundamentals
ISBN: 1587052075
Pages: 113