Ensuring wireless connectivity with IPsec-secured access points

Lisa Phifer, Contributing expert
Ensuring the wireless network is functioning correctly allows users to work uninterrupted, so it is important to understand how a wireless client obtains IP addresses on an IPsec-based, secured access point (AP).

Let's start with how stations get IP addresses:
  1. The station can be pre-configured with a static IP.
  2. The station can use DHCP to lease an IP;
    • if the AP has a DHCP server, it can supply the IP.
    • a DHCP server on the AP's Ethernet can supply the IP.
    • the AP can relay DHCP to a specific DHCP server.

Next, let's look at the role of the station's IP address in IPsec. When using pre-shared keys (PSK) in IKE Main Mode, the gateway will find the matching PSK by looking up the station's IP in its security policy database. This works when the station is using a static IP. When the station is using a DHCP-assigned IP, this works only if the same PSK is used for the entire DHCP address pool. Some gateways can support group PSKs; others cannot.

A common alternative is to use PSK in IKE Aggressive Mode. This lets the VPN client's Identity be something other than IP address -- usually an email address (User-FQDN). The gateway uses the client's email address to find the matching PSK in its security policy database. Every client can have its own PSK, or several clients can share the same identity and PSK. Group PSKs are frequently used in conjunction with user-level sub-authentication -- for example, if your gateway uses XAUTH to prompt the client for a username/password after passing IKE authentication with the group PSK.

A much stronger alternative is to use digital certificates instead. Certificates work in IKE Main Mode using either static IPs or something other than IP address as the VPN client's identity. When the certificate is issued, it is bound to the subject's identity -- an email address or an X.500 Distinguished Name (a long, structured value that carries organization, location, and the user's first/last name). The gateway uses the client's identity to see whether this user is allowed to authenticate by certificate, and then uses public key crypto to check the validity of the certificate.

Once the VPN client is authenticated, it must keep the same IP address for the lifetime of the IPsec tunnel. IPsec uses the source IP address on every packet to make sure the authenticated client really sent that packet. So, if the client's IP address changes, it must go through IKE authentication again to create a new IPsec tunnel.

There is one last trick to making IPsec and DHCP work together -- letting the station renew its IP address. Depending upon the VPN client and the DHCP server, you may need to define the client's security policy to allow DHCP to pass outside the VPN tunnel, over the WLAN to the AP.
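As an added illustration (not from the original tip), here is how the pieces above map onto a strongSwan ipsec.conf on the station: an Aggressive Mode group PSK keyed on a User-FQDN identity with XAUTH sub-authentication, plus a passthrough policy so DHCP renewals reach the AP outside the tunnel. The gateway address, identity, user name and secrets are placeholders.

```conf
# ipsec.conf (strongSwan, IKEv1) -- added example, not from the original tip.
# Placeholder values: gateway 203.0.113.1, identity user@example.com, XAUTH user "user".

conn %default
    keyexchange=ikev1
    ike=aes256-sha256-modp2048
    esp=aes256-sha256

# Aggressive Mode with a group PSK: the station identifies itself with a
# User-FQDN (e-mail style) ID, so the gateway looks up the PSK by that ID
# rather than by the station's DHCP-assigned, changeable IP address.
conn wlan-vpn
    aggressive=yes
    left=%defaultroute            # whatever address DHCP handed the station
    leftid=user@example.com       # User-FQDN identity (placeholder)
    leftauth=psk                  # group PSK for IKE phase 1
    leftauth2=xauth               # per-user username/password on top of the PSK
    xauth_identity=user           # placeholder XAUTH user name
    right=203.0.113.1             # placeholder gateway address
    rightauth=psk
    rightsubnet=0.0.0.0/0         # everything else goes through the tunnel
    auto=start

# Let DHCP renewals pass outside the tunnel: without this bypass policy the
# station's security policy would try to push its DHCP request into the tunnel,
# and the lease could never be renewed over the WLAN to the AP.
conn dhcp-bypass
    type=passthrough
    leftsubnet=0.0.0.0/0[udp/68]  # bootpc: the station's DHCP client port
    rightsubnet=0.0.0.0/0[udp/67] # bootps: the AP's or upstream DHCP server port
    auto=route
```

The matching ipsec.secrets would hold one `user@example.com 203.0.113.1 : PSK "..."` line for the group PSK and one `user : XAUTH "..."` line for the sub-authentication password (both placeholders).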

This question was asked at Ask the Experts on SearchNetworking.com.

About the author: Lisa Phifer is president and co-owner of Core Competence, a consulting firm focused on business use of emerging network and security technologies. At Core Competence, Lisa draws upon her 27 years of network design, implementation and testing experience to provide a range of services, from vulnerability assessment and product evaluation to user education and white paper development. She has advised companies large and small regarding the use of network technologies and security best practices to manage risk and meet business needs. Lisa teaches and writes extensively about a wide range of technologies, from wireless/mobile security and intrusion prevention to virtual private networking and network access control. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.


This was first published in June 2009
