- The station can be pre-configured with a static IP.
- The station can use DHCP to lease an IP;
- if the AP has a DHCP server, it can supply the IP.
- a DHCP server on the AP's Ethernet can supply the IP.
- the AP can relay DHCP to a specific DHCP server.
Next, let's look at the role of the station's IP address in IPsec. When using pre-shared keys (PSK) in IKE Main Mode, the gateway will find the matching PSK by looking up the station's IP in its security policy database. This works when the station is using a static IP. When the station is using a DHCP-assigned IP, this works only if the same PSK is used for the entire DHCP address pool. Some gateways can support group PSKs; others cannot.
A common alternative is to use PSK in IKE Aggressive Mode. This lets the VPN client's Identity be something other than IP address -- usually an email address (User-FQDN). The gateway uses the client's email address to find the matching PSK in its security policy database. Every client can have its own PSK, or several clients can share the same identity and PSK. Group PSKs are frequently used in conjunction with user-level sub-authentication -- for example, if your gateway uses XAUTH to prompt the client for a username/password after passing IKE authentication with the group PSK.
A much stronger alternative is to use digital certificates instead. Certificates work in IKE Main Mode using either static IPs or something other than IP address as the VPN client's identity. When the certificate is issued, it is bound to the subject's identity -- an email address or an X.500 Distinguished Name (a long, structured value that carries organization, location, and the user's first/last name.) The gateway uses the client's identity to see whether this user is allowed to authenticate by certificate, and then uses public key crypto to check the validity of the certificate.
Once the VPN client is authenticated, it must keep the same IP address for the lifetime of the IPsec tunnel. IPsec uses the source IP address on every packet to make sure the authenticated client really sent that packet. So, if the client's IP address changes, it must go through IKE authentication again to create a new IPsec tunnel.
There is one last trick to making IPsec and DHCP work together -- letting the station renew its IP address. Depending upon the VPN client and the DHCP server, you may need to define the client's security policy to allow DHCP to pass outside the VPN tunnel, over the WLAN to the AP.
This question was asked at Ask the Experts on SearchNetworking.com.
This was first published in June 2009