Ensuring wireless connectivity with IPsec-secured access points

Knowing how a wireless client obtains an IP address on an IPsec-based, secured access point helps keep the wireless network functioning correctly, so users can work uninterrupted.

Ensuring the wireless network is functioning correctly allows users to work uninterrupted, so it is important to understand how a wireless client obtains IP addresses on an IPsec-based, secured access point (AP).

Let's start with how stations get IP addresses:

  1. The station can be pre-configured with a static IP.
  2. The station can use DHCP to lease an IP:
     • If the AP has a DHCP server, it can supply the IP.
     • A DHCP server on the AP's Ethernet can supply the IP.
     • The AP can relay DHCP to a specific DHCP server.

Next, let's look at the role of the station's IP address in IPsec. When using pre-shared keys (PSK) in IKE Main Mode, the gateway will find the matching PSK by looking up the station's IP in its security policy database. This works when the station is using a static IP. When the station is using a DHCP-assigned IP, this works only if the same PSK is used for the entire DHCP address pool. Some gateways can support group PSKs; others cannot.

A common alternative is to use PSK in IKE Aggressive Mode. This lets the VPN client's Identity be something other than IP address -- usually an email address (User-FQDN). The gateway uses the client's email address to find the matching PSK in its security policy database. Every client can have its own PSK, or several clients can share the same identity and PSK. Group PSKs are frequently used in conjunction with user-level sub-authentication -- for example, if your gateway uses XAUTH to prompt the client for a username/password after passing IKE authentication with the group PSK.
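The difference between the two PSK lookups above is easiest to see in code. The following is an added illustration, not code from the article or from any particular VPN gateway: a simplified security policy database with three constructed entries (a static station, a DHCP pool covered by one group PSK, and a user identified by e-mail address), plus a Main Mode lookup keyed by source IP and an Aggressive Mode lookup keyed by User-FQDN. The addresses, identities and key values are made up for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class PskEntry:
    """One row of a simplified security policy database (constructed model)."""
    selector: str   # a single IP, a CIDR address pool, or a User-FQDN (e-mail) identity
    psk: bytes


# Constructed sample database: a static station, a DHCP pool that shares one
# group PSK, and a user identified by e-mail address for Aggressive Mode.
# Order matters for the Main Mode lookup: specific hosts go before pools.
SPD: List[PskEntry] = [
    PskEntry("192.168.1.10", b"static-station-psk"),
    PskEntry("192.168.1.64/26", b"group-psk-for-dhcp-pool"),   # covers .64 - .127
    PskEntry("alice@example.com", b"alice-psk"),
]


def _as_network(selector: str) -> Optional[Network]:
    """Return the selector as a network if it is an address selector, else None."""
    try:
        return ipaddress.ip_network(selector, strict=False)
    except ValueError:
        return None   # not an IP or CIDR, so it is an identity selector


def lookup_psk_main_mode(peer_ip: str, spd: List[PskEntry]) -> Optional[bytes]:
    """Main Mode: the only identity the gateway has when it needs the PSK is the
    peer's source IP, so it matches that IP against the address selectors.
    A DHCP-assigned address only matches if a pool entry covers it."""
    addr = ipaddress.ip_address(peer_ip)
    for entry in spd:
        net = _as_network(entry.selector)
        if net is not None and addr in net:
            return entry.psk
    return None


def lookup_psk_aggressive_mode(identity: str, spd: List[PskEntry]) -> Optional[bytes]:
    """Aggressive Mode: the client sends its identity (here a User-FQDN) in the
    first exchange, so the lookup is by identity and independent of its IP."""
    for entry in spd:
        if _as_network(entry.selector) is None and entry.selector == identity:
            return entry.psk
    return None


if __name__ == "__main__":
    # A station leased 192.168.1.70 from the pool finds the group PSK; a lease
    # outside the covered pool (192.168.1.200) finds nothing and IKE fails.
    print(lookup_psk_main_mode("192.168.1.70", SPD))
    print(lookup_psk_main_mode("192.168.1.200", SPD))
    print(lookup_psk_aggressive_mode("alice@example.com", SPD))
```

The second `print` is the case the article warns about: a gateway that keys PSKs by IP can only serve DHCP clients if every address the pool can hand out is covered by an entry with the same key, which is why group PSKs (or an identity-based lookup) come into play.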

A much stronger alternative is to use digital certificates instead. Certificates work in IKE Main Mode using either static IPs or something other than IP address as the VPN client's identity. When the certificate is issued, it is bound to the subject's identity -- an email address or an X.500 Distinguished Name (a long, structured value that carries organization, location, and the user's first/last name). The gateway uses the client's identity to see whether this user is allowed to authenticate by certificate, and then uses public key crypto to check the validity of the certificate.

Once the VPN client is authenticated, it must keep the same IP address for the lifetime of the IPsec tunnel. IPsec uses the source IP address on every packet to make sure the authenticated client really sent that packet. So, if the client's IP address changes, it must go through IKE authentication again to create a new IPsec tunnel.

There is one last trick to making IPsec and DHCP work together -- letting the station renew its IP address. Depending upon the VPN client and the DHCP server, you may need to define the client's security policy to allow DHCP to pass outside the VPN tunnel, over the WLAN to the AP.
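The two points above (the tunnel is bound to the client's IP, and DHCP renewal has to travel outside the tunnel) can be shown with a small model. This is an added example, not code from the article or any VPN product: a tunnel SA that remembers the authenticated peer IP, an inbound check that compares each packet's source IP against it, and a station-side policy whose first rule lets DHCP client traffic (UDP source port 68 to destination port 67) bypass the tunnel while everything else is protected. All addresses and SPI values are constructed.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal packet header (constructed model)."""
    src: str
    dst: str
    proto: str   # "udp" or "tcp"
    sport: int
    dport: int


@dataclass(frozen=True)
class TunnelSA:
    """An established IPsec tunnel, bound to the peer IP that passed IKE."""
    peer_ip: str
    spi: int


def sa_accepts(sa: TunnelSA, pkt: Packet) -> bool:
    """Gateway-side check: a packet is only accepted on this SA if its source IP
    is the address the client had when the SA was authenticated."""
    return pkt.src == sa.peer_ip


def needs_new_tunnel(sa: TunnelSA, current_ip: str) -> bool:
    """If the station's address changed (for example, a DHCP renewal handed out a
    different lease), the old SA no longer matches and IKE must run again."""
    return current_ip != sa.peer_ip


# Station-side security policy, evaluated top to bottom. The first rule lets the
# DHCP client exchange go out in the clear over the WLAN to the AP, so the lease
# can be renewed without the tunnel; everything else must be protected.
Rule = Tuple[str, Callable[[Packet], bool]]
STATION_POLICY: List[Rule] = [
    ("bypass", lambda p: p.proto == "udp" and p.sport == 68 and p.dport == 67),
    ("protect", lambda p: True),
]


def classify(pkt: Packet, policy: List[Rule] = STATION_POLICY) -> str:
    """Return the action ("bypass" or "protect") of the first matching rule."""
    for action, match in policy:
        if match(pkt):
            return action
    return "discard"


if __name__ == "__main__":
    sa = TunnelSA(peer_ip="192.168.1.70", spi=0x1001)
    # Same lease renewed: the tunnel keeps working.
    print(needs_new_tunnel(sa, "192.168.1.70"))
    # Renewal returned a different address: the station must re-run IKE.
    print(needs_new_tunnel(sa, "192.168.1.71"))
    # The DHCP renewal itself is sent outside the tunnel.
    print(classify(Packet("192.168.1.70", "192.168.1.1", "udp", 68, 67)))
```

Without the `bypass` rule, the station's own policy would try to push the DHCP renewal into the tunnel, the AP's DHCP server would never see it, the lease would expire, and the station would be back at the "address changed, re-authenticate" case.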

This question was asked at Ask the Experts on SearchNetworking.com.

Lisa Phifer, Contributing expert
About the author: Lisa Phifer is president and co-owner of Core Competence, a consulting firm focused on business use of emerging network and security technologies. At Core Competence, Lisa draws upon her 27 years of network design, implementation and testing experience to provide a range of services, from vulnerability assessment and product evaluation to user education and white paper development. She has advised companies large and small regarding the use of network technologies and security best practices to manage risk and meet business needs. Lisa teaches and writes extensively about a wide range of technologies, from wireless/mobile security and intrusion prevention to virtual private networking and network access control. She is also a site expert to SearchMobileComputing.com and SearchNetworking.com.


This was first published in June 2009
