04-12-2003 03:16 PM - edited 02-21-2020 12:28 PM
Hi
I am trying to understand how a VPN client negotiates DHCP before an IPSec tunnel is set up.
1) Is the DHCP request sent in the clear?
2) How about logon?
Could you please point me to a trace/doc that will show the stages and exchanges before tunnel negotiation commences.
Thanks in advance
Matt K
04-12-2003 04:43 PM
Hi,
The VPN client doesn't negotiate any IP address "before" the VPN tunnel is set up; it happens during the IKE phase I and IKE phase II negotiation, so basically it's part of IKE, and the procedure is known as MODE CONFIG. This doesn't happen in cleartext.
The headend device (e.g., vpn3000/IOS/PIX) assigns an IP address to the incoming VPN client, so that the client machine appears to be sitting directly on the internal network (of course through the tunnel).
If you have a VPN client and a concentrator, and you want to observe it closely, you can turn on IKE/IKEDBG/IPSec/IPSecDBG/AUTH/AUTHDBG, with severity level set to 1-10, and it will show each and every step that a client and concentrator go through to successfully negotiate a VPN tunnel.
Let me know if it answers your Q.
Thx
Afaq
04-14-2003 03:02 PM
Thanks Afaq
Are you saying that it is static? Is DHCP not possible?
I also did a mode-config search and saw the following for VPN client config:
I can figure out how this static configuration will support roaming from one subnet to another - Could you help please?
1- Myconn
My Identity = ip address << IS THIS MANUALLY CONFIGURED
Connection security: Secure
Remote Party Identity and addressing
ID Type: IP subnet
10.2.2.0 << IS THIS MANUALLY CONFIGURED
Port all Protocol all
Connect using secure tunnel
ID Type: IP address
201.70.32.101 << IS THIS MANUALLY CONFIGURED
Thanks
Matt K
04-16-2003 03:51 AM
Hi Matt
The IP address that is given to the remote VPN client during IKE Mode Config negotiation is an inner IP address encapsulated under IPSec. This provides a known IP address for a VPN client, under which this client is presented to the internal corporate network. This IP address is independent of the IP address given by the ISP. So roaming is fulfilled by means of different IP addresses given by the ISP.
Regards, Andriy Lysyuk.
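
Added illustration (not part of any reply above, and not Cisco code): a minimal parser for the Attribute payload that Mode Config carries, assuming the layout and codes of the ISAKMP Configuration Method draft (draft-dukes-ike-mode-cfg). The sample bytes, the identifier and the 10.0.0.x addresses are constructed, and because the exchange is encrypted on the wire the parser expects already-decrypted payload bytes.

```python
import ipaddress
import struct

# Codes as assigned in the ISAKMP Configuration Method draft (assumed layout).
CFG_TYPES = {1: "REQUEST", 2: "REPLY", 3: "SET", 4: "ACK"}
ATTRS = {1: "INTERNAL_IP4_ADDRESS", 2: "INTERNAL_IP4_NETMASK",
         3: "INTERNAL_IP4_DNS", 4: "INTERNAL_IP4_NBNS"}

def parse_mode_config(payload: bytes) -> dict:
    """Parse one decrypted Attribute payload, generic header included."""
    if len(payload) < 8:
        raise ValueError("shorter than the fixed 8-byte header")
    _nxt, _r1, length, cfg_type, _r2, ident = struct.unpack("!BBHBBH", payload[:8])
    if length != len(payload):
        raise ValueError("length field does not match the data")
    attrs, off = [], 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        raw_type, second = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        code = raw_type & 0x7FFF
        name = ATTRS.get(code, f"UNKNOWN_{code}")
        if raw_type & 0x8000:   # AF bit set: 2-byte value, no length field
            value = second
        else:                   # AF bit clear: length, then value (empty = "assign me one")
            if off + second > length:
                raise ValueError("attribute value runs past the payload")
            data = payload[off:off + second]
            off += second
            value = str(ipaddress.IPv4Address(data)) if len(data) == 4 else data.hex()
        attrs.append((name, value))
    return {"type": CFG_TYPES.get(cfg_type, f"UNKNOWN_{cfg_type}"),
            "id": ident, "attributes": attrs}

def _tlv(code: int, value: bytes = b"") -> bytes:
    return struct.pack("!HH", code, len(value)) + value

def _payload(cfg_type: int, ident: int, attrs: list) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), cfg_type, 0, ident) + body

# Constructed sample exchange: client asks, headend answers with the inner address.
SAMPLE_REQUEST = _payload(1, 0x1234, [_tlv(1), _tlv(2), _tlv(3)])
SAMPLE_REPLY = _payload(2, 0x1234, [_tlv(1, bytes([10, 0, 0, 25])),
                                    _tlv(2, bytes([255, 255, 255, 0])),
                                    _tlv(3, bytes([10, 0, 0, 53]))])
if __name__ == "__main__":
    print(parse_mode_config(SAMPLE_REQUEST), parse_mode_config(SAMPLE_REPLY), sep="\n")
```

The request carries empty attributes and the reply fills them in, which is why no DHCP traffic from the client appears outside the tunnel.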