[VPN] IPsec VPNs incl. modecfg vs. DHCP

BSingh at Nomadix.com
Fri Feb 7 12:40:12 EST 2003


Posting again due to bad format last time.
------------------------------------------

I have a few clarifications regarding usage of IPsec for VPNs. I have
even been going through the thread on Modecfg vs. DHCP and seem a little confused
regarding the functionality.

- Does this particular debate of Modecfg vs. DHCP relate only to remote access
scenarios, or does it extend to address management for site-to-site VPNs? I
would distinguish the two using the following definitions: one tunnel per
machine, with the address given out (whichever way - modecfg or DHCP) at
tunnel setup time, would be Remote Access. Site-to-site would be that the tunnel
is set up a priori between 2 gateways and both sides would be different
private subnets. Users in site-to-site VPNs typically get addresses from
their own subnet's DHCP servers. Please correct me if I am wrong.

- Is it also possible that in a site-to-site VPN the address allocation is
handled by only one of the private networks (subnets), i.e., DHCP is
tunneled over to this network from all other private networks and responses
tunneled back? Is it a typical setup? Is the discussion of modecfg vs. DHCP
relevant in this case? I assume that there might be some routing issues in
this setup for tunneling the responses back to the DHCP requesters through
the right tunnels. Maybe some state maintenance at the gateways.

- Typical IPsec implementations. Most of them are bump in the stack
(software ones). Am I correct? Does it mean that IP routing is the only way
to direct traffic into the right tunnels, i.e., destination address based?
Are there any implementations that do not follow this paradigm? Any pointers
would be helpful.

thanks

-Bik

----------------------------------------------------------------------------
Bik Singh                                   818-575-2518 (Off) 
Research Scientist                      818-597-1502 (Fax) 
Product Development                  31355 Agoura Road 
Nomadix                         Westlake Village, CA 91361 