[VPN] Re: IPsec VPNs incl. modecfg vs. DHCP

Scott G. Kelly scott at airespace.com
Fri Feb 7 16:14:23 EST 2003


I'll take a shot at answering this. Comments inline below...

BSingh at Nomadix.com wrote:
> 
> Posting again due to bad format last time.
> ------------------------------------------
> 
> I have a few clarifications regarding usage of IPsec for VPNs. I have
> even been going through the thread of Modecfg vs. DHCP and seem a little confused
> regarding the functionality.
> 
> - This particular debate of Modecfg vs. DHCP relates only to remote access
> scenarios or does it extend to address management for site-to-site VPNs. I
> would distinguish the 2 using the following definitions- One tunnel per
> machine and address to be given out (whichever way - modecfg or DHCP) at
> tunnel setup time would be Remote Access. Site-to-site would be that tunnel
> is setup a priori between 2 gateways and both sides would be different
> private subnets. Users in site-to-site VPNs get addresses typically from
> their own subnet's DHCP servers. Please correct me if I am wrong.

This is probably a reasonable attempt at a definition, but it leaves out
remote access scenarios where a personal security gateway is at the
remote end. Also, remote access users do not *necessarily* need address
assignment, but this is often done to simplify Windows networking tasks
via the VPN.
 
> - Is it also possible that in a site-to-site VPN the address allocation is
> handled by only one of the private networks (subnets), i.e. DHCP is
> tunneled over to this network from all other private networks and responses
> tunneled back? Is it a typical setup? Is the discussion of modecfg vs. DHCP
> relevant in this case? I assume that there might be some routing issues in
> this setup for tunneling the responses back to the DHCP requesters through
> the right tunnels. Maybe some state maintenance at the gateways.

I've never seen this attempted, but that doesn't mean it won't be done.
Obvious issues result if connectivity is lost at renewal time. I have
seen it done in telecommuter scenarios where the user has a small
network behind a personal sgw, but again, there are issues if
connectivity is lost and lease times are small. This can be resolved by
having a lightweight dhcp server on the personal sgw which doles out
short-lived config when the tunnel is down, and forwards dhcp through
the tunnel when it is up. Modecfg doesn't seem to make much sense in
such scenarios.

> - Typical IPsec implementations. Most of them are bump in the stack
> (software ones). Am I correct? Does it mean that IP routing is the only way
> to direct traffic into the right tunnels, i.e. destination address based?
> Are there any implementations that do not follow this paradigm. Any pointers
> would be helpful.

I'll leave this one for someone else to answer...

Scott
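The telecommuter arrangement Scott describes above (a personal security gateway that relays DHCP through the tunnel while it is up and hands out short-lived leases itself while it is down) can be modelled as a small decision function on the DHCP packet. The following is an added example written for this archive page, not code from the list or from any vendor: it builds DHCPDISCOVER/DHCPREQUEST messages per the RFC 2131 fixed header and option layout, parses them, and applies the relay-or-serve rule. The class name `PersonalGateway`, the 120-second fallback lease, the one-address local pool, the hop threshold of 4 and the sample MAC addresses are all assumptions chosen for illustration.

```python
import ipaddress
import struct

# Fixed BOOTP/DHCP header (RFC 2131 section 2): 236 bytes before the magic cookie.
HDR = "!BBBBIHH4s4s4s4s16s64s128s"
HDR_LEN = struct.calcsize(HDR)          # 236
MAGIC = b"\x63\x82\x53\x63"
ZERO4 = b"\0" * 4
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5   # option 53 message types


def build_client_msg(mtype: int, xid: int, mac: bytes) -> bytes:
    """Constructed DHCPDISCOVER/DHCPREQUEST from a LAN client (op=BOOTREQUEST)."""
    hdr = struct.pack(HDR, 1, 1, 6, 0, xid, 0, 0x8000,
                      ZERO4, ZERO4, ZERO4, ZERO4,
                      mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + bytes([53, 1, mtype]) + b"\xff"


def parse(pkt: bytes) -> dict:
    """Parse the fixed header and the TLV options of a DHCP packet."""
    f = struct.unpack(HDR, pkt[:HDR_LEN])
    if pkt[HDR_LEN:HDR_LEN + 4] != MAGIC:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, HDR_LEN + 4
    while i < len(pkt) and pkt[i] != 255:       # 255 = end option
        if pkt[i] == 0:                         # 0 = pad
            i += 1
            continue
        code, length = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": f[0], "hops": f[3], "xid": f[4], "yiaddr": f[8],
            "siaddr": f[9], "giaddr": f[10], "chaddr": f[11][:f[2]],
            "options": opts}


class PersonalGateway:
    """Hypothetical personal security gateway.  Tunnel up: act as a DHCP relay
    agent toward the corporate server.  Tunnel down: serve short leases from a
    small local pool so the home LAN keeps working until the tunnel returns."""

    def __init__(self, lan_addr, tunnel_up, local_pool, local_lease=120):
        self.lan_addr = ipaddress.IPv4Address(lan_addr)
        self.tunnel_up = tunnel_up
        self.pool = list(local_pool)    # assumed fallback addresses
        self.local_lease = local_lease  # seconds; deliberately short
        self.leases = {}                # client MAC -> locally assigned address

    def handle(self, pkt: bytes):
        """Return (action, packet): 'relay' (send through tunnel), 'reply'
        (answer locally) or 'drop'."""
        msg = parse(pkt)
        mtype = msg["options"].get(53, b"\0")[0]
        if mtype not in (DISCOVER, REQUEST):
            return "drop", None
        if self.tunnel_up:
            out = self._relay(pkt, msg)
            return ("relay", out) if out else ("drop", None)
        out = self._local_reply(msg, OFFER if mtype == DISCOVER else ACK)
        return ("reply", out) if out else ("drop", None)

    def _relay(self, pkt, msg):
        # Relay-agent rules (RFC 2131 section 4.1 / RFC 1542): discard when the
        # hop count passes the threshold (assumed 4), otherwise bump hops, set
        # giaddr to our LAN address unless an earlier relay set it, and forward
        # the rest of the packet unchanged.
        if msg["hops"] >= 4:
            return None
        giaddr = msg["giaddr"] if msg["giaddr"] != ZERO4 else self.lan_addr.packed
        return pkt[:3] + bytes([msg["hops"] + 1]) + pkt[4:24] + giaddr + pkt[28:]

    def _local_reply(self, msg, reply_type):
        mac = msg["chaddr"]
        if mac not in self.leases:
            if not self.pool:
                return None                 # pool exhausted: stay silent
            self.leases[mac] = self.pool.pop(0)
        yiaddr = ipaddress.IPv4Address(self.leases[mac]).packed
        hdr = struct.pack(HDR, 2, 1, 6, 0, msg["xid"], 0, 0x8000,
                          ZERO4, yiaddr, self.lan_addr.packed, ZERO4,
                          mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
        opts = (bytes([53, 1, reply_type])
                + bytes([54, 4]) + self.lan_addr.packed                 # server id
                + bytes([51, 4]) + struct.pack("!I", self.local_lease)  # lease time
                + b"\xff")
        return hdr + MAGIC + opts
```

The short local lease is what makes the fallback safe: a client that was configured locally while the tunnel was down comes back within minutes, and by then its REQUEST is relayed to the corporate server, which (in a real deployment) would NAK the foreign address and restart the client's lease from the corporate pool. The model above stops at that decision point; it does not implement renewal state, NAKs or the corporate server side.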
