The original IKE protocol standard defined the relationship between two hosts as peers of equal standing. Both peers provide identities that are verified and credentials that are authenticated. This is referred to as Mutual Authentication. While this behavior may be ideal for peers that facilitate site to site communications, it is impractical when supporting a large number of mobile devices that connect to a central gateway. Because most aspects of a mobile device configuration can be altered by the operator, it is difficult to authenticate a client's identity without introducing a more user-centric authentication mechanism. It is also desirable to centrally manage aspects of the remote client operation without requiring user intervention. For this reason, several IKE and IPsec protocol extensions were proposed to improve support for client to gateway functionality and to deal with evolving TCP/IP technologies such as Network Address Translation.
VPN Client Gateway Extensions
An IPsec VPN Client Gateway is an IPsec capable device that implements one or more protocol extensions designed to support client connectivity. The following protocol extensions are supported by both the Shrew Soft VPN Client and the ipsec-tools racoon daemon.
Configuration Exchange
This extension, also known as Mode Config, was devised to exchange information before negotiating IPsec SAs ( after Phase 1 and before Phase 2 ). This is accomplished by defining a new exchange type where attribute values may be offered or requested by a client or a gateway. This exchange can be used for purposes such as obtaining an IP address, subnet mask, DNS settings or private network topology information from a gateway.
Extended Authentication
This extension, also known as XAuth, is based on the Configuration Exchange. It was devised to accommodate user-based authentication. Mutual authentication is still required as the extended authentication occurs after an ISAKMP SA ( Phase 1 ) has been established.
Hybrid Authentication
This extension is based on the Configuration Exchange and Extended Authentication. It was devised to offer user-based authentication without requiring full Mutual Authentication. This is accomplished by simply not authenticating one of the two Peers when attempting to establish the ISAKMP SA ( Phase 1 ). The Peer is later required to pass Extended Authentication to validate the user credentials before allowing IPsec SAs ( Phase 2 ) to be negotiated.
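The attribute exchange that Mode Config and XAuth share (and that Hybrid Authentication reuses unchanged after its one-sided Phase 1) can be made concrete with the following Python model. It is an added example, not code from the Shrew Soft client or the racoon daemon: it packs ISAKMP data attributes (two-byte type/value or type/length/value form) into an attribute payload, runs a Mode Config REQUEST/REPLY for an address, netmask and DNS server, and then the four-message XAuth exchange (REQUEST, REPLY, SET, ACK). The attribute type numbers are those of the Mode Config and XAuth drafts; the address pool, the user table and the message identifiers are constructed sample values.

```python
"""Configuration Exchange attribute payload codec with Mode Config and XAuth walk-throughs.

Added example; not part of the Shrew Soft or racoon code base. The address pool,
credential store and identifiers below are constructed sample values.
"""
import hmac
import ipaddress
import struct

# Configuration message types carried in the attribute payload.
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4

# Mode Config attribute types (variable-length values).
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS = 1, 2, 3, 4
# XAuth attribute types from the XAuth draft (private-use range).
XAUTH_TYPE, XAUTH_USER_NAME, XAUTH_USER_PASSWORD, XAUTH_STATUS = 16520, 16521, 16522, 16527

AF_BIT = 0x8000                                   # set: a 2-byte value follows (TV form)
TV_ATTRIBUTES = {XAUTH_TYPE, XAUTH_STATUS}        # the draft's "basic" attributes
IP4_ATTRIBUTES = {INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS, INTERNAL_IP4_NBNS}
HEADER = struct.Struct("!BBHBBH")   # next payload, reserved, length, cfg type, reserved, identifier

USERS = {"alice": "s3cret"}          # constructed sample credential store (gateway side)


def encode_attribute(attr_type, value):
    """One ISAKMP data attribute: TV for basic types, TLV otherwise; None means empty value."""
    if attr_type in TV_ATTRIBUTES:
        return struct.pack("!HH", AF_BIT | attr_type, value)
    if value is None:
        raw = b""                                 # empty attribute = "please supply this"
    elif attr_type in IP4_ATTRIBUTES:
        raw = ipaddress.IPv4Address(value).packed
    else:
        raw = value.encode("utf-8")
    return struct.pack("!HH", attr_type, len(raw)) + raw


def encode_cfg_payload(msg_type, attributes, identifier, next_payload=0):
    """Attribute payload: generic ISAKMP payload header + cfg header + attributes."""
    body = b"".join(encode_attribute(t, v) for t, v in attributes)
    return HEADER.pack(next_payload, 0, HEADER.size + len(body), msg_type, 0, identifier) + body


def decode_cfg_payload(data):
    """Parse an attribute payload, refusing any length that runs past the buffer."""
    if len(data) < HEADER.size:
        raise ValueError("short attribute payload header")
    _next, _r1, length, msg_type, _r2, identifier = HEADER.unpack_from(data)
    if length < HEADER.size or length > len(data):
        raise ValueError("attribute payload length does not fit the buffer")
    attrs, off = [], HEADER.size
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        raw_type, second = struct.unpack_from("!HH", data, off)
        off += 4
        attr_type = raw_type & 0x7FFF
        if raw_type & AF_BIT:
            attrs.append((attr_type, second))     # TV: 'second' is the value itself
            continue
        if off + second > length:
            raise ValueError("attribute value runs past payload end")
        raw, off = data[off:off + second], off + second
        if second == 0:
            attrs.append((attr_type, None))
        elif attr_type in IP4_ATTRIBUTES and second == 4:
            attrs.append((attr_type, str(ipaddress.IPv4Address(raw))))
        else:
            attrs.append((attr_type, raw.decode("utf-8", errors="replace")))
    return msg_type, identifier, attrs


def modecfg_exchange(client_id=0x1234):
    """Client REQUESTs address, netmask and DNS; gateway REPLYs from a constructed pool."""
    request = encode_cfg_payload(CFG_REQUEST, [(INTERNAL_IP4_ADDRESS, None),
                                               (INTERNAL_IP4_NETMASK, None),
                                               (INTERNAL_IP4_DNS, None)], client_id)
    # Gateway side: decode what was asked for and answer only those attributes.
    _, ident, wanted = decode_cfg_payload(request)
    pool = {INTERNAL_IP4_ADDRESS: "10.99.0.10", INTERNAL_IP4_NETMASK: "255.255.255.0",
            INTERNAL_IP4_DNS: "10.0.0.53"}
    reply = encode_cfg_payload(CFG_REPLY, [(t, pool[t]) for t, _ in wanted if t in pool], ident)
    return decode_cfg_payload(reply)               # what the client sees


def xauth_exchange(username, password, ident=0x0042):
    """Four-message XAuth: gateway REQUEST, client REPLY, gateway SET status, client ACK.
    Returns the XAUTH_STATUS the client acknowledged (1 = OK, 0 = FAIL)."""
    request = encode_cfg_payload(CFG_REQUEST, [(XAUTH_TYPE, 0), (XAUTH_USER_NAME, None),
                                               (XAUTH_USER_PASSWORD, None)], ident)
    _, ident, asked = decode_cfg_payload(request)
    supplied = {XAUTH_TYPE: 0, XAUTH_USER_NAME: username, XAUTH_USER_PASSWORD: password}
    reply = encode_cfg_payload(CFG_REPLY, [(t, supplied[t]) for t, _ in asked], ident)
    # Gateway side: constant-time compare against the credential store.
    got = dict(decode_cfg_payload(reply)[2])
    name, pw = got.get(XAUTH_USER_NAME) or "", got.get(XAUTH_USER_PASSWORD) or ""
    ok = name in USERS and hmac.compare_digest(USERS[name].encode(), pw.encode())
    status_msg = encode_cfg_payload(CFG_SET, [(XAUTH_STATUS, 1 if ok else 0)], ident)
    # Client side: echo the status back in an ACK; the gateway allows Phase 2 only on status 1.
    _, _, status = decode_cfg_payload(status_msg)
    ack = encode_cfg_payload(CFG_ACK, status, ident)
    return dict(decode_cfg_payload(ack)[2])[XAUTH_STATUS]


if __name__ == "__main__":
    print(modecfg_exchange())
    print("alice/s3cret ->", xauth_exchange("alice", "s3cret"))
    print("alice/wrong  ->", xauth_exchange("alice", "wrong"))
```

The decoder rejects every length field that points past the buffer before it touches a value, which is the check a gateway has to make on these client-supplied attributes, and the gateway compares the password with hmac.compare_digest rather than ==. Because the whole exchange runs inside the already established ISAKMP SA, the user name and password travel encrypted, but with Hybrid Authentication the client has not yet proven anything at this point, so the gateway must hold off on Phase 2 until it has sent XAUTH_STATUS 1.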
Dead Peer Detection
This extension, also known as DPD, is based on the ISAKMP Informational exchange and provides a method of detecting when a peer is no longer responsive. This is accomplished by submitting and responding to periodic DPD requests. If a Peer fails to respond within a certain time period, all associated SAs are normally considered dead.
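The timing behind "fails to respond within a certain time period" is easiest to see in code. The following Python model is an added example, not racoon's or the Shrew Soft client's implementation; its three knobs (idle delay before the first probe, retransmit interval, and number of unanswered probes before the peer is declared dead) mirror the kind of settings a DPD implementation exposes. It assumes a retransmitted request keeps its sequence number, which is a modelling choice since the retry policy is implementation-specific, and the timeline in run_scenario is constructed.

```python
"""Dead Peer Detection bookkeeping for one peer (initiator and responder sides).

Added example, not racoon or Shrew Soft code. Times are seconds on a monotonic clock.
Assumption: a retransmitted R-U-THERE reuses its sequence number.
"""
import itertools


class DpdMonitor:
    """Initiator side: decide when to send R-U-THERE and when to give up on the peer."""

    def __init__(self, delay=20, retry=5, maxfail=5):
        self.delay, self.retry, self.maxfail = delay, retry, maxfail
        self.last_proof = 0.0          # last time we had proof the peer is alive
        self.seq = itertools.count(1)  # probe sequence numbers, strictly increasing
        self.outstanding = None        # (seq, time sent) of the unanswered probe
        self.failures = 0              # unanswered probes in a row
        self.dead = False              # once set, every SA with this peer is torn down

    def peer_traffic(self, now):
        """Any authenticated packet from the peer is proof of life; no probe is needed."""
        self.last_proof, self.outstanding, self.failures = now, None, 0

    def tick(self, now):
        """Called periodically; returns the seq of an R-U-THERE to send now, else None."""
        if self.dead:
            return None
        if self.outstanding is None:
            if now - self.last_proof < self.delay:
                return None                       # idle, but not yet long enough to probe
            seq = next(self.seq)
            self.outstanding = (seq, now)
            return seq
        seq, sent = self.outstanding
        if now - sent < self.retry:
            return None                           # still waiting for the ACK
        self.failures += 1
        if self.failures >= self.maxfail:
            self.dead = True                      # peer declared dead: drop ISAKMP and IPsec SAs
            return None
        self.outstanding = (seq, now)             # retransmit the same probe
        return seq

    def ack(self, seq, now):
        """R-U-THERE-ACK from the peer; only the outstanding seq counts, stale ACKs are ignored."""
        if self.outstanding and self.outstanding[0] == seq:
            self.peer_traffic(now)
            return True
        return False


class DpdResponder:
    """Responder side: answer a probe only if its seq is newer than the last one (replay guard)."""

    def __init__(self):
        self.highest_seen = 0

    def on_r_u_there(self, seq):
        """Return the seq to echo in an R-U-THERE-ACK, or None if the probe is a replay."""
        if seq <= self.highest_seen:
            return None
        self.highest_seen = seq
        return seq


def run_scenario(delay=20, retry=5, maxfail=3):
    """Constructed timeline: one answered probe, then a peer that goes silent at t=40."""
    mon = DpdMonitor(delay, retry, maxfail)
    mon.peer_traffic(0)
    sent = []
    for now in range(0, 60):
        seq = mon.tick(now)
        if seq is not None:
            sent.append((now, seq))
            if now < 40:                          # peer still alive: answers one second later
                mon.ack(seq, now + 1)
    return sent, mon.dead


if __name__ == "__main__":
    probes, dead = run_scenario()
    print("probes sent (time, seq):", probes)
    print("peer declared dead:", dead)
```

With the defaults in run_scenario the first probe at t=20 is answered, the peer falls silent, and the second probe is sent at t=41 and retransmitted at t=46 and t=51; the third unanswered retry at t=56 reaches maxfail and the SAs are considered dead. Responder-side sequence checking matters because an attacker who can replay an old R-U-THERE must not be able to keep a dead peer looking alive or to provoke ACK traffic at will.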
Additional Extensions
When using a security protocol to perform message authentication or encryption, packets can often grow to be larger than the Maximum Transmission Unit ( "MTU" ) for a given network path or gateway interface. This is due to the overhead associated with including additional protocol headers and performing packet encapsulation. Some routers may refuse to fragment or forward certain packets if they are larger than an arbitrary size. Other routers may drop packet fragments even if they are an acceptable size for the given interface MTU. Finally, it is very common for problems to occur when a router that performs Network Address Translation ( "NAT" ) exists between two IPsec peers. The following protocol extensions are supported by both the Shrew Soft VPN Client and the ipsec-tools racoon daemon.
IKE Fragmentation
In some instances, key exchange packets can be large, which leads to packet loss as described above. By using an extension to the IKE protocol, it is possible for IPsec Peers to exchange large packets even when a troublesome router exists between them.
NAT Traversal
Almost all personal firewall appliances employ NAT as a means for multiple devices to share a single Internet connection. By using extensions to the IKE and ESP protocols, it is possible for IPsec Peers to exchange packets even when a NAT device exists between them.
The Open Source edition of the Shrew Soft VPN Client requires that the kernel support IPsec NAT Traversal at the OS level. Please consult your operating system documentation for more details.