negotiating DHCP in IOS IPSec VPN

mattkaya
Level 1

Hi

I am trying to understand how a VPN client negotiates DHCP before a IPSec tunnel is setup.

1) is the dhcp request send in the clear?

2) how about logon?

Could you please point me to a trace/doc that will show the stages and exchanges before tunnel negotiation commences.

Thanks in advance

Matt K

3 Replies

afakhan
Level 4

Hi,

VPN client doesn't negotiate any IP address "before" the vpn tunnel is setup, it happens during the IKE phase I and IKE phase II negotiation, so basically it's part of IKE, and the procedure is known as MODE CONFIG. This doesn't happen in cleartext.

The headend device (e.g., vpn3000/IOS/PIX) assigns an IP address to the incoming vpn client, so that the client machine appears to be sitting directly on the internal network (of course through the tunnel).

If you have a vpn client and a concentrator, and you want to observe it closely, you can turn on IKE/IKEDBG/IPSec/IPSecDBG/AUTH/AUTHDBG, with severity level set to 1-10, and it will show each and every step that a client-to-concentrator negotiation goes through to successfully set up a VPN tunnel.

Let me know, if it answers your Q.

Thx

Afaq

Thanks Afaq

Are you saying that it is static? Is dhcp not possible?

I also did a mode-config search and saw the following for vpn client config

I can figure out how this static configuration will support roaming from one subnet to another - Could you help please?

1- Myconn
   My Identity = ip address            << IS THIS MANUALLY CONFIGURED
   Connection security: Secure
   Remote Party Identity and addressing
     ID Type: IP subnet
     10.2.2.0                          << IS THIS MANUALLY CONFIGURED
     Port all Protocol all
   Connect using secure tunnel
     ID Type: IP address
     201.70.32.101                     << IS THIS MANUALLY CONFIGURED

Thanks

Matt K

Hi Matt

The IP address that is given to the remote VPN client during IKE Mode Config negotiation is an "inner" IP address encapsulated under IPSec. This provides a known IP address for a VPN client, under which this client is presented to the internal corporate network. This IP address is independent from the IP address given by the ISP. So roaming is fulfilled by means of different IP addresses given by the ISP.

Regards, Andriy Lysyuk.
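As an added illustration of the Mode Config exchange Afaq and Andriy describe (not code from this thread or from any Cisco product), the following encodes and decodes the IKEv1 ISAKMP Attribute payload in which the client REQUESTs an inner address and the headend REPLYs with one from its pool. The payload layout and attribute numbers (INTERNAL_IP4_ADDRESS=1, INTERNAL_IP4_NETMASK=2, INTERNAL_IP4_DNS=3) follow RFC 2408 and the Mode Config draft; the 10.2.2.0/24 pool values and the identifier are constructed samples, and in a real tunnel this payload is carried inside the encrypted phase 1 SA, which is why it is not seen in cleartext.

```python
import struct
from ipaddress import IPv4Address
CFG_REQUEST, CFG_REPLY = 1, 2                     # Attribute payload "Type" field
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS = 1, 2, 3  # attribute numbers

def encode_attr(attr_type, value=b""):
    # RFC 2408 data attribute, TLV form (AF bit clear): type, length, value.
    # A zero-length value is how the client REQUESTs an attribute it lacks.
    return struct.pack("!HH", attr_type & 0x7FFF, len(value)) + value

def encode_payload(cfg_type, identifier, attrs):
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    # Next Payload (0 = none), RESERVED, Payload Length, Type, RESERVED, Identifier
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), cfg_type, 0, identifier) + body

def decode_payload(data):
    _, _, length, cfg_type, _, ident = struct.unpack("!BBHBBH", data[:8])
    if length != len(data):
        raise ValueError("payload length field does not match the data")
    attrs, off = {}, 8
    while off < length:
        raw_type, lv = struct.unpack("!HH", data[off:off + 4])
        if raw_type & 0x8000:            # TV form: 16-bit value sits in the length field
            attrs[raw_type & 0x7FFF], off = lv, off + 4
        else:                            # TLV form: bounds-check before slicing
            if off + 4 + lv > length:
                raise ValueError("attribute overruns payload")
            attrs[raw_type], off = data[off + 4:off + 4 + lv], off + 4 + lv
    return cfg_type, ident, attrs

def client_request(identifier):
    # Client asks for an inner address, netmask and DNS server with empty values.
    wanted = (INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS)
    return encode_payload(CFG_REQUEST, identifier, [(t, b"") for t in wanted])

def headend_reply(request, pool):
    # Headend answers only what was asked and echoes the identifier, drawing the
    # address from its pool (the role 'ip local pool' plays on an IOS headend).
    cfg_type, ident, asked = decode_payload(request)
    if cfg_type != CFG_REQUEST:
        raise ValueError("expected ISAKMP_CFG_REQUEST")
    return encode_payload(CFG_REPLY, ident, [(t, IPv4Address(pool[t]).packed) for t in asked if t in pool])

def negotiate(identifier=0x1234):
    # Constructed sample pool: the client appears on 10.2.2.0/24 to the corporate LAN.
    pool = {INTERNAL_IP4_ADDRESS: "10.2.2.50", INTERNAL_IP4_NETMASK: "255.255.255.0", INTERNAL_IP4_DNS: "10.2.2.10"}
    cfg_type, ident, attrs = decode_payload(headend_reply(client_request(identifier), pool))
    assert cfg_type == CFG_REPLY and ident == identifier
    return {t: str(IPv4Address(v)) for t, v in attrs.items()}
```

Because the inner address is assigned here, not by a DHCP broadcast on the local LAN, the client's ISP-assigned outer address can change between subnets while the inner address it presents to the corporate network stays whatever the headend's pool hands out.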