Vyatta documentation


General behavior of IPsec RA VPN clients

IPsec RA VPN client behaviors that are not specific to the Vyatta NOS implementation.

We configure the IPsec RA VPN client with the address or DNS name of one or more IPsec RA VPN servers. To establish a connection, however, the client initiates an IKE exchange with only one server at a time; it cannot try several servers in parallel and then pick one.

When you use X.509 certificate-based authentication, the client receives each server's end-entity (host) certificate and validates it against the locally configured, trusted CA certificate.

If the certificate authority uses a CRL or OCSP revocation mechanism, then once the initial server certificate verification is complete the VPN client performs a revocation check using CRL or OCSP. This ensures that it does not connect to a malicious server presenting a compromised or stolen certificate that the certificate authority has since revoked. For this to work, the VPN client must be able to reach the certificate authority's CRL server or OCSP responder before the devices create the tunnel, that is, outside the tunnel. Typically, the PKI that public certificate authority vendors provide is reachable over the public internet.
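The two checks described above (chain validation against the trusted CA, then a CRL revocation check) in working form, as an added example that is not Vyatta code. It builds a constructed in-memory CA and server certificate so it runs offline; the server name `vpn.example.net`, the serial numbers and the CRL lifetime are assumptions, and the CRL is generated locally in place of one fetched from the CA's distribution point. A CRL that is past its `NextUpdate` is treated as a failure rather than as "nothing revoked", which is the behaviour a client needs if the revocation endpoint is unreachable or serving stale data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// testPKI is a constructed, in-memory stand-in for the real PKI: the CA the
// client trusts and the end-entity certificate the VPN server presents.
type testPKI struct {
	CA     *x509.Certificate
	CAKey  *ecdsa.PrivateKey
	Server *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// buildPKI issues a CA certificate (with CRLSign so it can sign the CRL below)
// and a server certificate for a hypothetical name signed by that CA.
func buildPKI() *testPKI {
	now := time.Now()
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example VPN CA (constructed)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4242), Subject: pkix.Name{CommonName: "vpn.example.net"},
		DNSNames:    []string{"vpn.example.net"}, // hypothetical server name
		NotBefore:   now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	srv := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, srvTmpl, ca, &srvKey.PublicKey, caKey))))
	return &testPKI{CA: ca, CAKey: caKey, Server: srv}
}

// verifyServerCert is the first step: the presented end-entity certificate must
// chain to the locally configured CA and carry the name the client was told to use.
func verifyServerCert(srv, trustedCA *x509.Certificate, serverName string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := srv.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   serverName,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// issueCRL has the CA publish a CRL listing the given serials; it stands in for
// the CRL the client would download from the CA's distribution point.
func issueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked []*big.Int) ([]byte, error) {
	now := time.Now()
	var entries []pkix.RevokedCertificate
	for _, s := range revoked {
		entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	tmpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(12 * time.Hour),
		RevokedCertificates: entries,
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
}

// checkRevocation is the second step: the CRL must be signed by the trusted CA
// and still current; only then is the server's serial looked up in it.
func checkRevocation(srv, ca *x509.Certificate, crlDER []byte) error {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if err := crl.CheckSignatureFrom(ca); err != nil {
		return fmt.Errorf("CRL not signed by trusted CA: %w", err)
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is past NextUpdate; refusing to proceed without a fresh one")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(srv.SerialNumber) == 0 {
			return fmt.Errorf("server certificate serial %s is revoked", srv.SerialNumber)
		}
	}
	return nil
}

func main() {
	pki := buildPKI()
	fmt.Println("chain check:", verifyServerCert(pki.Server, pki.CA, "vpn.example.net"))
	crl := must(issueCRL(pki.CA, pki.CAKey, []*big.Int{pki.Server.SerialNumber}))
	fmt.Println("revocation check:", checkRevocation(pki.Server, pki.CA, crl))
}
```

The order matters: the chain check runs first so that an attacker-supplied CRL signed by an untrusted key is never consulted, and the CRL's own signature and freshness are verified before its contents are trusted. An OCSP check would slot in at the same point, with the same rule that an unreachable responder is a failure, not a pass.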

Once IKE authentication succeeds, the client requests a VIP address and installs it on the egress interface that it uses for the IKE exchange. The VIP address may be IPv4, IPv6, or both. The client may also receive a VPN-internal DNS server address to use for internal DNS lookups.

Depending on the configuration of the client, the Child SA negotiation results in:

  • traffic selectors that match the assigned VIP
  • a remote traffic selector covering the IPsec RA VPN server's remote sub-network (for which it acts as a security gateway)
  • the IPsec RA VPN client installing a local route for the negotiated remote sub-network
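The three outcomes above, modelled as an added example that is not Vyatta code: the server narrows the client's proposed traffic selectors (RFC 7296 section 2.9) so that the initiator selector is exactly the assigned VIP and the responder selector is the sub-network the server protects, and the client derives the local route it installs from that responder selector. It goes slightly beyond the text by handling both address families and the failure case in which the client proposes a selector for an address other than its VIP. The protected networks, VIPs and the interface name `ipsec0` are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// Proposal is the Child SA traffic-selector pair the client sends once it holds
// its VIP: TSi describes its own side, TSr what it wants to reach through the
// tunnel. A full-tunnel client proposes 0.0.0.0/0 (or ::/0) as TSr and relies on
// the server to narrow it.
type Proposal struct {
	TSi netip.Prefix // initiator (client) traffic selector
	TSr netip.Prefix // responder (server-side network) traffic selector
}

// Result is what the client ends up with after negotiation.
type Result struct {
	TSi, TSr netip.Prefix
	Route    string // the local route the client installs for the remote sub-network
}

// narrow returns the intersection of two prefixes. Two prefixes of the same
// family either nest or are disjoint, so the intersection is the more specific
// one when they overlap. Different address families never intersect.
func narrow(a, b netip.Prefix) (netip.Prefix, bool) {
	if !a.Overlaps(b) {
		return netip.Prefix{}, false
	}
	if a.Bits() >= b.Bits() {
		return a.Masked(), true
	}
	return b.Masked(), true
}

// negotiateChildSA models the server-side narrowing that yields the three
// outcomes in the text: a TSi equal to the assigned VIP, a TSr covering a
// sub-network the server protects, and the route the client installs for it.
func negotiateChildSA(vip netip.Addr, p Proposal, served []netip.Prefix) (Result, error) {
	vipTS := netip.PrefixFrom(vip, vip.BitLen())
	// A client may only send traffic from the VIP it was assigned; a selector
	// for any other address is refused with TS_UNACCEPTABLE.
	tsi, ok := narrow(p.TSi, vipTS)
	if !ok || tsi.Addr() != vip || tsi.Bits() != vip.BitLen() {
		return Result{}, errors.New("TS_UNACCEPTABLE: initiator selector does not match the assigned VIP")
	}
	for _, network := range served {
		if tsr, ok := narrow(p.TSr, network); ok {
			return Result{
				TSi:   tsi,
				TSr:   tsr,
				Route: fmt.Sprintf("%s dev ipsec0 src %s", tsr, vip), // hypothetical interface name
			}, nil
		}
	}
	return Result{}, errors.New("TS_UNACCEPTABLE: no protected network overlaps the remote selector")
}

func main() {
	// Constructed sub-networks behind the server, one per address family.
	served := []netip.Prefix{
		netip.MustParsePrefix("10.20.0.0/16"),
		netip.MustParsePrefix("2001:db8:20::/48"),
	}
	cases := []struct {
		vip string
		p   Proposal
	}{
		{"10.99.0.7", Proposal{netip.MustParsePrefix("0.0.0.0/0"), netip.MustParsePrefix("0.0.0.0/0")}},
		{"2001:db8:99::7", Proposal{netip.MustParsePrefix("::/0"), netip.MustParsePrefix("::/0")}},
		{"10.99.0.7", Proposal{netip.MustParsePrefix("10.99.0.8/32"), netip.MustParsePrefix("10.20.0.0/16")}},
	}
	for _, c := range cases {
		r, err := negotiateChildSA(netip.MustParseAddr(c.vip), c.p, served)
		fmt.Printf("vip=%s -> %+v err=%v\n", c.vip, r, err)
	}
}
```

A dual-stack client runs this once per family with the matching VIP; the first served network of the wrong family simply fails to overlap and is skipped.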