Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

IPsec RA VPN server (Vyatta NOS)

An overview of how the IPsec RA VPN server works within Vyatta NOS.

The request and assignment of virtual IPs is the major difference between IPsec site-to-site VPN and IPsec RA VPN setups from IKE perspective. Everything else, including ESP, is identical.

  • Each IPsec RA VPN server instance has a dedicated virtual IP address pool, which must not overlap with other server address pools.
  • During the initial VPN tunnel negotiation, the RA VPN server assigns a virtual IP address to the client. After the client disconnects, the server releases this address.
  • As part of the initial VPN tunnel negotiation the IPsec RA VPN server can also provide DNS server addresses which the client should use inside the VPN.

Each time a client connects the server will first perform a basic integrity check of the provided client certificate. This asks:

  • Is the certificate expired?
  • Is the certificate issued by a trusted CA?

Finally, the server will perform a certificate revocation check via OCSP or CRL. This is to check the certificate against the central CA database of revoked certificates.

With X.509 authentication, certificate revocation is the only way to revoke VPN access for an individual client. The server can force the client to perform an IKE re-authentication within a certain time window, to enforce expiration or revocation of VPN client access.

Figure 1. Certificate revocation check.

In this particular topology the Virtual IP 10.100.0.3 is assigned to Client 3 as part of the IKE SA negotiation. This will influence the child SA negotiation by the server, which proposes this traffic selector:

(local) 172.16.1.0/24  === (remote) 10.100.0.3/32

The result of which is a destination route installation for 10.100.0.3/32 on the RA VPN server via the dataplane interface used for the IKE negotiation. Also, a pair of IPsec SAs and an individual pair of IPsec policies is installed. The result after the complete VPN negotiation is that Home User may connect to Web Services on the Corporate Network.