Overview of the IPsec RA VPN use case
The original intent for IPsec remote access VPN was for endpoint-to-security-gateway deployments — also known as 'road warrior VPNs'. The typical scenario is multiple or many clients/spokes and one or several servers/hubs.
From the perspective of IKEv2/IPsec protocol usage, IPsec RA VPN deployments are very similar to IPsec site-to-site VPN deployments, but with two essential differences:
- The IPsec RA VPN client initiates the connection/IKE exchange (the server can still initiate a re-key event)
- The IPsec RA VPN client — referred to as the 'IRAC' in RFC 7296 — must request an internal address that it will use on the remote network
  - We refer to this 'internal address' as the 'virtual IP (VIP)' address
  - This request is carried in the IKEv2 Configuration payload (RFC 7296), through which the RA VPN server can also provide the internal DNS server address to the client
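As an added example (not code from the original page or any specific VPN implementation), here is a minimal Python encoder/decoder for the IKEv2 Configuration payload exchange described above: the IRAC sends a CFG_REQUEST with empty INTERNAL_IP4_ADDRESS and INTERNAL_IP4_DNS attributes, the server answers with a CFG_REPLY, and both sides reject malformed lengths. Field layouts and attribute numbers follow RFC 7296 section 3.15; the VIP 10.0.0.5 and DNS server 10.0.0.1 are constructed sample values.

```python
import struct
from ipaddress import IPv4Address
# Values from RFC 7296 section 3.15 (Configuration payload)
CFG_REQUEST, CFG_REPLY = 1, 2
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_DNS = 1, 3
NAMES = {INTERNAL_IP4_ADDRESS: "vip", INTERNAL_IP4_DNS: "dns"}

def build_cp(cfg_type, attrs):
    """Encode: generic payload header, CFG Type + 3 reserved bytes, then attributes."""
    body = b"".join(struct.pack("!HH", t & 0x7FFF, len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", 0, 0, 8 + len(body)) + struct.pack("!B3x", cfg_type) + body

def parse_cp(data):
    """Decode a Configuration payload, rejecting truncated or oversized fields."""
    if len(data) < 8 or struct.unpack("!H", data[2:4])[0] != len(data):
        raise ValueError("Payload Length field does not match buffer")
    cfg_type, attrs, off = data[4], [], 8
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError("truncated attribute header")
        t, alen = struct.unpack("!HH", data[off:off + 4])
        off += 4
        if off + alen > len(data):
            raise ValueError("attribute length exceeds payload")
        attrs.append((t & 0x7FFF, data[off:off + alen]))  # top bit is reserved
        off += alen
    return cfg_type, attrs

def client_request():
    """IRAC side: zero-length attributes mean 'assign me any VIP, tell me the DNS'."""
    return build_cp(CFG_REQUEST, [(INTERNAL_IP4_ADDRESS, b""), (INTERNAL_IP4_DNS, b"")])

def server_reply(request, vip, dns):
    """Server side: answer only the attributes the client asked for (sample values)."""
    cfg_type, attrs = parse_cp(request)
    if cfg_type != CFG_REQUEST:
        raise ValueError("expected CFG_REQUEST")
    wanted = {t for t, _ in attrs}
    offered = ((INTERNAL_IP4_ADDRESS, vip), (INTERNAL_IP4_DNS, dns))
    return build_cp(CFG_REPLY, [(t, IPv4Address(a).packed) for t, a in offered if t in wanted])

def client_apply(reply):
    """IRAC side: read VIP and DNS from a CFG_REPLY, insisting on 4-byte IPv4 values."""
    cfg_type, attrs = parse_cp(reply)
    if cfg_type != CFG_REPLY:
        raise ValueError("expected CFG_REPLY")
    for t, v in attrs:
        if t in NAMES and len(v) != 4:
            raise ValueError("IPv4 attribute must be exactly 4 bytes")
    return {NAMES[t]: str(IPv4Address(v)) for t, v in attrs if t in NAMES}
```

In a real IKEv2 stack this payload travels encrypted inside the IKE_AUTH exchange; the example only covers the payload encoding and the length checks a receiver should apply.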