Vyatta documentation

Overview of the IPsec RA VPN use case

The original intent for IPsec remote access VPN was for endpoint-to-security-gateway deployments — also known as 'road warrior VPNs'. The typical scenario is multiple or many clients/spokes and one or several servers/hubs.

From the perspective of IKEv2/IPsec protocol usage, IPsec RA VPN deployments are very similar to IPsec site-to-site VPN deployments, but with two essential differences:

  • The IPsec RA VPN client initiates the connection/IKE exchange (the server can still initiate a re-key event)
  • The IPsec RA VPN client — referred to as the 'IRAC' in RFC 7296 — must request an internal address that it will use on the remote network
    • We refer to this 'internal address' as the 'virtual IP (VIP)' address
    • This is done via the IKEv2 Configuration payload (RFC 7296), which also enables the RA VPN server to provide the internal DNS server address to the client

Figure 1. Remote access network topology example. Remote access between three clients and a remote access server at the site Office 1.
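The Configuration payload exchange described above, as an added example that is not part of the Vyatta documentation or the Vyatta NOS code: the IRAC sends a CFG_REQUEST with empty INTERNAL_IP4_ADDRESS and INTERNAL_IP4_DNS attributes, and the server answers with a CFG_REPLY carrying the VIP and DNS address, using the wire format from RFC 7296 section 3.15. The VIP, netmask and DNS values are constructed, the parser rejects length fields that do not match the data, and the server ignores any address the client suggests.

```python
import struct
from ipaddress import IPv4Address

# Constants from RFC 7296, section 3.15 (Configuration payload)
CFG_REQUEST, CFG_REPLY = 1, 2
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS = 1, 2, 3
SUPPORTED = {INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK, INTERNAL_IP4_DNS}


def build_cp(cfg_type, attrs, next_payload=0):
    """Encode a Configuration payload: 4-byte generic header, CFG type + 3 reserved bytes, attributes."""
    body = b"".join(struct.pack("!HH", t & 0x7FFF, len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", next_payload, 0, 8 + len(body)) + struct.pack("!B3x", cfg_type) + body


def parse_cp(data):
    """Decode a Configuration payload, refusing any encoding whose length fields do not match the data."""
    if len(data) < 8:
        raise ValueError("payload shorter than its fixed header")
    _, _, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("payload length field does not match data length")
    attrs, off = [], 8
    while off < length:
        if off + 4 > length:
            raise ValueError("truncated attribute header")
        atype, alen = struct.unpack("!HH", data[off:off + 4])
        if atype & 0x8000 or off + 4 + alen > length:
            raise ValueError("bad attribute: reserved bit set or value overruns payload")
        attrs.append((atype, data[off + 4:off + 4 + alen]))
        off += 4 + alen
    return data[4], attrs


def client_request():
    """IRAC side: ask for a virtual IP and a DNS server by sending zero-length attributes."""
    return build_cp(CFG_REQUEST, [(INTERNAL_IP4_ADDRESS, b""), (INTERNAL_IP4_DNS, b"")])


def server_reply(request, vip, netmask, dns):
    """Server side: answer only the supported attribute types the client asked for.

    Any address the client suggests is ignored; the server assigns from its own
    pool (here a single constructed VIP passed in by the caller)."""
    cfg_type, attrs = parse_cp(request)
    if cfg_type != CFG_REQUEST:
        raise ValueError("expected CFG_REQUEST")
    answers = {INTERNAL_IP4_ADDRESS: IPv4Address(vip).packed,
               INTERNAL_IP4_NETMASK: IPv4Address(netmask).packed,
               INTERNAL_IP4_DNS: IPv4Address(dns).packed}
    return build_cp(CFG_REPLY, [(t, answers[t]) for t, _ in attrs if t in SUPPORTED])
```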