Vyatta NOS documentation

Learn how to install, configure, and operate Vyatta Network Operating System (Vyatta NOS), which helps to drive our virtual networking and physical platforms portfolio.

Overview of the IPsec RA VPN use case

The original intent for IPsec remote access VPN was for endpoint-to-security-gateway deployments — also known as 'road warrior VPNs'. The typical scenario is multiple or many clients/spokes and one or several servers/hubs.

From the perspective of IKEv2/IPsec protocol usage, IPsec RA VPN deployments are very similar to IPsec site-to-site VPN deployments, but with two essential differences:

  • The IPsec RA VPN client initiates the connection/IKE exchange (the server can still initiate a re-key event)
  • The IPsec RA VPN client — referred to as 'IRAC' in specification RFC7296must request an internal address that it will use on the remote network
    • We refer to this 'internal address' as the 'virtual IP (VIP)' address
    • This is done via the IKEv2 Configuration payload (RFC7296), which enables the RA VPN server to provide the internal DNS server address to the client
Figure 1. Remote access network topology example. Remote access between three clients and a remote access server at the site Office 1.