Vyatta documentation

IPsec RA VPN server (Vyatta NOS)

An overview of how the IPsec RA VPN server works within Vyatta NOS.

From the IKE perspective, the request and assignment of virtual IP addresses is the major difference between IPsec site-to-site VPN and IPsec RA VPN setups. Everything else, including ESP, is identical.

  • Each IPsec RA VPN server instance has a dedicated virtual IP address pool, which must not overlap with other server address pools.
  • During the initial VPN tunnel negotiation, the RA VPN server assigns a virtual IP address to the client. After the client disconnects, the server releases this address.
  • As part of the initial VPN tunnel negotiation, the IPsec RA VPN server can also provide the DNS server addresses that the client should use inside the VPN.

Each time a client connects, the server first performs a basic integrity check of the client certificate it presents. This check asks:

  • Has the certificate expired?
  • Is the certificate issued by a trusted CA?

Finally, the server performs a certificate revocation check via OCSP or CRL, which compares the certificate against the CA's central database of revoked certificates.

With X.509 authentication, certificate revocation is the only way to revoke VPN access for an individual client. Because these checks run at authentication time, the server can force the client to perform an IKE re-authentication within a certain time window, so that expiration or revocation of VPN client access takes effect.

Figure 1. Certificate revocation check.

In this particular topology, the virtual IP 10.100.0.3 is assigned to Client 3 as part of the IKE SA negotiation. This influences the child SA negotiation by the server, which proposes this traffic selector:

(local) 172.16.1.0/24  === (remote) 10.100.0.3/32

As a result, the RA VPN server installs a route to 10.100.0.3/32 via the dataplane interface used for the IKE negotiation, together with a pair of IPsec SAs and an individual pair of IPsec policies. Once the VPN negotiation completes, Home User can connect to Web Services on the Corporate Network.
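The behaviour described above (a dedicated, non-overlapping virtual IP pool, the certificate integrity and revocation checks at IKE authentication, and the child SA traffic selector and host route derived from the assigned address), as an added Python model that is not Vyatta code: certificates are simplified to plain records, the CRL/OCSP result is a constructed set of revoked serials, and the pool, subnet and client names are assumptions taken from the figure.

```python
# Added example (not Vyatta code): a model of the RA VPN server behaviour this
# page describes. Certificates are plain records; the CRL is a constructed set.
from dataclasses import dataclass, field
from datetime import date
from ipaddress import IPv4Network

@dataclass
class ClientCert:
    subject: str
    issuer: str
    not_after: date   # expiry date
    serial: int

@dataclass
class RaVpnServer:
    pool: IPv4Network            # this instance's dedicated virtual IP pool
    local_subnet: IPv4Network    # protected corporate subnet
    trusted_cas: set
    revoked: set                 # serials from the CA's CRL / OCSP responder
    other_pools: list = field(default_factory=list)
    leases: dict = field(default_factory=dict)   # client subject -> virtual IP

    def __post_init__(self):
        # A server's pool must not overlap with other server instances' pools.
        for other in self.other_pools:
            if self.pool.overlaps(other):
                raise ValueError(f"pool {self.pool} overlaps {other}")

    def authenticate(self, cert, today):
        # Basic integrity check first (expiry, trusted CA), then revocation.
        if cert.not_after < today:
            return "expired"
        if cert.issuer not in self.trusted_cas:
            return "untrusted-ca"
        if cert.serial in self.revoked:
            return "revoked"
        return "ok"

    def connect(self, cert, today):
        # IKE SA: authenticate, assign a virtual IP; child SA: it becomes the remote /32 selector and a host route.
        if (status := self.authenticate(cert, today)) != "ok":
            return {"status": status}
        in_use = set(self.leases.values())
        vip = next(h for h in self.pool.hosts() if h not in in_use)  # raises if pool exhausted
        self.leases[cert.subject] = vip
        return {"status": "ok", "virtual_ip": str(vip), "route": f"{vip}/32",
                "traffic_selector": f"(local) {self.local_subnet} === (remote) {vip}/32"}

    def disconnect(self, subject):
        self.leases.pop(subject, None)  # address released back to the pool
```

A revoked, expired or untrusted certificate never reaches address assignment, and an address released on disconnect is handed to the next client.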