Assigning Dynamic Addresses using IKE Mode Config
Overview

IKE Mode Config lets the firewall push an IP address to a VPN client as part of the IKE negotiation. The client uses that address as the "inner" source address of the traffic it encapsulates in IPSec, so it is the address that the firewall's IPSec policy (the crypto access list) is matched against.

If you use IKE Mode Config on the firewall, the peers that terminate IPSec with it (VPN clients, or routers acting as clients) must also support IKE Mode Config.

Remote access VPN clients have dynamic (or virtual) IP addresses, so a corporate gateway cannot write IPSec policy against client addresses it does not know in advance; without Mode Config it would have to administer per-client policy after each client authenticates. With IKE Mode Config the gateway assigns the addresses itself from a pool it controls, and one policy that matches the pool covers a very large set of clients irrespective of the addresses those clients connect from.

There are two types of IKE Mode Config for a VPN:

  • Gateway initiation—The gateway starts the configuration exchange by sending the client the address it has allocated (a Mode Config SET message). The client acknowledges the attributes it accepted (ACK) and from then on uses the assigned address as its identity when the IPSec security association is negotiated.

  • Client initiation—The client asks the gateway for an address (a Mode Config REQUEST message). The gateway answers with the address it has allocated for the client from its pool (REPLY).
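The two exchanges above, modelled as an added example (this is not code from the page or from Cisco): it builds the ISAKMP attribute payload that carries Mode Config, with the message and attribute type values from draft-dukes-ike-mode-cfg, and runs a gateway-initiated SET/ACK and a client-initiated REQUEST/REPLY against a two-address pool, including a third client that arrives after the pool is exhausted. The pool range, peer names, identifiers and class names are assumptions; a real IKE implementation carries this payload inside an encrypted ISAKMP transaction exchange, which is not modelled here.

```python
"""Toy model of the two IKE Mode Config exchanges: ISAKMP attribute payload plus
a pool-backed gateway. Added example, not Cisco code and not a working IKE stack."""
import ipaddress
import struct

# Message types and attribute types as numbered in draft-dukes-ike-mode-cfg
CFG_REQUEST, CFG_REPLY, CFG_SET, CFG_ACK = 1, 2, 3, 4
INTERNAL_IP4_ADDRESS, INTERNAL_IP4_NETMASK = 1, 2
HDR = struct.Struct("!BBHBBH")  # next payload, reserved, length, type, reserved, identifier


def encode_payload(msg_type, identifier, attrs):
    """Serialize an attribute payload. Attributes use the TLV form (AF bit clear); a
    zero-length value means 'please fill in' in a REQUEST and 'accepted' in an ACK."""
    body = b"".join(struct.pack("!HH", atype & 0x7FFF, len(val)) + val for atype, val in attrs)
    return HDR.pack(0, 0, HDR.size + len(body), msg_type, 0, identifier) + body


def decode_payload(payload):
    """Parse a payload into (msg_type, identifier, [(attr_type, value), ...])."""
    _np, _r1, length, msg_type, _r2, identifier = HDR.unpack_from(payload)
    if length != len(payload):
        raise ValueError("attribute payload length mismatch")
    attrs, off = [], HDR.size
    while off < length:
        raw, = struct.unpack_from("!H", payload, off)
        if raw & 0x8000:                      # basic (TV) form: 2-byte value, no length field
            attrs.append((raw & 0x7FFF, payload[off + 2:off + 4]))
            off += 4
        else:                                 # variable (TLV) form
            alen, = struct.unpack_from("!H", payload, off + 2)
            attrs.append((raw, payload[off + 4:off + 4 + alen]))
            off += 4 + alen
    return msg_type, identifier, attrs


class Gateway:
    """Hands out inner addresses from an 'ip local pool'-style range, one lease per peer."""

    def __init__(self, first, last, netmask="255.255.255.0"):
        lo, hi = int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last))
        self.free = [ipaddress.IPv4Address(i) for i in range(lo, hi + 1)]
        self.leases = {}
        self.netmask = ipaddress.IPv4Address(netmask)

    def allocate(self, peer):
        if peer not in self.leases:
            if not self.free:
                return None                   # pool exhausted: nothing to offer this peer
            self.leases[peer] = self.free.pop(0)
        return self.leases[peer]

    def initiate(self, peer, identifier):
        """Gateway initiation: push a SET carrying the allocated address; the client ACKs."""
        addr = self.allocate(peer)
        if addr is None:
            raise RuntimeError(f"pool exhausted, cannot initiate Mode Config with {peer}")
        return encode_payload(CFG_SET, identifier, [(INTERNAL_IP4_ADDRESS, addr.packed),
                                                    (INTERNAL_IP4_NETMASK, self.netmask.packed)])

    def respond(self, peer, request):
        """Client initiation: answer a REQUEST with a REPLY holding only what was asked for."""
        msg_type, identifier, attrs = decode_payload(request)
        if msg_type != CFG_REQUEST:
            raise ValueError("expected ISAKMP_CFG_REQUEST")
        reply = []
        for atype, _ in attrs:
            if atype == INTERNAL_IP4_ADDRESS:
                addr = self.allocate(peer)
                if addr is not None:          # on exhaustion the REPLY simply omits the address
                    reply.append((atype, addr.packed))
            elif atype == INTERNAL_IP4_NETMASK:
                reply.append((atype, self.netmask.packed))
        return encode_payload(CFG_REPLY, identifier, reply)


class Client:
    def __init__(self):
        self.address = None

    def request(self, identifier):
        """Client initiation: ask for an address and netmask (empty values = fill in)."""
        return encode_payload(CFG_REQUEST, identifier,
                              [(INTERNAL_IP4_ADDRESS, b""), (INTERNAL_IP4_NETMASK, b"")])

    def receive(self, payload):
        """Apply a SET or REPLY; a SET is answered with an ACK echoing the accepted types."""
        msg_type, identifier, attrs = decode_payload(payload)
        for atype, val in attrs:
            if atype == INTERNAL_IP4_ADDRESS and len(val) == 4:
                self.address = str(ipaddress.IPv4Address(val))
        if msg_type == CFG_SET:
            return encode_payload(CFG_ACK, identifier, [(atype, b"") for atype, _ in attrs])
        return None


def run_exchanges(first="172.16.1.1", last="172.16.1.2"):
    """Drive both exchange types against a two-address pool (assumed range) and return the
    address each client ended up with; the third client finds the pool empty."""
    gw = Gateway(first, last)
    a, b, c = Client(), Client(), Client()
    ack = a.receive(gw.initiate("client-a", identifier=1))       # gateway initiation: SET -> ACK
    if decode_payload(ack)[0] != CFG_ACK:
        raise RuntimeError("client did not acknowledge the SET")
    b.receive(gw.respond("client-b", b.request(identifier=2)))   # client initiation: REQUEST -> REPLY
    c.receive(gw.respond("client-c", c.request(identifier=3)))   # pool empty: REPLY carries no address
    return a.address, b.address, c.address


if __name__ == "__main__":
    print(run_exchanges())
```

The exhausted-pool case is the one to watch operationally: with gateway initiation the gateway has nothing to SET and the negotiation cannot proceed, while with client initiation the REPLY is well formed but carries no address, so a client that does not check for the missing attribute will go on with no inner address and match no policy.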

The major steps to perform when configuring IKE Mode Config on a firewall are:

  1. Define the pool of IP addresses.

    ip local pool ...

  2. Reference the pool of IP addresses in the IKE configuration.

    isakmp client configuration address-pool local

  3. Define which crypto maps should attempt to configure clients, and whether the firewall or the client initiates the IKE Mode Config exchange. Use the crypto map client configuration address command (initiate for gateway initiation, respond for client initiation; both can be set on the same map).


Making an Exception to IKE Mode Config for Security Gateways

If you have both a security gateway and VPN client peers terminating on the same interface, and have the IKE Mode Config feature configured, configure the firewall to make an exception to this feature for the security gateway peer. With this exception, the firewall will not attempt to download an IP address to that peer for dynamic IP address assignment. The command you use to bypass IKE Mode Config depends on the authentication method configured in the IKE policy for that peer.

No-config-mode

IKE authentication method   Related command to use
pre-shared key              isakmp key keystring address ip-address [netmask] [no-xauth] [no-config-mode]
RSA signatures              isakmp peer fqdn fqdn [no-xauth] [no-config-mode]


Configuring IKE Mode Config

To configure IKE Mode Config on the firewall, perform the following steps:

  1. Define the pool of IP addresses:
    ip local pool pool-name start-address[-end-address]

    For example:

    ip local pool csvc 172.16.1.1-172.16.1.254

  2. Reference the defined pool of IP addresses in the IKE configuration:
    isakmp client configuration address-pool local pool-name [interface-name]

    For example:

    isakmp client configuration address-pool local csvc outside

  3. Define which crypto maps should attempt to configure clients:
    crypto map map-name client configuration address initiate | respond

    For example:

    crypto map mymap client configuration address initiate

  4. (Optional) Perform this step for each security gateway that shares the same interface as the VPN client(s) and is configured to use a pre-shared key. This step allows the firewall to make an exception to the IKE Mode Config feature for the given security gateway.
    isakmp key keystring address ip-address [netmask] [no-xauth] [no-config-mode]

    For example:

    isakmp key secretkey1234 address 10.2.2.2 255.255.255.255 no-config-mode

  5. (Optional) Perform this step for each security gateway that shares the same interface as the VPN client(s) and is configured to use RSA signatures. This step allows the firewall to make an exception to the IKE Mode Config feature for the given security gateway.
    isakmp peer fqdn fqdn [no-xauth] [no-config-mode]

    For example:

    isakmp peer fqdn hostname1.example.com no-config-mode

Example 6-1 shows a firewall configured both to assign IP addresses to clients (initiate) and to answer address requests from clients (respond) whose packets arrive on the outside interface. A dynamic crypto map is used, so no peer has to be specified explicitly.

Example 6-1: IKE Mode Config

  : define the IP address pool
  ip local pool csvc 172.16.1.1-172.16.1.254
  : reference the defined pool of IP addresses in IKE (the name must match the pool above)
  isakmp client configuration address-pool local csvc outside
  :
  : crypto ACL: local host to the inner addresses handed out from the pool; the
  : destination must cover the pool, or the clients' traffic will never match policy
  access-list 103 permit ip host 172.21.230.34 172.16.1.0 255.255.255.0
  :
  : transform set as shown in the original example; DES and MD5 are weak, prefer
  : esp-3des or esp-aes with esp-sha-hmac where the platform supports them
  crypto ipsec transform-set pc esp-des esp-md5-hmac
  :
  crypto dynamic-map dyn 10 set transform-set pc
  crypto dynamic-map dyn 10 match address 103
  : enable address assignment in crypto map (gateway and client initiation)
  crypto map dyn client configuration address initiate
  crypto map dyn client configuration address respond
  :
  crypto map dyn 10 ipsec-isakmp dynamic dyn
  crypto map dyn interface outside
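A check that ties Example 6-1 and the no-config-mode exception together, as an added example rather than anything from the page or from Cisco: a small lint that reads a PIX-style configuration and reports the mistakes practitioners actually make with Mode Config, namely a pool that is referenced but never defined, a crypto map that enables address assignment but is not applied to an interface or backed by an ipsec-isakmp entry, a crypto ACL whose destination does not reach the pool (so the inner addresses never match policy), and a static security-gateway peer that was not given no-config-mode. The command grammar it understands is limited to the forms shown on this page, and both configuration texts are constructed for the example.

```python
"""Static checks for the IKE Mode Config wiring in a PIX-style configuration.

Added example for this page; it is not Cisco code. The configurations below are
constructed to mirror Example 6-1 and the no-config-mode table, and the lint only
understands the command forms this page shows.
"""
import ipaddress


def _net(tokens, i):
    """Parse 'host A' or 'A MASK' starting at tokens[i]; return (IPv4Network, next index)."""
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}", strict=False), i + 2


def lint_mode_config(config):
    """Return a list of findings; an empty list means the Mode Config wiring is consistent."""
    pools, pool_refs, maps, dyn_acls, acls, peers = {}, [], {}, {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith(":"):          # ':' introduces a PIX comment line
            continue
        t = line.split()
        if t[:3] == ["ip", "local", "pool"]:
            first, _, last = t[4].partition("-")
            pools[t[3]] = (ipaddress.IPv4Address(first), ipaddress.IPv4Address(last or first))
        elif t[:5] == ["isakmp", "client", "configuration", "address-pool", "local"]:
            pool_refs.append(t[5])
        elif t[:2] == ["crypto", "map"]:
            m = maps.setdefault(t[2], {"cfg": set(), "dyn": set(), "static": 0, "iface": None})
            if t[3:6] == ["client", "configuration", "address"]:
                m["cfg"].add(t[6])                    # initiate and/or respond
            elif t[3:4] == ["interface"]:
                m["iface"] = t[4]
            elif t[4:5] == ["ipsec-isakmp"] and "dynamic" in t:
                m["dyn"].add(t[t.index("dynamic") + 1])
            elif t[4:5] == ["ipsec-isakmp"]:
                m["static"] += 1
        elif t[:2] == ["crypto", "dynamic-map"] and t[4:6] == ["match", "address"]:
            dyn_acls.setdefault(t[2], set()).add(t[6])
        elif t[:1] == ["access-list"] and t[2:4] == ["permit", "ip"]:
            _src, i = _net(t, 4)
            dst, _ = _net(t, i)
            acls.setdefault(t[1], []).append(dst)     # destination = remote (client) side
        elif t[:2] == ["isakmp", "key"] and t[3:4] == ["address"]:
            peers.append((t[4], "no-config-mode" in t))
        elif t[:3] == ["isakmp", "peer", "fqdn"]:
            peers.append((t[3], "no-config-mode" in t))

    findings = []
    for name in pool_refs:
        if name not in pools:
            findings.append(f"pool '{name}' is referenced by isakmp client configuration but never defined")
    for name, m in maps.items():
        if not m["cfg"]:
            continue
        if not m["dyn"] and not m["static"]:
            findings.append(f"crypto map '{name}' enables address assignment but has no ipsec-isakmp entry")
        if m["iface"] is None:
            findings.append(f"crypto map '{name}' enables address assignment but is not applied to an interface")
        # The inner address a client receives is what the crypto ACL is matched against,
        # so every address in the pool must fall inside an ACL destination of this map.
        dests = [d for dyn in m["dyn"] for acl in dyn_acls.get(dyn, ()) for d in acls.get(acl, [])]
        for pname in pool_refs:
            if pname in pools and dests and not any(
                    pools[pname][0] in d and pools[pname][1] in d for d in dests):
                findings.append(f"pool '{pname}' is not covered by the crypto ACLs of map '{name}'")
    for peer, exempt in peers:
        if peer != "0.0.0.0" and not exempt:          # 0.0.0.0 is the wildcard for dynamic clients
            findings.append(f"static peer {peer} will be offered Mode Config; "
                            "add no-config-mode if it is a security gateway")
    return findings


# Constructed configuration with two defects the lint should catch: the crypto ACL's
# destination does not reach the client pool, and a static (security gateway) peer
# is not exempted from Mode Config.
BAD_CONFIG = """\
ip local pool csvc 172.16.1.1-172.16.1.254
isakmp client configuration address-pool local csvc outside
access-list 103 permit ip host 172.21.230.34 172.21.1.0 255.255.255.0
crypto ipsec transform-set pc esp-des esp-md5-hmac
crypto dynamic-map dyn 10 set transform-set pc
crypto dynamic-map dyn 10 match address 103
crypto map dyn client configuration address initiate
crypto map dyn client configuration address respond
crypto map dyn 10 ipsec-isakmp dynamic dyn
crypto map dyn interface outside
isakmp key secretkey1234 address 10.2.2.2 255.255.255.255
"""

# Same configuration with the ACL destination pointed at the pool and the gateway exempted.
GOOD_CONFIG = BAD_CONFIG.replace(
    "172.21.1.0 255.255.255.0", "172.16.1.0 255.255.255.0"
).replace("address 10.2.2.2 255.255.255.255", "address 10.2.2.2 255.255.255.255 no-config-mode")

if __name__ == "__main__":
    for finding in lint_mode_config(BAD_CONFIG):
        print("BAD :", finding)
    print("GOOD:", lint_mode_config(GOOD_CONFIG) or "no findings")
```

The pool-coverage check deliberately keys off the ACL destination: from the firewall's side the client's assigned inner address is the remote proxy identity, so it is the destination half of the crypto ACL that must contain the pool, not the source.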