Securing the Network in Oracle® Solaris 11.2


Updated: August 2014

Configuring IKEv1 for Mobile Systems

IPsec and IKE require a unique ID to identify source and destination. For off-site or mobile systems that do not have a unique IP address, you must use another ID type. ID types such as DNS, DN, or email can be used to uniquely identify a system.

Off-site or mobile systems that have unique IP addresses are still best configured with a different ID type. For example, if the systems connect to a central site from behind a NAT box, their unique addresses are not what the central site sees. The NAT box substitutes an arbitrary IP address of its own, which the central system would not recognize.

Preshared keys also do not work well as an authentication mechanism for mobile systems, because preshared keys require fixed IP addresses. Self-signed certificates or certificates from a CA enable mobile systems to communicate with the central site.
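The following /etc/inet/ike/config fragments for the central gateway are an added illustration, not from the Oracle documentation. They contrast a preshared-key rule, which is tied to the peer's fixed address, with a certificate rule keyed on the peer's DN, which accepts the peer from any address. All DNs, addresses and labels are constructed placeholders, and one rule per mobile peer is assumed.

```text
# Constructed example: central gateway's /etc/inet/ike/config (not from the page).

# A preshared-key rule works only for a peer with a fixed address: the key is
# selected by the peers' IP addresses, so a mobile or NAT'd peer never matches.
{
    label "fixed-site to central (preshared key)"
    local_id_type ip
    local_addr 192.0.2.1
    remote_addr 203.0.113.5
    p1_xform { auth_method preshared oakley_group 14 auth_alg sha256 encr_alg aes }
}

# Trust the CA that issued the mobile systems' certificates (constructed DN).
# With self-signed certificates, use cert_trust with each mobile system's DN
# instead of cert_root.
cert_root "C=US, O=ExampleCorp, CN=ExampleCorp Root CA"

# Certificate rule for a mobile peer: the peer is identified by the DN in its
# certificate, and remote_addr 0.0.0.0/0 accepts it from any source address,
# including an address assigned by a NAT box.
{
    label "mobile laptop to central (CA certificate)"
    local_id_type dn
    local_id "C=US, O=ExampleCorp, CN=central.example.com"
    remote_id_type dn
    remote_id "C=US, O=ExampleCorp, OU=Mobile, CN=laptop01.example.com"
    local_addr 192.0.2.1
    remote_addr 0.0.0.0/0
    p1_xform { auth_method rsa_sig oakley_group 14 auth_alg sha256 encr_alg aes }
}
```

Because the wide remote_addr match admits any source, the security of the rule rests entirely on the certificate check: keep cert_root limited to the CA that issues mobile certificates and pin remote_id to the expected DN.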

The following task map lists procedures to configure IKEv1 to handle systems that log in remotely to a central site.

Table 10-2  Configuring IKEv1 for Mobile Systems Task Map

Task: Communicate with a central site from off-site.
Description: Enables off-site systems to communicate with a central site. The off-site systems might be mobile.

Task: Use a CA's public certificate and IKEv1 on a central system that accepts traffic from mobile systems.
Description: Configures a gateway system to accept IPsec traffic from a system that does not have a fixed IP address.

Task: Use a CA's public certificate and IKEv1 on a system that does not have a fixed IP address.
Description: Configures a mobile system to protect its traffic to a central site, such as company headquarters.

Task: Use self-signed certificates and IKEv1 on a central system that accepts traffic from mobile systems.
Description: Configures a gateway system with self-signed certificates to accept IPsec traffic from a mobile system.

Task: Use self-signed certificates and IKEv1 on a system that does not have a fixed IP address.
Description: Configures a mobile system with self-signed certificates to protect its traffic to a central site.