Use Case 1: Configuring Remote VPN - Motorola RFS7000 Reference Manual

RFS Series Wireless LAN Switches

Motorola RF Switch CLI Reference Guide

5.1.9.1 Use Case 1: Configuring Remote VPN

Let's review an example of a mobile unit connected to the switch. Assume it wants access to the corporate (trusted) network using IPSec VPN functionality.

In the figure above, a Motorola client is associated to a WLAN (say wlan1) attached to vlan2 on the switch. vlan2 is on subnet 10.1.1.x and is running a DHCP server that assigns IP addresses for this subnet. The corporate network is on vlan3 of the switch, which has the 192.168.0.x subnet.

The client associated to wlan1 has an IP address of 10.1.1101x and wants to access the 192.168.0.x network securely.

If the client is VPN enabled, it initiates a connection with the VPN server on the switch. The "conversation" that occurs between the peers consists of device authentication via Internet Key Exchange (IKE), followed by user authentication using IKE Extended Authentication (Xauth), a push of client-related configuration (using Mode Configuration), and IPsec security association (SA) creation.

Depending on the switch IPSec configuration (as discussed in the previous sections), the client establishes an IKE SA. If the switch is configured for Xauth, the client waits for a "username/password" challenge and then responds to the challenge from the switch.

If the switch indicates that authentication is successful, the client requests further configuration parameters from the switch. At this stage, the private IP address (mode-config) is pushed to the client from a private address pool configured for remote VPN clients. IPsec SAs are created and the connection is complete.
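
The sequence described above, sketched as a gateway-side state machine that refuses any step taken out of order. This is an added example, not Motorola switch code: the class and method names, the 172.16.50.0/30 pool, the sample credentials, and the teardown on a failed Xauth reply are assumptions of the model.

```python
import hmac
import ipaddress


class VpnGateway:
    """Simplified model of the switch-side remote-VPN sequence (hypothetical)."""

    def __init__(self, pool_cidr, users, xauth_required=True):
        self.free = list(ipaddress.ip_network(pool_cidr).hosts())
        self.users = users              # constructed username -> password map
        self.xauth_required = xauth_required
        self.sessions = {}              # peer address -> session state

    def ike_sa(self, peer):
        # Device authentication via IKE is done; Xauth is the next gate if enabled.
        state = "XAUTH_PENDING" if self.xauth_required else "AUTHENTICATED"
        self.sessions[peer] = {"state": state, "addr": None}
        return state

    def xauth_reply(self, peer, user, password):
        s = self._expect(peer, "XAUTH_PENDING")
        expected = self.users.get(user)
        if expected is None or not hmac.compare_digest(expected, password):
            del self.sessions[peer]     # model choice: failed challenge drops the session
            return False
        s["state"] = "AUTHENTICATED"
        return True

    def mode_config(self, peer):
        # The private address is pushed only after user authentication succeeded.
        s = self._expect(peer, "AUTHENTICATED")
        if not self.free:
            raise RuntimeError("remote-VPN address pool exhausted")
        s["addr"] = self.free.pop(0)
        s["state"] = "ADDRESSED"
        return s["addr"]

    def ipsec_sa(self, peer):
        s = self._expect(peer, "ADDRESSED")
        s["state"] = "CONNECTED"
        return s["state"]

    def _expect(self, peer, state):
        s = self.sessions.get(peer)
        if s is None or s["state"] != state:
            raise PermissionError(f"{peer}: session is not in state {state}")
        return s
```

With `xauth_required=False` the model goes straight from the IKE SA to Mode Configuration, so a peer that passes device authentication receives a pool address without any user challenge.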

This manual is also suitable for:

RFS6000, WS5100