In remote access scenarios, it is highly desirable to be able to push configuration information such as the private IP address, a DNS server's IP address, and so forth, to the client. The IPSec Mode-configuration (MODECFG) allows this functionality. Configuration for MODECFG using Cisco IOS is shown in Example 4-2.
Example 4-2. Cisco IOS MODECFG Configuration on the IPSec Gateway
vpn-gw1-east# ! hostname vpn-gw1-east ! username ezvpn password 0 east username ezvpn1@vpngroup password 0 ezvpn1east username ezvpn2@vpngroup password 0 ezvpn2east aaa new-model ! aaa authentication login vpn local aaa authorization network vpn local aaa session-id common ip subnet-zero ! crypto isakmp policy 1 encr 3des authentication pre-share group 2 crypto isakmp keepalive 10 10 ! crypto isakmp client configuration group vpngroup key ciscoezvpn dns 10.1.1.10 wins 10.1.1.11 pool vpnpool include-local-lan backup-gateway 18.104.22.168 ! crypto ipsec transform-set vpn esp-3des esp-sha-hmac ! crypto dynamic-map dynamic 1 set transform-set vpn reverse-route remote-peer 22.214.171.124 ! ! crypto map vpn client authentication list vpn crypto map vpn isakmp authorization list vpn crypto map vpn client configuration address respond crypto map vpn 3 ipsec-isakmp dynamic dynamic
Some of the key attributes that can be pushed to a remote user using MODECFG follow:
- INTERNAL_IP4_ADDRESS, INTERNAL_IP6_ADDRESS— Specifies an address within the internal network. The requested address is valid until the expiration of the ISAKMP SA that was used to secure the request. The address may also expire when the IPSec phase 2 SA expires, if the request is associated with a phase 2 negotiation.
- INTERNAL_IP4_NETMASK, INTERNAL_IP6_NETMASK— The internal network's netmask.
- INTERNAL_IP4_DNS, INTERNAL_IP6_DNS— Specifies an address of a DNS server or multiple DNS servers within the network. The responder may respond with zero, one, or more DNS server attributes.
- INTERNAL_IP4_NBNS, INTERNAL_IP6_NBNS— Specifies an address of a NetBios Name Server (NBNS) within the network. Multiple NBNSs may be requested. The responder may respond with zero, one, or more NBNS attributes.
Like XAUTH, MODECFG is not a standard of the IPSec working group in the IETF. Although Cisco defined this protocol and most client implementations work with the Cisco implementation, given that this not a standard, there are no guarantees for interoperability.