3Com Switch 8800 Family IPsec Module Configuration and Command reference Guide
210 CHAPTER 13: DVPN
■ Capable of establishing dynamic IP address-based VPN. You only need to
provide the IP address of the DVPN server to establish a Tunnel in a DVPN
domain, so DVPN is applicable to subscribers that use dynamic IP addresses,
such as dial-up and xDSL.
■ Capable of establishing Tunnels automatically. A DVPN server maintains
information about all DVPN access devices in the DVPN domain. The redirecting
function enables DVPN clients to acquire information about any other DVPN
client in the DVPN domain from the DVPN server in order to establish sessions. A
DVPN client only needs to be configured with information about itself and the
DVPN server, so the workload of network administration is remarkably eased.
■ Encrypted registration. When registering with a DVPN server, a client first
negotiates with the server for the algorithm suite and keys, and then encrypts
the key registration information (such as user name and password) using the
negotiated algorithm. Both sides can also validate the registration packets to
protect the key registration information.
■ Authentication. When registering with a DVPN server, a client can authenticate
the server using a pre-shared-key to make sure the DVPN server is valid. The
DVPN server, in turn, can identify the clients that want to access the DVPN
domain using AAA to ensure DVPN clients are authenticated.
■ Centralized policy management. Policies applied to sessions in a DVPN domain
are the same. A DVPN server issues the policy of the DVPN domain to each
registered client, including the algorithm suite used in session negotiations, the
keepalive time of sessions, the idle timeout time of sessions, the IPsec
encryption algorithm, the renegotiation time of IPsec SA, and so on.
■ Encryption during session negotiation. In the course of session negotiation, all
the control packets are IPsec-encrypted using the algorithm suite the DVPN
server issues. The client negotiates with the DVPN server for the IPsec SA of the
session using the encryption and authentication algorithm issued by the DVPN
server. DH (Diffie-Hellman) is used to negotiate the key of the IPsec SA. Data
to be protected over this session is encrypted using the IPsec SA negotiated
during session establishment and then transmitted through the DVPN domain.
The IPsec SA of a session can be renegotiated; you can specify an IPsec SA
renegotiation interval to improve security.
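The registration and session-negotiation flow described in the items above, modelled in Python as an added example. It is not 3Com's code and does not reproduce the real DVPN message formats: the Diffie-Hellman group, the HMAC-based stand-in for the negotiated cipher suite, the AAA user table and the policy values (keepalive, idle timeout, SA renegotiation interval) are all constructed for illustration. It shows the security steps in order: the client authenticates the server with the pre-shared key before sending anything sensitive, the registration packet is encrypted and validated under a DH-derived key, the server checks the credentials against AAA and only then issues the domain policy, and the session SA is renegotiated once the issued interval elapses.

```python
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group for this demonstration only (a 127-bit Mersenne
# prime); a real deployment negotiates a standard large-prime or EC group.
DH_P = (1 << 127) - 1
DH_G = 3

def dh_keypair():
    priv = secrets.randbelow(DH_P - 3) + 2
    return priv, pow(DH_G, priv, DH_P)

def dh_shared_key(priv, peer_pub):
    # Both sides derive the same 256-bit key from the DH shared secret.
    return hashlib.sha256(pow(peer_pub, priv, DH_P).to_bytes(16, "big")).digest()

def keystream_xor(key, label, data):
    # HMAC-SHA256 counter-mode keystream stands in for the suite's cipher (XOR is symmetric).
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def seal(key, label, plaintext):
    # Encrypt-then-MAC: the receiver validates the packet before decrypting it.
    ct = keystream_xor(key, label, plaintext)
    return ct + hmac.new(key, label + ct, hashlib.sha256).digest()

def open_sealed(key, label, blob):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, label + ct, hashlib.sha256).digest()):
        raise ValueError("registration packet failed validation")
    return keystream_xor(key, label, ct)

def server_auth_proof(psk, nonce, pub):
    # Server proves PSK knowledge over the client's fresh nonce and its DH value (no replay).
    return hmac.new(psk, b"server-auth" + nonce + pub.to_bytes(16, "big"), hashlib.sha256).digest()

class DvpnServer:
    def __init__(self, psk, aaa_users, policy):
        self.psk = psk              # pre-shared key clients use to authenticate the server
        self.aaa_users = aaa_users  # constructed stand-in for an AAA user database
        self.policy = policy        # domain policy issued to every registered client
        self.pending = {}           # client nonce -> server DH private value
    def hello(self, client_nonce):
        priv, pub = dh_keypair()
        self.pending[client_nonce] = priv
        return pub, server_auth_proof(self.psk, client_nonce, pub)
    def register(self, client_nonce, client_pub, blob):
        key = dh_shared_key(self.pending.pop(client_nonce), client_pub)
        user, _, password = open_sealed(key, b"register", blob).decode().partition(":")
        if self.aaa_users.get(user) != password:  # AAA decides who joins the domain
            return None
        return dict(self.policy)                  # centrally managed policy goes to the client

class DvpnClient:
    def __init__(self, psk, user, password):
        self.psk, self.user, self.password = psk, user, password
    def register_with(self, server):
        nonce = secrets.token_bytes(16)
        server_pub, proof = server.hello(nonce)
        if not hmac.compare_digest(proof, server_auth_proof(self.psk, nonce, server_pub)):
            return "server failed PSK authentication"  # credentials never leave the client
        priv, pub = dh_keypair()
        blob = seal(dh_shared_key(priv, server_pub), b"register", f"{self.user}:{self.password}".encode())
        self.policy = server.register(nonce, pub, blob)
        return "registered" if self.policy else "rejected by AAA"

def negotiate_session_sa(policy, now):
    # Fresh DH pair per peer; the SA key comes from the shared secret, its lifetime from the policy.
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    sa_key = dh_shared_key(a_priv, b_pub)
    return {"key": sa_key, "established": now, "lifetime": policy["sa_renegotiate"]}

def maintain_session_sa(sa, policy, now):
    # Renegotiate once the issued interval has elapsed; otherwise keep the current SA.
    if now - sa["established"] >= sa["lifetime"]:
        return negotiate_session_sa(policy, now), True
    return sa, False

DEMO_POLICY = {"suite": "demo-hmac-sha256", "keepalive": 10, "idle_timeout": 300,
               "ipsec_encryption": "demo-stream", "sa_renegotiate": 3600}  # constructed values

def run_demo():
    server = DvpnServer(b"demo-psk", {"branch1": "s3cret"}, DEMO_POLICY)
    results = {
        "good": DvpnClient(b"demo-psk", "branch1", "s3cret").register_with(server),
        "bad_password": DvpnClient(b"demo-psk", "branch1", "wrong").register_with(server),
        "wrong_psk": DvpnClient(b"other-psk", "branch1", "s3cret").register_with(server),
    }
    sa = negotiate_session_sa(DEMO_POLICY, now=0)
    _, results["rekeyed_early"] = maintain_session_sa(sa, DEMO_POLICY, now=1800)
    sa2, results["rekeyed_late"] = maintain_session_sa(sa, DEMO_POLICY, now=3600)
    results["new_key"] = sa2["key"] != sa["key"]
    return results
```

Calling run_demo() exercises the three outcomes a server sees: a client whose credentials pass AAA and receives the policy, one rejected by AAA after an otherwise valid exchange, and one that never sends credentials because the server failed pre-shared-key authentication. The SA check then shows no rekey at half the issued interval and a fresh key once the interval is reached.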
■ Support for multiple DVPN domains. A single DVPN device can accommodate
multiple DVPN domains. That is, a security gateway can belong to both DVPN
domain A and DVPN domain B simultaneously, and a DVPN device can be a
client in DVPN domain A and the DVPN server in DVPN domain B at the same time.
A DVPN device can accommodate up to 200 DVPN domains and can be the
DVPN server of up to 200 DVPN domains. This improves network flexibility
remarkably, protects user investment, and lets you make full use of network
device resources. When multiple DVPN domains are configured on one DVPN
device, you can isolate these DVPN domains using private network routes.
■ Support for dynamic routes. In a DVPN domain, routing packets that need to be
transmitted through Tunnel interfaces can be broadcast over all sessions to
enable route learning in DVPN domains. When combined with dynamic
routing protocols, DVPN can simplify planning of private networks that are to