Decide VPN authentication methods

A VPN authentication method is a security mechanism that

  • validates the identity of peers in a VPN connection

  • enables secure communication between network devices, and

  • ensures only authorized devices can establish VPN connections.

Available authentication methods

VPNs support two primary authentication methods:

  • Preshared keys: A secret key shared between two peers and used by IKE during the authentication phase. The same shared key must be configured at each peer or the IKE SA cannot be established.

  • Digital certificates: Use RSA key pairs to sign and encrypt IKE key management messages. Certificates provide non-repudiation of communication between two peers, meaning that it can be proved that the communication actually took place.
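To show why the preshared-key caveat above holds (a key that differs on either side means the IKE SA is never established), here is an added example, not code from the original page or from the vendor, that computes the IKEv2 preshared-key AUTH payload as RFC 7296 section 2.15 defines it and checks it on the receiving peer. The choice of HMAC-SHA-256 as the prf and the "signed octets" byte string are constructed assumptions standing in for a real exchange.

```python
import hmac
import hashlib

# Fixed pad string from RFC 7296 section 2.15 (preshared-key authentication).
KEY_PAD = b"Key Pad for IKEv2"


def prf(key: bytes, data: bytes) -> bytes:
    # Assumption for this example: the negotiated prf is HMAC-SHA-256.
    return hmac.new(key, data, hashlib.sha256).digest()


def psk_auth(shared_secret: bytes, signed_octets: bytes) -> bytes:
    """AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>).

    Note the secret never goes on the wire: only the keyed-hash result does,
    so a peer with a different secret computes a different AUTH value.
    """
    return prf(prf(shared_secret, KEY_PAD), signed_octets)


def verify_peer_auth(local_secret: bytes, signed_octets: bytes,
                     received_auth: bytes) -> bool:
    """Receiving side: recompute AUTH with the locally configured secret
    and compare in constant time. False means the IKE SA must be rejected."""
    expected = psk_auth(local_secret, signed_octets)
    return hmac.compare_digest(expected, received_auth)


def demo() -> dict:
    # Constructed stand-in for the real signed octets (IKE_SA_INIT message,
    # the other side's nonce and the prf of the ID payload).
    signed = b"constructed IKE_SA_INIT || Nonce || prf(SK_p, IDPayload)"
    correct_key = b"constructed-preshared-key"
    mistyped_key = b"constructed-preshared-kye"
    auth_from_peer = psk_auth(correct_key, signed)
    return {
        # Both peers hold the same key: AUTH verifies, SA can be established.
        "matching_key": verify_peer_auth(correct_key, signed, auth_from_peer),
        # Responder configured with a different key: AUTH fails, no SA.
        "mismatched_key": verify_peer_auth(mistyped_key, signed, auth_from_peer),
    }


if __name__ == "__main__":
    print(demo())
```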

VPN type support varies by authentication method:

VPN authentication method support

  VPN Type                              Preshared Keys   Digital Certificates
  Site-to-site IKEv1 and IKEv2          Supported        Supported
  Remote Access (SSL and IPsec IKEv2)   Not supported    Supported

When using digital certificate authentication, you need a Public Key Infrastructure (PKI) defined where peers can obtain digital certificates from a Certification Authority (CA). CAs manage certificate requests and issue certificates to participating network devices, providing centralized key management for all of the participating devices.

Preshared keys do not scale well; using a CA improves the manageability and scalability of your IPsec network. With a CA, you do not need to configure keys between all encrypting devices. Instead, each participating device is registered with the CA and requests a certificate from the CA. Each device that has its own certificate and the public key of the CA can authenticate every other device within a given CA's domain.