Decide VPN authentication methods
A VPN authentication method is a security mechanism that
- validates the identity of peers in a VPN connection,
- enables secure communication between network devices, and
- ensures that only authorized devices can establish VPN connections.
Available authentication methods
VPNs support two primary authentication methods:
- Preshared keys: A secret key shared between two peers and used by IKE during the authentication phase. The same shared key must be configured at each peer or the IKE SA cannot be established.
- Digital certificates: Use RSA key pairs to sign and encrypt IKE key management messages. Certificates provide proof of communication between two peers.
VPN type support varies by authentication method.

| VPN Type | Preshared Keys | Digital Certificates |
|---|---|---|
| Site-to-site IKEv1 and IKEv2 | Supported | Supported |
| Remote Access (SSL and IPsec IKEv2) | Not supported | Supported |
When you use digital certificate authentication, you need a Public Key Infrastructure (PKI) defined for peers to obtain digital certificates from a Certification Authority (CA). CAs manage certificate requests and issue certificates to participating network devices, providing centralized key management for all participating devices.
Preshared keys are difficult to manage for large networks. CAs make it easier to manage and scale your IPsec network. With a CA, you do not need to configure keys between all encrypting devices. Register each device with the CA to request its certificate. Devices with their own certificates and the CA’s public key can authenticate other devices within the CA’s domain.