Understanding IKE Authentication
The IKE negotiations only provide the ability to establish a
secure channel over which two parties can communicate. You still need
to define how they authenticate each other. This is where IKE authentication
is used to ensure that the other party is authorized to establish
the VPN.
The following IKE authentication methods are available:
- Preshared key authentication—The most common way
to establish a VPN connection is to use a preshared key, which is essentially
a password that is the same for both parties. This password must be
exchanged in advance through an out-of-band mechanism, such as over the
phone, through a verbal exchange, or through less secure mechanisms,
even e-mail. The parties then authenticate each other by encrypting
the preshared key with the peer’s public key, which is obtained
in the Diffie-Hellman exchange.
Preshared keys are commonly deployed for site-to-site IPsec
VPNs, either within a single organization or between different organizations.
To ensure that preshared keys are used as securely as possible,
a preshared key must consist of at least 8 characters (12 or more
is recommended), combining uppercase and lowercase letters, numbers,
and nonalphanumeric characters; the preshared key should not
be a dictionary word.
- Certificate authentication—Certificate-based authentication
is considered more secure than preshared key authentication because
the certificate key cannot be compromised easily. Certificates are
also far better suited to larger scale environments with numerous peer
sites that should not all share a single preshared key. Certificates are
composed of a public and private key, and can be signed by a master
certificate known as a certificate authority (CA). In this way, a certificate
can be checked to verify that it was signed by a trusted CA.
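As an added example (not part of this page), the following Python checks a candidate preshared key against the requirements listed above and generates one from a CSPRNG that satisfies them. The word list is a constructed stand-in for a real dictionary, and excluding quote and backslash characters from generated keys is an assumption made for configuration convenience, not a requirement of the policy.

```python
import re
import secrets
import string

# Preshared-key policy as stated above: at least 8 characters (12 or more
# recommended), both letter cases, digits, nonalphanumeric characters, and
# no dictionary word.
MIN_LEN = 8
RECOMMENDED_LEN = 12

# Constructed stand-in for a real word list; load a full dictionary in practice.
SAMPLE_DICTIONARY = {"password", "secret", "summer", "welcome", "vpn", "juniper"}

# Assumption: leave out punctuation that often needs escaping in device configs.
SAFE_PUNCTUATION = "".join(c for c in string.punctuation if c not in "\"'\\`")


def check_preshared_key(psk: str, dictionary: set[str] = SAMPLE_DICTIONARY) -> list[str]:
    """Return the policy violations found in psk; an empty list means it passes."""
    problems = []
    if len(psk) < MIN_LEN:
        problems.append(f"fewer than {MIN_LEN} characters")
    if not any(c.islower() for c in psk):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in psk):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in psk):
        problems.append("no digit")
    if not any(c in string.punctuation for c in psk):
        problems.append("no nonalphanumeric character")
    # Check the whole key and every run of letters, so a dictionary word padded
    # with digits and symbols (e.g. Summer2024!) is still rejected.
    candidates = {psk.lower()} | set(re.findall(r"[a-z]+", psk.lower()))
    hits = sorted(w for w in candidates if w in dictionary)
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


def generate_preshared_key(length: int = RECOMMENDED_LEN) -> str:
    """Draw a key from a CSPRNG and resample until it satisfies the policy."""
    if length < MIN_LEN:
        raise ValueError(f"length must be at least {MIN_LEN}")
    alphabet = string.ascii_letters + string.digits + SAFE_PUNCTUATION
    while True:
        psk = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_preshared_key(psk):
            return psk
```

Run `check_preshared_key("Summer2024!")` to see the dictionary check catch a padded word, and `generate_preshared_key()` for a 12-character key that passes every check.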