Understanding IKE Authentication
The IKE negotiations only provide the ability to establish a secure channel over which two parties can communicate. You still need to define how they authenticate each other. This is where IKE authentication is used to ensure that the other party is authorized to establish the VPN.
The following IKE authentications are available:
Preshared key authentication—The most common way to establish a VPN connection is to use preshared keys, which is essentially a password that is the same for both parties. This password must be exchanged in advance in an out-of-band mechanism, such as over the phone, through a verbal exchange, or through less secure mechanisms, even e-mail. The parties then authenticate each other by encrypting the preshared key with the peer’s public key, which is obtained in the Diffie-Hellman exchange.
Preshared keys are commonly deployed for site-to-site IPsec VPNs, either within a single organization or between different organizations. To ensure that preshared keys are used in the most secure fashion, a preshared key must consist of at least 8 characters (12 or more is recommended) using a combination of letters, numbers, and nonalphanumeric characters, along with different cases for the letters (the preshared key should not use a dictionary word).
Certificate authentication—Certificate-based authentication is considered more secure than preshared key authentication because the certificate key cannot be compromised easily. Certificates are also far more ideal in larger scale environments with numerous peer sites that should not all share a preshared key. Certificates are composed of a public and private key, and can be signed by a master certificate known as a certificate authority (CA). In this way, certificates can be checked to see if they are signed with a CA that is trusted.