[Contents] [Prev] [Next] [Index] [Report an Error]

Authentication Methods in IPSec

The IPSec implementation in the Services Router allows you to use one of two authentication methods: preshared keys or digital certificates.

Preshared keys are secret passwords shared by the peer devices in an IPSec-enabled network. You must configure the same key on each Services Router and on every peer it negotiates with before any communication can take place. IKE does not distribute preshared keys; each one is entered manually on both devices, and IKE uses it only to authenticate the peers during negotiation. The distinction between manual and dynamic keying applies to the keys that protect traffic: with manual security associations you configure those keys yourself, whereas with IKE the preshared key authenticates the peers and IKE then generates and periodically refreshes the session keys. A preshared key is therefore a long-lived secret. Choose a long, random value rather than a dictionary word, and use a different key for each peer where practical, because any device that holds the key can authenticate as either end of that tunnel.
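The following Go program is added here as an illustration; it is not part of the Juniper documentation or the Services Router software. It models how a preshared key authenticates IKE peers without ever being transmitted: both sides derive SKEYID from the key and the exchanged nonces as RFC 2409 specifies for preshared-key authentication, then each proves knowledge of it with a keyed hash that the other side recomputes from its own configured key. Assumptions: HMAC-SHA256 stands in for the negotiated prf, the hash input is reduced to identity and nonces (the real HASH_I also covers the Diffie-Hellman values, ISAKMP cookies and SA payload), one function generates both nonces for convenience, and the router names and keys are made up.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// prf stands in for the IKE pseudo-random function; HMAC-SHA256 is an assumption
// of this example, the real prf is whatever hash the peers negotiate.
func prf(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}

// skeyid derives the IKEv1 SKEYID for preshared-key authentication,
// SKEYID = prf(preshared-key, Ni_b | Nr_b) (RFC 2409, section 5.4). The nonces
// travel in the clear; the preshared key is the only secret input.
func skeyid(psk, ni, nr []byte) []byte {
	return prf(psk, bytes.Join([][]byte{ni, nr}, nil))
}

// authHash is a reduced form of IKEv1's HASH_I / HASH_R: the real input also
// covers the Diffie-Hellman public values, the ISAKMP cookies and the SA
// payload, which this example omits. Either way the hash proves knowledge of
// SKEYID, and so of the preshared key, without sending the key itself.
func authHash(skeyid, id, ni, nr []byte) []byte {
	return prf(skeyid, bytes.Join([][]byte{id, ni, nr}, nil))
}

// Peer is a router holding the preshared key configured for this tunnel.
type Peer struct {
	ID  []byte
	PSK []byte
}

// Prove builds the hash this peer sends to authenticate itself.
func (p Peer) Prove(ni, nr []byte) []byte {
	return authHash(skeyid(p.PSK, ni, nr), p.ID, ni, nr)
}

// Verify recomputes the expected hash from this peer's own configured key and
// compares in constant time, so a key mismatch on either side is rejected here.
func (p Peer) Verify(peerID, ni, nr, proof []byte) bool {
	expected := authHash(skeyid(p.PSK, ni, nr), peerID, ni, nr)
	return hmac.Equal(expected, proof)
}

// runExchange authenticates an initiator to a responder, each configured with
// the given key, and reports whether the responder accepts the proof. Both
// nonces are generated here for brevity; in IKE each side generates its own.
func runExchange(initiatorPSK, responderPSK []byte) (bool, error) {
	ni, nr := make([]byte, 32), make([]byte, 32)
	if _, err := rand.Read(ni); err != nil {
		return false, err
	}
	if _, err := rand.Read(nr); err != nil {
		return false, err
	}
	initiator := Peer{ID: []byte("router-a.example"), PSK: initiatorPSK} // constructed names
	responder := Peer{ID: []byte("router-b.example"), PSK: responderPSK}
	proof := initiator.Prove(ni, nr) // sent with the initiator identity in the final main-mode exchange
	return responder.Verify(initiator.ID, ni, nr, proof), nil
}

func main() {
	same, _ := runExchange([]byte("correct horse battery staple"), []byte("correct horse battery staple"))
	diff, _ := runExchange([]byte("correct horse battery staple"), []byte("typo on one router"))
	fmt.Println("matching preshared keys authenticate:", same)
	fmt.Println("mismatched preshared keys authenticate:", diff)
}
```

Because the responder recomputes the proof from its own copy of the key, a typo on either router fails at this step rather than producing a tunnel that silently passes no traffic; the nonces also ensure a captured proof cannot be replayed against a later negotiation.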

Certificates are digital identifiers that validate the authenticity of an individual or a device. A digital certificate implementation uses a public key infrastructure (PKI), in which each participant generates a key pair consisting of a public key and a private key. Certificates are issued by certificate authorities (CAs), public or private organizations that operate a PKI. The main function of a digital certificate is to bind a device or user to a public key. Because the CA signs the certificate, any peer that trusts the CA can confirm that the public key belongs to the named holder without having exchanged a secret with it beforehand, and the holder then proves the binding by signing with the matching private key. A digital certificate consists of data that definitively identifies an individual, system, company, or organization. In addition to identification data, the digital certificate contains a serial number, a copy of the certificate holder’s public key, the identity and digital signature of the issuing CA, and an expiration date. A router that receives a peer’s certificate must therefore check that the signature chains to a CA it has been configured to trust and that the current time falls within the validity period; a well-formed signature alone says nothing about whether the issuing CA is one you trust.
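The following Go program is added as an example; it is not part of the Juniper documentation or the Services Router software. Using only the standard library's crypto/x509 package, it builds a small PKI in which a CA issues a router certificate carrying the fields listed above (serial number, subject, public key, issuer name and signature, validity period), and verifyPeer performs the check the receiving router must make: it accepts the genuine certificate, rejects one with the same subject name issued by an unrelated CA, and rejects one from the trusted CA whose validity period has lapsed. The CA and router names, serial numbers, key type (P-256 ECDSA) and lifetimes are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must keeps the constructed PKI short; production code would return errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA generates a CA key pair and a self-signed CA certificate (key, parsed cert, DER).
func newCA(name string) (*ecdsa.PrivateKey, *x509.Certificate, []byte) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-72 * time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return key, must(x509.ParseCertificate(der)), der
}

// issue has the CA sign a certificate for a device: serial number, subject identity,
// the holder's public key, the issuer's name and signature, and the validity dates.
// The device's private key is discarded here; only the certificate is needed below.
func issue(caKey *ecdsa.PrivateKey, caCert *x509.Certificate, serial int64, cn string, from, to time.Time) []byte {
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    from,
		NotAfter:     to,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return must(x509.CreateCertificate(rand.Reader, tmpl, caCert, &devKey.PublicKey, caKey))
}

// PKI holds DER certificates built by buildPKI; all names, serials and lifetimes are made up.
type PKI struct {
	RootDER    []byte // self-signed certificate of the CA the router trusts
	DeviceDER  []byte // peer router certificate issued by that CA
	RogueDER   []byte // same subject name, but issued by an unrelated CA
	ExpiredDER []byte // issued by the trusted CA, validity period already over
}

func buildPKI() *PKI {
	now, day := time.Now(), 24*time.Hour
	caKey, caCert, rootDER := newCA("Example Trusted CA")
	rogueKey, rogueCert, _ := newCA("Unrelated CA")
	return &PKI{
		RootDER:    rootDER,
		DeviceDER:  issue(caKey, caCert, 1001, "router-a.example", now.Add(-time.Hour), now.Add(day)),
		RogueDER:   issue(rogueKey, rogueCert, 1001, "router-a.example", now.Add(-time.Hour), now.Add(day)),
		ExpiredDER: issue(caKey, caCert, 1002, "router-a.example", now.Add(-2*day), now.Add(-day)),
	}
}

// verifyPeer is the check a router performs on a peer's certificate: the signature must
// chain to a CA the router trusts and every certificate in the chain must be inside its
// validity period at the time of the exchange. Matching the subject name alone is not
// enough; the rogue certificate above carries the same name and still fails here.
func verifyPeer(peerDER, rootDER []byte, at time.Time) error {
	peer, err := x509.ParseCertificate(peerDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(must(x509.ParseCertificate(rootDER))) // local trust anchor, not peer input
	_, err = peer.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: at,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err
}

func main() {
	p, now := buildPKI(), time.Now()
	dev := must(x509.ParseCertificate(p.DeviceDER))
	fmt.Printf("serial=%d subject=%s issuer=%s key=%s expires=%s\n", dev.SerialNumber,
		dev.Subject.CommonName, dev.Issuer.CommonName, dev.PublicKeyAlgorithm, dev.NotAfter.Format(time.RFC3339))
	fmt.Println("trusted CA, in validity period:", verifyPeer(p.DeviceDER, p.RootDER, now))
	fmt.Println("unrelated CA:", verifyPeer(p.RogueDER, p.RootDER, now))
	fmt.Println("expired:", verifyPeer(p.ExpiredDER, p.RootDER, now))
}
```

The CurrentTime parameter is passed explicitly to make the point that validity is judged at the moment of the exchange: the expired certificate verifies cleanly if the clock is set back into its validity window, which is why accurate time on the router matters as much as the trust anchor itself.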

We recommend that you become familiar with PKI and digital certificates before implementing this feature on a Services Router.

For white papers about digital certificates and additional information about PKI, see the following Web sites:

  • http://www.verisign.com
  • http://www.thawte.com
  • http://www.entrust.com

When you configure IPSec for secure communications in the network, each pair of peer devices must have at least one authentication method in common. Only one authentication method is used between a given pair of devices, regardless of how many methods are configured on each, so a peer configured only for preshared keys cannot negotiate with a peer configured only for digital certificates.

