From IPSec VPN Gateway Security Technical Implementation Guide
Part of PKI is not used for authenticating remote endpoint.
Associated with IA controls: ECSC-1
Using shared secrets between two IPSec endpoints is easy to implement, but shared secrets are also easy to compromise. Regardless of the strength of the password, they can be cracked using software tools that are readily available. Furthermore, an implementation using shared secrets is not scalable, since all VPN gateways and software clients would need to be configured with the shared secrets. In addition, there cannot be a preshared key for every user, because the VPN gateway server does not know the client's identity (the IP address is commonly used). Hence, remote users must use a group-based preshared key for authentication. When an individual leaves the group, changing the key must be coordinated with the other users of the group. PKI mitigates the risk involved with group passwords because each user has a certificate.
Review the VPN gateway configuration to determine if certificate-based authentication is used. The authentication method will be defined on the ISAKMP policy that has been configured for IKE Phase I negotiation.
Configure the VPN gateway to use certificate-based authentication for IPSec peers and clients. The authentication method will be defined on the ISAKMP policy used to establish an IKE security association.
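The check above can be scripted against an exported configuration. The following is an added example, not part of the STIG or any vendor documentation: it parses Cisco IOS-style `crypto isakmp policy` blocks from a constructed sample config and reports every IKE Phase 1 policy whose `authentication` method is not certificate-based. The sample config, hostname, policy numbers and key string are all constructed for illustration.

```python
"""Audit a Cisco IOS-style config for ISAKMP (IKE Phase 1) policies that
authenticate peers with pre-shared keys rather than certificates."""
import re

# Constructed sample running-config (not from a real device).
# Policy 10 uses a group pre-shared key; policy 20 uses RSA signatures.
SAMPLE_CONFIG = """\
hostname vpn-gw1
!
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
crypto isakmp key ExampleGroupSecret address 0.0.0.0 0.0.0.0
"""

POLICY_RE = re.compile(r"^crypto isakmp policy (\d+)\s*$")
# Certificate-based IKE authentication methods accepted by the check.
CERT_METHODS = {"rsa-sig", "ecdsa-sig"}


def parse_isakmp_policies(config):
    """Return {policy_number: authentication_method}.
    A policy with no explicit 'authentication' line is treated as rsa-sig,
    which is the IOS default for an ISAKMP policy."""
    policies = {}
    current = None
    for line in config.splitlines():
        m = POLICY_RE.match(line)
        if m:
            current = int(m.group(1))
            policies[current] = "rsa-sig"  # implicit default until overridden
            continue
        if current is not None and line.startswith(" "):
            parts = line.split()
            if len(parts) == 2 and parts[0] == "authentication":
                policies[current] = parts[1]
        else:
            current = None  # left the indented policy block ('!' or a new top-level command)
    return policies


def noncompliant_policies(config):
    """Policy numbers that fail the check: any non-certificate authentication method."""
    return sorted(n for n, auth in parse_isakmp_policies(config).items()
                  if auth not in CERT_METHODS)
```

Run `noncompliant_policies(SAMPLE_CONFIG)` to list the offending policies; a compliant gateway returns an empty list, and any `crypto isakmp key` lines left in the config should be reviewed alongside the result.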