RE: Where is the VPN 3000 certificate installed ? [7:101292] posted 07/25/2005

> Digital Certificates are just one method of authentication.
> Pre-shared keys, MD5 hashes, etc can also be used. (and are
> probably more common in small/medium businesses).

Just to clarify, there are a number of different methods of authentication
with IPsec remote access VPNs:

1. IPsec peer (*device*) authentication: on the Cisco VPN concentrator you
can use either digital signature (using digital certificates) or pre-shared
key authentication.

Digital signature authentication using digital certificates mandates the
deployment of a Public Key Infrastructure (PKI)- Certificate Authority (or
Certificate Authority hierarchy), etc, etc. Pre-shared key authentication,
on the other hand, does not require the deployment of a PKI.

IPsec peers authenticate each other during IKE phase 1 (main/aggressive

2. Remote access VPN *user* authentication: remote access VPN users can be
authenticated in a number of different ways- using PPP authentication if you
are using L2TP/IPsec, and using Extended Authentication (XAUTH) if you are
using IPsec alone.

PPP authentication occurs after both IKE phase 1 & 2, plus L2TP & LCP
negotiation. XAUTH, on the other hand, takes place between IKE phases 1 and
2, and optionally periodically thereafter.

Note that user authentication is very important in addition to IPsec peer
(*device*) authentication in a remote access VPN because if only the IPsec
peer is authenticated then it would be possible for someone to steal a
legitimate user's laptop/other device (IPsec peer device), and access the
corporate network over the IPsec VPN- not good.

Two other methods of combined IPsec peer/user authentication are possible:

1. Hybrid Authentication.

2. Challenge/Response for Authenticated Cryptographic Keys (CRACK).

These two methods are alternatives to regular XAUTH plus regular IKE phase 1
(IPsec peer/device) authentication.

Cisco has recently added Hybrid Authentication to the VPN 3000 concentrator
in response to criticism of group pre-shared key authentication with XAUTH
on that device.

The problem with group pre-shared key authentication with XAUTH on the VPN
3000 is that the pre-shared key is shared by a group (it's the group
password)- the more members in the group the more inherently insecure the
pre-shared key is (it is more vulnerable to compromise). It is even possible
for a member of the group to impersonate the VPN concentrator and obtain
other group members' XAUTH passwords. In addition, if the pre-shared key
is weak (it is vulnerable to dictionary or brute force cracking) then the
XAUTH passwords of users are vulnerable because the XAUTH authentication
exchange is protected by the IKE security association (SA) which is itself
secured using the weak pre-shared key!

In Hybrid Authentication, the VPN 3000 concentrator authenticates itself to
the remote access VPN clients using digital signature authentication with a
certificate. The remote access VPN *user* authenticates him/herself to the
VPN 3000 using XAUTH. The advantage is that the remote access VPN clients
are able to be certain that they are actually talking to the VPN 3000 (it is
no longer possible for another member of the group to impersonate the VPN
3000), and the XAUTH password is more secure. The other advantage of Hybrid
Authentication is that it doesn't require the deployment of a full PKI-
only the VPN 3000 must obtain an identity certificate (the clients only
require the CA's certificate).

Note that Cisco have slightly modified regular Hybrid Authentication on the
VPN 3000 to allow group matching (you still have the group name/password,
but it is only now used to match the correct group, and not really for
authentication proper).

CRACK is also possible on the VPN 3000, but support has only been added for
Nokia devices (not with the Cisco VPN client). When using CRACK, one of the
IPsec peers (the client) authenticates using a secret key type user
authentication method, and the other IPsec peer (the VPN gateway)
authenticates using public-key authentication (optionally involving digital

Hope that helps!


CCIE#6280 / CCSI#21051 / etc.
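To make the post's argument concrete, here is an added model (not from the post, not Cisco code) of the client-side check that gates the XAUTH password: in group pre-shared key mode any holder of the group password produces an authenticator the client accepts, whereas in Hybrid Authentication the client needs a signature only the gateway's certificate key can produce. The RSA key pair (tiny primes), the group password and the phase-1 transcript are constructed stand-ins.

```python
import hashlib
import hmac

# Constructed toy RSA key pair standing in for the VPN 3000's certificate key.
# Tiny primes for readability only; a real gateway uses a CA-issued certificate.
_P, _Q, RSA_E = 61, 53, 17
RSA_N = _P * _Q                                # public modulus (in the certificate)
RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))    # private exponent (gateway only)

GROUP_PSK = b"group-password"      # constructed: the group password every member knows
TRANSCRIPT = b"SAi|KEi|Ni|ID_gw"   # constructed stand-in for the IKE phase-1 exchange

def _transcript_int(transcript: bytes) -> int:
    return int.from_bytes(hashlib.sha256(transcript).digest(), "big") % RSA_N

def sign_transcript(transcript: bytes, d: int) -> int:
    """Digital-signature authentication: requires the gateway's private exponent."""
    return pow(_transcript_int(transcript), d, RSA_N)

def verify_transcript(transcript: bytes, sig: int) -> bool:
    """Client side: checks against the public key in the CA-trusted certificate."""
    return pow(sig, RSA_E, RSA_N) == _transcript_int(transcript)

def psk_authenticator(psk: bytes, transcript: bytes) -> bytes:
    """Pre-shared-key authentication: anyone holding the group key can compute it."""
    return hmac.new(psk, transcript, hashlib.sha256).digest()

def real_gateway(mode: str):
    """Authenticator the genuine concentrator presents during phase 1."""
    if mode == "hybrid":
        return sign_transcript(TRANSCRIPT, RSA_D)
    return psk_authenticator(GROUP_PSK, TRANSCRIPT)

def group_member_posing_as_gateway(mode: str):
    """A group member holds the PSK and the CA certificate, but no gateway private key."""
    if mode == "hybrid":
        return None   # nothing it holds lets it produce a valid signature over the transcript
    return psk_authenticator(GROUP_PSK, TRANSCRIPT)

def xauth_password_sent(mode: str, authenticator) -> bool:
    """The client releases its XAUTH password only if the gateway authenticates first."""
    if authenticator is None:
        return False
    if mode == "hybrid":
        return verify_transcript(TRANSCRIPT, authenticator)
    return hmac.compare_digest(authenticator, psk_authenticator(GROUP_PSK, TRANSCRIPT))
```

Running the four combinations shows the point of the post: the password goes to the real gateway in both modes, to another group member only in PSK mode.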

