This article is part of the Identity and Access Management Security School lesson on VPNs and remote access. Visit the VPNs and remote access lesson page for more learning resources.
IPsec VPNs extend a network's security perimeter by connecting individual hosts or entire networks. A secure VPN starts with verifying the identity of those tunnel endpoints, but poor authentication choices can cause interoperability issues or network compromise. This tip explores common IPsec VPN identity and authentication options, and their security and deployment implications.
Standard IPsec VPN features
IPsec VPN tunnels can be configured statically ("nailed up") or established dynamically using messages defined by the Internet Key Exchange (IKE) standard. IKE lets two VPN gateways (or two VPN hosts, or a gateway and host) authenticate each other, negotiate security parameters, and generate keys for data encryption and integrity.
Authentication is critical to avoid establishing tunnels with unauthorized parties. In a site-to-site VPN, it lets us spot an attacker masquerading as a peer VPN gateway. In a remote access VPN, it lets us deny access to intruders who pose as legitimate users. To enable authentication, IKE peers identify themselves using standard Identity Types: an IPv4 or IPv6 address, a hostname (Fully Qualified Domain Name, FQDN ), an email address (User FQDN) or an X.500 Distinguished Name (DN). IKE peers can use different ID Types; for example, user@mycorp.com