Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
495
Views
0
Helpful
2
Replies

IPSEC Question - technology doubt

nibauramos
Level 1
Level 1

‎04-26-2010 04:34 PM - edited ‎02-21-2020 04:37 PM

Hello,

I have deployed some configurations for VPN connectivity using L2TP and sometimes PPTP, however since both protocols are not designed with security in mind we usually place them over IPSEC to ensure data confidentiality. I searched online for examples but must implementations I found define a PSK for IPSEC and them (for example) integrate the authorization process with Active Directory using the person's username/password.

Using an username/password is something very easy intuitive for a common user, however confidentiality is only ensured by the PSK, isn't this a bad choice when we have to design a scenario where there are hundreds of different users connection to the VPN in a Roadwarrior style? Basically everyone's has to know the PSK compromising the confidentiality between them.

Are there any solutions for this kind of scenarios?

Using x.509 might be a solution I think, however I would much rather use an username/password than having to deploy certificates to every single user, and teach them how to use them.

This isn't a very CISCO related question, however the scenario I'm going to implement will be with Cisco routers acting has VPN concentrators.


Thank you.

Labels:
0 Helpful
2 Replies 2

Federico Coto Fajardo
VIP Alumni
VIP Alumni

‎04-26-2010 06:48 PM

Hi,

IPsec technology in IOS or Cisco devices allows for two methods of peer authentication.

The two methods are PSK and PKI.

Relying on PSK is very easy but not scalable.

For large VPN scenarios the recommendation is PKI.

The previous two methods are for peer (or device) authentication, then to authenticate a user you have several options, for example relying simply on a user/pass database or using additional security like tokens or OTPs.

The pre-shared keys can be used as wildcards so it is easy to manage them in large enterprises, but not a recommended solution due to security reasons.

I think that you should consider managing pre-shared keys against deploying a PKI scenario.

For digital certificates, you can use a third-party entity or have an in-house CA which you can administer (ASA or IOS could serve as CA authority for some scenarios).

So, for large environments the recommendation is PKI, unless you want to stick with PSKs.

For user authentication, you can consider other security factors like mutual-authentication (far more secure than a single user/pass).

Hope to help.

Federico.

0 Helpful

nibauramos
Level 1
Level 1
In response to Federico Coto Fajardo

‎04-27-2010 03:20 AM

Hello, thank you for your answer, I will investigate the configuration with a PKI cenario.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents