Cisco Support Community

New Member

IPSEC Question - technology doubt


I have deployed some configurations for VPN connectivity using L2TP and sometimes PPTP; however, since both protocols are not designed with security in mind, we usually place them over IPSEC to ensure data confidentiality. I searched online for examples, but most implementations I found define a PSK for IPSEC and then (for example) integrate the authorization process with Active Directory using the person's username/password.

Using a username/password is something very easy and intuitive for a common user; however, confidentiality is only ensured by the PSK. Isn't this a bad choice when we have to design a scenario where there are hundreds of different users connecting to the VPN in a roadwarrior style? Basically everyone has to know the PSK, compromising the confidentiality between them.

Are there any solutions for this kind of scenario?

Using x.509 might be a solution, I think; however, I would much rather use a username/password than have to deploy certificates to every single user and teach them how to use them.

This isn't a very CISCO-related question; however, the scenario I'm going to implement will be with Cisco routers acting as VPN concentrators.

Thank you.


Re: IPSEC Question - technology doubt


IPsec technology in IOS or Cisco devices allows for two methods of peer authentication.

The two methods are PSK and PKI.

Relying on PSK is very easy but not scalable.

For large VPN scenarios the recommendation is PKI.

The previous two methods are for peer (or device) authentication, then to authenticate a user you have several options, for example relying simply on a user/pass database or using additional security like tokens or OTPs.

The pre-shared keys can be used as wildcards, so it is easy to manage them in large enterprises, but this is not a recommended solution for security reasons.

I think that you should weigh managing pre-shared keys against deploying a PKI scenario.

For digital certificates, you can use a third-party entity or have an in-house CA which you can administer (ASA or IOS could serve as CA authority for some scenarios).

So, for large environments the recommendation is PKI, unless you want to stick with PSKs.

For user authentication, you can consider other security factors like mutual-authentication (far more secure than a single user/pass).

Hope this helps.
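To make the contrast in the answer above concrete, here is an added IOS configuration sketch (not from the original post or from Cisco documentation) showing the single wildcard PSK that the question worries about next to a certificate-based IKE policy; the trustpoint name RW-CA, the CA URL, the key label and the subject name are assumed placeholders, and the user-level L2TP username/password check against AD stays separate from this peer authentication.

```cisco
! --- Weak: one wildcard PSK shared by every road-warrior (the concern in the question) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! a single group key accepted from any peer address; every user must hold it,
! so one leaked laptop exposes the key for all of them
crypto isakmp key EXAMPLE-GROUP-KEY address 0.0.0.0 0.0.0.0

! --- Preferred for large deployments: per-device certificates from an in-house CA ---
! (assumed trustpoint name, CA URL, key label and subject name)
crypto pki trustpoint RW-CA
 enrollment url http://ca.example.internal:80
 subject-name CN=vpn-gw.example.internal
 revocation-check crl
 rsakeypair RW-CA-KEYS 2048
! exec-mode steps: fetch the CA certificate, then enroll the gateway's own certificate
crypto pki authenticate RW-CA
crypto pki enroll RW-CA

! the same policy now authenticates peers with RSA signatures instead of a shared secret
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
```

With rsa-sig, each client presents its own certificate, so revoking one compromised device (via the CRL the trustpoint checks) does not require rekeying every other user, which is the scalability point the answer makes.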


New Member

Re: IPSEC Question - technology doubt

Hello, thank you for your answer. I will investigate the configuration with a PKI scenario.