I have deployed some configurations for VPN connectivity using L2TP and sometimes PPTP; however, since both protocols are not designed with security in mind, we usually place them over IPsec to ensure data confidentiality. I searched online for examples, but most implementations I found define a PSK for IPsec and then (for example) integrate the authorization process with Active Directory using the person's username/password.
Using a username/password is something very easy and intuitive for a common user; however, confidentiality is only ensured by the PSK. Isn't this a bad choice when we have to design a scenario where there are hundreds of different users connecting to the VPN in a road-warrior style? Basically everyone has to know the PSK, compromising the confidentiality between them.
Are there any solutions for this kind of scenario?
Using X.509 might be a solution, I think; however, I would much rather use a username/password than have to deploy certificates to every single user and teach them how to use them.
This isn't a very Cisco-related question; however, the scenario I'm going to implement will be with Cisco routers acting as VPN concentrators.
IPsec technology in IOS or Cisco devices allows for two methods of peer authentication.
The two methods are PSK and PKI.
Relying on PSK is very easy but not scalable.
For large VPN scenarios the recommendation is PKI.
The previous two methods are for peer (or device) authentication; to authenticate a user you then have several options, for example relying simply on a user/pass database or using additional security like tokens or OTPs.
The pre-shared keys can be used as wildcards, so it is easy to manage them in large enterprises, but this is not a recommended solution for security reasons.
I think that you should weigh managing pre-shared keys against deploying a PKI scenario.
For digital certificates, you can use a third-party entity or have an in-house CA which you can administer (ASA or IOS could serve as the CA in some scenarios).
So, for large environments the recommendation is PKI, unless you want to stick with PSKs.
For user authentication, you can consider other security factors like mutual authentication (far more secure than a single user/pass).
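As an added illustration (not part of the answer above, and not taken from Cisco documentation), here are the two peer-authentication methods the answer names, written as IOS remote-access IPsec configuration: the wildcard pre-shared key that every road-warrior client must share, beside certificate (rsa-sig) peer authentication with a trustpoint, followed by per-user authentication (XAuth) against RADIUS. The hostnames, addresses, pool, group and list names, and the CA URL are placeholders, and the syntax assumes an IOS 15.x image (older images spell the RADIUS server block as `radius-server host`). For L2TP/IPsec specifically, the per-user step would happen in PPP rather than XAuth, but the peer-authentication choice is the same.

```text
! Added example, not from the question or answer. Placeholders throughout.

! --- Weak setting the answer warns about: one wildcard PSK shared by all clients.
! --- Every user knows the key, so any of them can pose as a peer to the others.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key CHANGEME-SHARED-SECRET address 0.0.0.0 0.0.0.0

! --- Scalable alternative: authenticate peers with certificates (PKI).
crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14

! Trustpoint enrolling this router with the CA (in-house IOS/ASA CA or third party).
! Revocation checking lets a lost laptop's certificate be revoked instead of
! rotating a key that everyone shares.
crypto pki trustpoint ROADWARRIOR-CA
 enrollment url http://ca.example.internal:80
 revocation-check crl
 rsakeypair ROADWARRIOR-KEY 2048

! --- Per-user authentication (XAuth) so the user still types username/password,
! --- which can be backed by AD via RADIUS and extended with tokens/OTP.
aaa new-model
aaa authentication login VPN-USERS group radius
aaa authorization network VPN-GROUPS local
radius server VPN-RADIUS
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key RADIUS-SHARED-SECRET

crypto isakmp client configuration group ROADWARRIORS
 pool VPN-POOL
 dns 192.0.2.53
ip local pool VPN-POOL 10.10.10.1 10.10.10.254

crypto ipsec transform-set AES256-SHA256 esp-aes 256 esp-sha256-hmac
crypto dynamic-map DYN-RA 10
 set transform-set AES256-SHA256
 reverse-route
crypto map RA-MAP client authentication list VPN-USERS
crypto map RA-MAP isakmp authorization list VPN-GROUPS
crypto map RA-MAP client configuration address respond
crypto map RA-MAP 10 ipsec-isakmp dynamic DYN-RA

interface GigabitEthernet0/0
 crypto map RA-MAP
```

The design point is that the two layers are independent: policy 10 and policy 20 can coexist during a migration, but once clients carry certificates the wildcard key line can be removed, and compromise of one user's credentials then affects only that user's certificate (revoked via the CRL) and RADIUS account, not a secret every other road warrior also holds.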