Authentication in IPsec VPNs

Authentication requires an exchange of information between the two authenticating parties. The exchange must be done securely, so that the exchanged information is of no use to anyone who intercepts it.

The confidentiality of authentication exchanges is most often achieved through digital signatures or through encrypting the authentication messages with a pre-shared key.

  • Digital signatures use a public-private key pair to sign messages. This method requires each party to hold a digital certificate signed by a mutually trusted certificate authority (CA).
  • VPN authentication with a pre-shared key does not require digital certificates. Instead, it requires a secret key that has been shared in advance and is known to both communicating parties.

Both methods can be secure enough for VPNs if used correctly, but the security of the pre-shared key method is much more dependent on administrator actions. If pre-shared keys are used for authentication, the keys must be long and random to be sufficiently secure. The pre-shared key must be kept secret, since the security of this configuration relies on the assumption that only the legitimate parties know the key.
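The two requirements above, that an intercepted exchange must be useless to the interceptor and that a pre-shared key must be long and random, can be made concrete in code. The following is an added example and not part of the original page or of any VPN product: it generates a PSK from a CSPRNG, scores its strength against an assumed 128-bit policy threshold (the threshold is an assumption, not a figure from the page), and models a PSK-based mutual authentication in which each side proves it knows the key with a keyed MAC over session-specific data, so the key itself never travels on the wire. The AUTH derivation follows the shape IKEv2 specifies in RFC 7296 (AUTH = prf(prf(PSK, "Key Pad for IKEv2"), signed octets)) with HMAC-SHA256 standing in for the negotiated prf; the nonce and identity payloads are constructed stand-ins, and the whole thing is a stand-alone model rather than a real IKE implementation.

```python
"""Pre-shared-key authentication for an IPsec/IKE-style VPN, as an added
illustration: generate a strong PSK, check its strength, and prove
possession of it without ever sending it.  The AUTH computation mirrors
the IKEv2 PSK construction from RFC 7296 (section 2.15) with HMAC-SHA256
as the prf; this is a model, not an interoperable IKE implementation."""
import hashlib
import hmac
import math
import secrets
import string

IKEV2_KEY_PAD = b"Key Pad for IKEv2"  # literal pad string from RFC 7296
MIN_PSK_BITS = 128                    # assumed policy threshold, not from the page


def generate_psk(n_bytes: int = 32) -> str:
    """Return a printable PSK carrying n_bytes of CSPRNG entropy."""
    return secrets.token_urlsafe(n_bytes)


def psk_entropy_bits(psk: str) -> float:
    """Upper-bound entropy estimate: assume each character was drawn
    uniformly from the union of the character classes the PSK uses.
    A dictionary word scores far below this bound in reality, so a
    low score here is a hard failure, a high score is only necessary."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    pool = sum(len(c) for c in classes if any(ch in c for ch in psk))
    if pool == 0:
        return 0.0
    return len(psk) * math.log2(pool)


def psk_is_strong(psk: str) -> bool:
    """True when the PSK is long and varied enough to meet MIN_PSK_BITS."""
    return psk_entropy_bits(psk) >= MIN_PSK_BITS


def compute_auth(psk: bytes, signed_octets: bytes) -> bytes:
    """AUTH value for PSK authentication, IKEv2-style: fold the PSK through
    the prf with a fixed pad, then MAC the session-specific octets
    (nonces, SPIs, identities) with the result."""
    inner = hmac.new(psk, IKEV2_KEY_PAD, hashlib.sha256).digest()
    return hmac.new(inner, signed_octets, hashlib.sha256).digest()


def verify_auth(psk: bytes, signed_octets: bytes, received_auth: bytes) -> bool:
    """Recompute AUTH locally and compare in constant time."""
    return hmac.compare_digest(compute_auth(psk, signed_octets), received_auth)


def run_exchange(initiator_psk: bytes, responder_psk: bytes) -> bool:
    """Model one mutual authentication.  Each side MACs its own signed
    octets with the key it holds; the peer recomputes with its own copy.
    Succeeds only if both copies are identical, and an eavesdropper sees
    nonces, identities and two MACs, none of which reveal the key."""
    # Constructed per-session values standing in for IKE nonces and IDs.
    ni = secrets.token_bytes(32)
    nr = secrets.token_bytes(32)
    init_octets = b"IKE_SA_INIT_request" + nr + b"ID_i"
    resp_octets = b"IKE_SA_INIT_response" + ni + b"ID_r"
    auth_i = compute_auth(initiator_psk, init_octets)  # sent initiator -> responder
    auth_r = compute_auth(responder_psk, resp_octets)  # sent responder -> initiator
    return (verify_auth(responder_psk, init_octets, auth_i)
            and verify_auth(initiator_psk, resp_octets, auth_r))


if __name__ == "__main__":
    psk = generate_psk()
    print(f"generated PSK: {psk} ({psk_entropy_bits(psk):.0f} bits, strong={psk_is_strong(psk)})")
    print(f"'vpnpassword' strong? {psk_is_strong('vpnpassword')}")
    print(f"matching keys authenticate: {run_exchange(psk.encode(), psk.encode())}")
    print(f"mismatched keys authenticate: {run_exchange(psk.encode(), b'wrong-key')}")
```

The entropy estimate is deliberately an upper bound: it catches short or single-class keys outright, but a long key copied from a wordlist would still pass it, which is why the generator, not the checker, is the part to rely on. The exchange model shows why the page calls the PSK configuration administrator-dependent: nothing on the wire leaks the key, so the only way it is compromised is if someone who should not have it is given it.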