Preshared Keys
As Chapter 9 explained, VPN peer devices can authenticate each other using either preshared keys or digital certificates issued by certificate authorities. This section discusses using preshared keys; the section “Digital Certificates” looks at the changes required to use digital certificates instead.
Three types of preshared keys exist.
- Unique keys—Each IP address has a unique key associated with it. This provides a high level of security but requires much greater administrative overhead. While manageable for LAN-to-LAN implementations, it doesn’t scale well for remote access networks with many users or a growing pool of users.

- Group keys—In this implementation, preshared keys are assigned to one or more groups. Managing new users becomes easier and more scalable because a new user need only be made a member of a group and given the appropriate passwords. This concept of groups has many other benefits, including the capability to separate different types of users based on access method (router vs. software client) for autoupdate features, or even based on differences in Security Policy access limitations. By default, the VPN Concentrator has one group, the Base Group. Additional groups can be added as needed, using the Base Group settings as defaults that can be modified as necessary.

- Wildcard keys—With a wildcard preshared key, one or more clients can use a single shared secret key to authenticate encrypted tunnels to the gateway. For a wildcard key to be configured on the Concentrator, all devices must be using preshared keys. This option is more prone to security problems, such as man-in-the-middle attacks, if the key is compromised, because every client shares it. In that case, all keys must be changed.
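As an added illustration (not from the book or the VPN Concentrator itself), the following Python sketch models the three key types as a key-selection step on the gateway side and shows which peers a compromised key forces you to rekey. The HMAC over a nonce is an assumed stand-in for IKE's preshared-key authentication, and all addresses, group names and key values are constructed.

```python
"""Toy model of how a VPN gateway selects a preshared key (PSK) for a peer.

Added example, not VPN Concentrator code: the HMAC over a nonce stands in for
IKE's PSK authentication so the selection and rekey logic can run offline.
"""
import hashlib
import hmac

# Constructed key store with one entry per key type described in the text.
PSK_STORE = {
    "unique": {"192.0.2.10": b"k-site-a", "192.0.2.11": b"k-site-b"},
    "group": {"sales": b"k-sales", "eng": b"k-eng"},
    "wildcard": b"k-any",
}

# Constructed roster: peer address -> group name (None = no group membership).
PEERS = {
    "192.0.2.10": None,       # LAN-to-LAN site with its own unique key
    "192.0.2.11": None,
    "198.51.100.5": "sales",  # remote-access users authenticated by group key
    "198.51.100.6": "sales",
    "198.51.100.7": "eng",
    "203.0.113.9": None,      # client with no unique or group key: wildcard
}

def lookup_psk(peer_ip, group=None):
    """Select the PSK: a unique key wins, then the group key, else the wildcard. Returns (key_id, key)."""
    if peer_ip in PSK_STORE["unique"]:
        return "unique:" + peer_ip, PSK_STORE["unique"][peer_ip]
    if group in PSK_STORE["group"]:
        return "group:" + group, PSK_STORE["group"][group]
    return "wildcard", PSK_STORE["wildcard"]

def proof(key, nonce):
    """Authenticator the peer presents: HMAC-SHA256 of the gateway's nonce under the PSK."""
    return hmac.new(key, nonce, hashlib.sha256).digest()

def authenticate(peer_ip, group, nonce, tag):
    """Verify a peer's proof; return the key_id it proved, or None. A group key proves only group membership."""
    key_id, key = lookup_psk(peer_ip, group)
    return key_id if hmac.compare_digest(proof(key, nonce), tag) else None

def peers_to_rekey(key_id):
    """Blast radius of a compromised key: every roster peer whose lookup resolves to it."""
    return sorted(ip for ip, grp in PEERS.items() if lookup_psk(ip, grp)[0] == key_id)
```

With a wildcard key, `peers_to_rekey("wildcard")` covers every client that has neither a unique nor a group key, which is why the text says all keys must be changed after a compromise.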