Identifying authentication requirements
Planning Your VPN Configuration
2-5
A closer look at CA-based certificates
A VPN implemented using CA-based certificates requires access to a
private or public CA. Each end-point (client, firewall, etc.) in the VPN
retains a private key file that is associated with a public certificate. In
addition, each end-point in the VPN needs the CA root certificate on
its system. Figure 2-3 shows the certificates involved in a VPN using
CA-based certificates.
Figure 2-3. CA-based digital certificate summary
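The following POSIX shell script is an added example, not code from the Sidewinder manual or from Figure 2-3. It uses openssl to build the certificate set the figure describes: a CA root certificate and its private key, then a firewall certificate and a client certificate signed by that CA, each with its own private key. It then runs the check each end-point performs on its peer in IKE Phase 1: the peer's certificate must chain to the CA root certificate the end-point holds, and a well-formed certificate issued by a different CA is rejected. The CA names (Example VPN CA, Rogue CA), the host names firewall.example.net and client01.example.net, the file names and the one-day validity are constructed placeholders; the script writes keys as PEM files and does not reproduce Sidewinder's *.pk key format.

```shell
#!/bin/sh
# Added example, not code from the Sidewinder manual: build the certificate set
# of Figure 2-3 with openssl and check that each end-point certificate chains to
# the CA root. CA names, host names and file names are constructed placeholders.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }

# make_ca DIR CN: self-signed CA root certificate DIR/ca.pem (the *.pem every
# end-point must hold) and the CA private key DIR/ca.key (stays on the CA).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.pem" >/dev/null 2>&1
}

# issue_cert DIR NAME CN: generate the end-point private key DIR/NAME.key (the
# file that never leaves the end-point), build a certificate request, and have
# the CA sign the public certificate DIR/NAME.pem.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$1/$2.csr" \
        -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
        -out "$1/$2.pem" >/dev/null 2>&1
}

# verify_peer CAFILE CERT: the check an end-point performs on the certificate
# its peer presents. Prints "ok" when CERT chains to CAFILE, "untrusted"
# otherwise (including a valid-looking certificate from some other CA).
verify_peer() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo untrusted
    fi
}

# build_vpn_pki DIR: the whole Figure 2-3 workflow in one place: one CA, a
# firewall certificate and a client certificate, all under DIR.
build_vpn_pki() {
    mkdir -p "$1"
    make_ca "$1" "Example VPN CA"
    issue_cert "$1" firewall firewall.example.net
    issue_cert "$1" client01 client01.example.net
}

# Demonstration: build the PKI, then show that a certificate is only trusted
# against the CA root that actually signed it.
work=$(mktemp -d)
build_vpn_pki "$work"
mkdir -p "$work/rogue"
make_ca "$work/rogue" "Rogue CA"
echo "firewall cert against VPN CA root:  $(verify_peer "$work/ca.pem" "$work/firewall.pem")"
echo "client cert against VPN CA root:    $(verify_peer "$work/ca.pem" "$work/client01.pem")"
echo "client cert against rogue CA root:  $(verify_peer "$work/rogue/ca.pem" "$work/client01.pem")"
```

Run it with `sh`; all files land in a fresh temporary directory. The last line is the point of the root certificate requirement in the text: an end-point that holds the wrong CA root cannot distinguish a legitimate peer from any other certificate holder, so the root must be distributed to each end-point by the administrator, as the figure shows.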
Understanding pre-shared key authentication
A pre-shared key (referred to as a shared password by Sidewinder) is
an alphanumeric string—from eight to 54 characters—that can replace
a digital certificate as the means of identifying a communicating party
during a Phase 1 IKE negotiation. This key/password is called
"pre-shared" because you must share it with the other party before you
can communicate with them over a secure connection. Once you both
have this key/password, each of you enters it into your respective
IPSec-compliant device (e.g., firewall or software client).
Using a pre-shared key/password for authentication is the easiest type
of VPN association to configure.
IMPORTANT:
You should only use this method along with Extended Authentication.
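The script below is an added example, not code from the Sidewinder manual. It enforces the pre-shared key rules stated above (alphanumeric, eight to 54 characters) as a check, and generates a key that meets them from the system random source so that the same value can be entered on both IPSec devices. The 32-character default length is a constructed choice for this example, not a Sidewinder setting.

```shell
#!/bin/sh
# Added example, not code from the Sidewinder manual: enforce the stated
# pre-shared key rules (alphanumeric, 8 to 54 characters) and generate a key
# that meets them. The 32-character default is a constructed choice.
set -e

# check_psk KEY: return 0 when KEY is 8 to 54 alphanumeric characters,
# 1 otherwise.
check_psk() {
    len=${#1}
    [ "$len" -ge 8 ] && [ "$len" -le 54 ] || return 1
    case $1 in
        *[!A-Za-z0-9]*) return 1 ;;   # any non-alphanumeric character
    esac
    return 0
}

# gen_psk [LEN]: print LEN random alphanumeric characters (default 32) drawn
# from /dev/urandom; both parties enter this same value on their devices.
gen_psk() {
    n=${1:-32}
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "$n"
}

# Demonstration: a generated key passes; two typical mistakes are rejected.
key=$(gen_psk)
check_psk "$key" && echo "generated key accepted: $key"
check_psk "short1" || echo "rejected: fewer than eight characters"
check_psk "pass word" || echo "rejected: contains a non-alphanumeric character"
```

The check only enforces the length and character-set rules the text gives; it does not make a pre-shared key a substitute for the Extended Authentication the note above requires.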
Figure 2-3 (image not reproduced) shows the Sidewinder firewall between the
Internet and the Protected Network, together with a private CA server (this
could be a public CA server not in the network) and a Soft-PK client. Each
party holds the CA root certificate (*.pem) and its own certificate (firewall
certificate, client certificate); the client also holds its private key (*.pk).
The administrator steps labeled in the figure are: admin requests the CA root
certificate; admin requests the firewall certificate; admin provides the CA
root certificate to the client (or instructions to obtain it); admin provides
the client key/certificate to the client (or instructions to obtain it).