14.1.2.11.2 Connection with Client
14.1.2.11.2-B
Authentication
Authentication method
Please choose the authentication method used by the peer. You can use either an
X.509 certificate based authentication or a preshared key.
Configuring authentication with certificates takes more effort, but this public key
based method is conceptually more secure. Each peer has a private key, which has to
be kept secret, and a corresponding public key, which does not have to be protected.
In contrast, authentication by preshared key can be compared to simple password
authentication. Both peers have to know this key, which of course has to remain secret.
This method is however a bad choice for client connections, as every connection which
involves dynamic IPs has to use the same preshared key.
specified X.509 certificates only
Using this option, the public key of the client must be imported on SX-GATE.
Drawback of this method: whenever the peer changes its certificate (e.g. after
expiration), the new public key has to be imported before the VPN connection can
be reestablished. The administration effort increases with the number of peers.
A certificate is only valid for a certain period of time (e.g. 1 year).
If you still want to use this option, please create a similar connection for each
client and import the corresponding certificate.
any certificate signed by trusted CA
This is the commonly used and recommended way for certificate based
authentication. The client is accepted if it presents a certificate which has been
issued by a Certificate Authority (CA) trusted by SX-GATE. The trusted CA is
configured at "Modules > Network > Settings".
SX-GATE's VPN server certificate must have been issued by the same CA;
otherwise authentication will fail.
As the client's certificate is not installed on SX-GATE, it can be renewed at any
time without local changes. The only requirement is that the new certificate also
has to be issued by the trusted CA.
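The following is an added example, not SX-GATE code: it builds a throw-away CA and a few certificates with openssl and checks which peer certificates the "any certificate signed by trusted CA" policy would accept. All CA names, peer names and paths are constructed for the demonstration.

```shell
#!/bin/sh
# Demo of the trusted-CA acceptance rule (constructed names, temporary files only).
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <name>: self-signed CA certificate, e.g. the CA SX-GATE is configured to trust
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$1" 2>/dev/null
}

# issue_cert <name> <ca-name> <days>: generate a key and CSR, sign it with the given CA
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -CAcreateserial -days "$3" -out "$WORK/$1.pem" 2>/dev/null
}

# accepted_by_ca <ca-name> <cert-name>: succeeds only if the certificate chains to
# that CA and is within its validity period, i.e. what the gateway policy checks.
accepted_by_ca() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

make_ca trusted-ca                      # configured under Modules > Network > Settings
make_ca other-ca                        # a CA the gateway does not trust
issue_cert vpn-server trusted-ca 365    # the gateway's own VPN server certificate
issue_cert client-ok  trusted-ca 90     # a client; may be renewed later without any import
issue_cert client-bad other-ca  90      # a client certificate from a foreign CA

for c in vpn-server client-ok client-bad; do
    if accepted_by_ca trusted-ca "$c"; then state=accepted; else state=rejected; fi
    printf '%-11s %s (%s)\n' "$c" "$state" \
        "$(openssl x509 -in "$WORK/$c.pem" -noout -enddate)"
done
```

Re-running issue_cert for client-ok with a fresh key shows the renewal case: the new certificate is accepted although nothing on the verifying side changed.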