7 IPsec VPN 124
Advantages of certificates
The principal advantage of certificates is the added flexibility. Many VPN clients can be managed without having the same pre-shared key configured on all of them, which is otherwise often the case when pre-shared keys are used with roaming clients. Instead, should a client be compromised, that client's certificate can simply be revoked; there is no need to reconfigure every client.
Disadvantages of certificates
The principal disadvantage of certificates is the added complexity. Certificate-based authentication may be used as part of a larger public key infrastructure, making all VPN clients and gateways dependent on third parties. In other words, there are more aspects that have to be configured, and there is more that can go wrong.

Note: IKEv2 does not support self-signed certificates.
IPsec protocols (ESP/AH)
The IPsec protocols are the protocols used to protect the actual traffic being passed through the VPN. The actual protocols used, and the keys used with those protocols, are negotiated by IKE. There are two protocols associated with IPsec, AH and ESP. These are covered in the sections below.
AH (Authentication Header)
AH is a protocol used for authenticating a data stream. AH is not currently supported by the SEG.
Figure 8. The AH protocol
AH uses a cryptographic hash function to produce a MAC from the data in the IP packet. This MAC is then transmitted with the packet, allowing the remote endpoint to verify the integrity of the original IP packet and so make sure the data has not been tampered with on its way through the Internet. Apart from the IP packet data, AH also authenticates parts of the IP header.

The AH protocol inserts an AH header after the original IP header. In tunnel mode, the AH header is inserted after the outer header, but before the original, inner IP header.
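The following is an added example, not code from the manual or from the SEG, showing how the AH header is placed after the IP header and how the MAC (ICV) is computed over the payload, the AH header with its ICV zeroed, and the IP header with the fields that change in transit zeroed; the key, SPI and addresses are constructed sample values, and the integrity algorithm assumed is HMAC-SHA1-96 as specified in RFC 4302.

```python
import hashlib
import hmac
import struct

# Constructed sample values (not from the manual): demo key and SPI.
KEY = b"constructed-demo-key-not-for-real-use"
SPI = 0x1001
ICV_LEN = 12            # HMAC-SHA1-96: 20-byte HMAC truncated to 96 bits
AH_PROTO = 51           # IP protocol number for AH
AH_FIXED_LEN = 12       # Next Header, Payload Len, Reserved, SPI, Sequence Number

def ipv4_header(src, dst, proto, total_len, ttl=64, tos=0):
    """Minimal 20-byte IPv4 header (header checksum left at 0 for brevity)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0x4000,
                       ttl, proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))

def zero_mutable(ip_hdr):
    """Zero the IPv4 fields AH treats as mutable: TOS, flags/fragment offset, TTL, checksum."""
    h = bytearray(ip_hdr)
    h[1] = 0; h[6:8] = b"\x00\x00"; h[8] = 0; h[10:12] = b"\x00\x00"
    return bytes(h)

def ah_header(next_hdr, spi, seq, icv):
    """AH header: Payload Len is the AH length in 32-bit words minus 2 (RFC 4302)."""
    payload_len = (AH_FIXED_LEN + len(icv)) // 4 - 2
    return struct.pack("!BBHII", next_hdr, payload_len, 0, spi, seq) + icv

def build_ah_packet(src, dst, next_hdr, payload, seq, key=KEY):
    """Outer IP | AH | payload. For tunnel mode, payload starts with the inner IP header."""
    ip = ipv4_header(src, dst, AH_PROTO, 20 + AH_FIXED_LEN + ICV_LEN + len(payload))
    ah_zero = ah_header(next_hdr, SPI, seq, b"\x00" * ICV_LEN)
    icv = hmac.new(key, zero_mutable(ip) + ah_zero + payload, hashlib.sha1).digest()[:ICV_LEN]
    return ip + ah_header(next_hdr, SPI, seq, icv) + payload

def verify_ah_packet(pkt, key=KEY):
    """Recompute the ICV the way the receiving endpoint does and compare in constant time."""
    ip, rest = pkt[:20], pkt[20:]
    ah_len = (rest[1] + 2) * 4
    ah, payload = rest[:ah_len], rest[ah_len:]
    icv = ah[AH_FIXED_LEN:]
    ah_zero = ah[:AH_FIXED_LEN] + b"\x00" * len(icv)
    expected = hmac.new(key, zero_mutable(ip) + ah_zero + payload, hashlib.sha1).digest()[:len(icv)]
    return hmac.compare_digest(icv, expected)

def with_byte(pkt, index, value):
    """Return a copy of pkt with one byte changed (simulates in-transit modification)."""
    b = bytearray(pkt); b[index] = value
    return bytes(b)
```

A TTL change survives verification because TTL is excluded from the MAC, while any change to the payload or to the authenticated header fields fails it.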