My company uses RSA SecurID authentication for dial-up remote access. Can we continue to use this with an IPsec VPN?
The Internet Key Exchange (IKE) standard used with IPsec only supports peer device authentication by pre-shared keys, raw digital signatures, or digital certificates. However, most IPsec VPN products implement extensions to support "legacy" user authentication, including weak username/password logins and stronger two-factor token methods like SecurID.
Most IPsec VPN products use one of two common alternatives to support user authentication: Extended Authentication (XAUTH) or the Layer Two Tunneling Protocol (L2TP) over IPsec.
L2TP over IPsec is implemented by the native Microsoft VPN client in Windows 2000, XP, and 2003. Add-on L2TP over IPsec clients are also available for most other operating systems. You'll also need a VPN gateway that supports L2TP over IPsec. In this approach, an IPsec connection is first established in transport mode. User authentication then occurs using L2TP (UDP/1701), which is encrypted by sending it over the IPsec transport.
XAUTH is implemented by most non-Microsoft VPN clients and VPN remote access concentrators. XAUTH inserts a non-standard exchange in the middle of the IKE protocol, after peer authentication but before the IPsec tunnel is established. XAUTH is vulnerable when used with group passwords that are easily guessed -- to learn more, read this Cisco advisory or this article by John Pliam. However, when XAUTH is combined with a strong group secret or certificate and two-factor user authentication, the risk is much lower.
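To make the XAUTH step concrete, here is an added example (not code from the original answer or from any VPN vendor) that encodes and parses the mode-config attribute payload in which a gateway requests, and a client returns, a username and one-time passcode such as a SecurID passcode. The attribute numbers are those from the XAUTH Internet Draft; the request identifier, user name and passcode are constructed sample values, and the gateway-side acceptance check is this example's own illustration of refusing a fallback to a static password, not a rule the draft imposes.

```python
import struct

# Mode-config attribute types from draft-beaulieu-ike-xauth. These payloads ride inside
# ISAKMP exchange type 6 (Transaction), encrypted under the Phase 1 SA; OTP is the XAUTH
# type a SecurID passcode flow uses.
XAUTH_TYPE, XAUTH_USER_NAME, XAUTH_USER_PASSWORD, XAUTH_PASSCODE = 16520, 16521, 16522, 16523
XAUTH_TYPE_OTP = 2
CFG_REQUEST, CFG_REPLY = 1, 2  # mode-config message types

def encode_attrs(attrs):
    """RFC 2408 s3.3 data attributes: AF bit set = 2-byte value, else 2-byte length + value."""
    return b"".join(struct.pack("!HH", t | 0x8000, v) if isinstance(v, int)
                    else struct.pack("!HH", t, len(v)) + v for t, v in attrs)

def decode_attrs(data):
    attrs, pos = {}, 0
    while pos + 4 <= len(data):
        atype, second = struct.unpack_from("!HH", data, pos)
        pos += 4
        if atype & 0x8000:            # TV form: 'second' is the value
            attrs[atype & 0x7FFF] = second
        else:                         # TLV form: 'second' is the length
            attrs[atype] = data[pos:pos + second]
            pos += second
    return attrs

def build_cfg_payload(cfg_type, ident, attrs):
    """Attribute payload: next(1) rsvd(1) length(2) type(1) rsvd(1) identifier(2) attrs."""
    body = encode_attrs(attrs)
    return struct.pack("!BBHBBH", 0, 0, 8 + len(body), cfg_type, 0, ident) + body

def parse_cfg_payload(payload):
    _, _, length, cfg_type, _, ident = struct.unpack_from("!BBHBBH", payload, 0)
    return cfg_type, ident, decode_attrs(payload[8:length])

def gateway_request(ident=7):  # constructed identifier; empty attributes mean "fill in"
    return build_cfg_payload(CFG_REQUEST, ident, [(XAUTH_TYPE, XAUTH_TYPE_OTP),
                                                  (XAUTH_USER_NAME, b""), (XAUTH_PASSCODE, b"")])

def client_reply(request, username, passcode):
    _, ident, attrs = parse_cfg_payload(request)
    return build_cfg_payload(CFG_REPLY, ident, [(XAUTH_TYPE, attrs[XAUTH_TYPE]),
                             (XAUTH_USER_NAME, username.encode()), (XAUTH_PASSCODE, passcode.encode())])

def gateway_accepts(request, reply):
    """Take only a REPLY echoing the request id and OTP type with user name and passcode
    present; a reply that instead carries a static XAUTH_USER_PASSWORD is refused."""
    _, req_id, _ = parse_cfg_payload(request)
    cfg_type, ident, a = parse_cfg_payload(reply)
    return (cfg_type == CFG_REPLY and ident == req_id and a.get(XAUTH_TYPE) == XAUTH_TYPE_OTP
            and XAUTH_USER_PASSWORD not in a and bool(a.get(XAUTH_USER_NAME)) and bool(a.get(XAUTH_PASSCODE)))
```

Whatever the passcode's strength, these bytes are only as private as the Phase 1 peer authentication that encrypts them, which is why the group secret or certificate still matters.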
The IETF is now working on a new version of IKE that will provide native support for a variety of user authentication methods, including generic token cards. To learn more, see the latest IKEv2 Internet Draft.