Ask the Expert

My company uses RSA SecurID authentication for dial-up remote access. Can we continue to use this w

My company uses RSA SecurID authentication for dial-up remote access. Can we continue to use this with an IPsec VPN?

    Requires Free Membership to View

The Internet Key Exchange (IKE) standard used with IPsec only supports peer device authentication by pre-shared keys, raw digital signatures, or digital certificates. However, most IPsec VPN products implement extensions to support "legacy" user authentication, including weak username/password logins and stronger two-factor token methods like SecurID.

Most IPsec VPN products use one of two common alternatives to support user authentication: Extended Authentication (XAUTH) or the Layer Two Tunneling Protocol (L2TP) over IPsec.

  • L2TP over IPsec is implemented by the native Microsoft VPN client in Windows 2000, XP, and 2003. Add-on L2TP over IPsec clients are also available for other most other operating systems. You'll also need a VPN gateway that supports L2TP over IPsec. In this approach, an IPsec connection is first established in transport mode. User authentication occurs using L2TP (UDP/1701), which is encrypted by sending it over the IPsec transport.

  • XAUTH is implemented by most non-Microsoft VPN clients and VPN Remote Access Concentrators. XAUTH inserts a non-standard exchange in the middle of the IKE protocol, after peer authentication but before the IPsec tunnel is established. XAUTH is vulnerable when used with group passwords that are easily guessed -- to learn more, read this Cisco advisory or article by John Pliam. However, when XAUTH is combined with a strong group secret or certificate and two-factor user authentication, risk is much lower.

    The IETF is now working on a new version of IKE that will provide native support for a variety of user authentication methods, including generic token cards. To learn more, see the latest IKEv2 Internet Draft.

  • This was first published in July 2004

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: