EXPERT RESPONSE
The Internet Key Exchange (IKE) standard used with IPsec only supports peer device authentication by pre-shared keys, raw digital signatures, or digital certificates. However, most IPsec VPN products implement extensions to support "legacy" user authentication, including weak username/password logins and stronger two-factor token methods like SecurID.
Most IPsec VPN products use one of two common alternatives to support user authentication: Extended Authentication (XAUTH) or the Layer Two Tunneling Protocol (L2TP) over IPsec.
L2TP over IPsec is implemented by the native Microsoft VPN client in Windows 2000, XP, and 2003. Add-on L2TP over IPsec clients are also available for other most other operating systems. You'll also need a VPN gateway that supports L2TP over IPsec. In this approach, an IPsec connection is first established in transport mode. User authentication occurs using L2TP (UDP/1701), which is encrypted by sending it over the IPsec transport.
XAUTH is implemented by most non-Microsoft VPN clients and VPN Remote Access Concentrators. XAUTH inserts a non-standard exchange in the middle of the IKE protocol, after peer authentication but before the IPsec tunnel is established. XAUTH is vulnerable when used with group passwords that are easily guessed -- to learn more, read this Cisco advisory or article by John Pliam. However, when XAUTH is combined with a strong group secret or certificate and two-factor user authentication, risk is much lower.
The IETF is now working on a new version of IKE that will provide native support for a variety of user authentication methods, including generic token cards. To learn more, see the latest IKEv2 Internet Draft.
|
