Most IPsec VPN products use one of two common alternatives to support user authentication: Extended Authentication (XAUTH) or the Layer Two Tunneling Protocol (L2TP) over IPsec.
- L2TP over IPsec is implemented by the native Microsoft VPN client in Windows 2000, XP, and 2003. Add-on L2TP over IPsec clients are also available for most other operating systems. You'll also need a VPN gateway that supports L2TP over IPsec. In this approach, an IPsec connection is first established in transport mode. User authentication then occurs using L2TP (UDP/1701), which is encrypted by sending it over that IPsec transport.
- XAUTH is implemented by most non-Microsoft VPN clients and VPN Remote Access Concentrators. XAUTH inserts a non-standard exchange in the middle of the IKE protocol, after peer authentication but before the IPsec tunnel is established. XAUTH is vulnerable when used with group passwords that are easily guessed -- to learn more, read this Cisco advisory or this article by John Pliam. However, when XAUTH is combined with a strong group secret or certificate and two-factor user authentication, the risk is much lower.
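The L2TP over IPsec description above has an observable consequence for defenders: because the IPsec transport-mode SA comes first and L2TP rides inside it, UDP/1701 should never be visible in the outer headers of VPN traffic. Any L2TP seen in the clear means the IPsec layer was skipped or bypassed, so user authentication is exposed. The following audit script is an added example and is not part of the original answer; it works over constructed flow records (an assumed `Flow` shape of source, destination, outer protocol and destination port) and uses only the standard port and protocol numbers for IKE (UDP/500), NAT-T ESP (UDP/4500), ESP (IP protocol 50) and L2TP (UDP/1701).

```python
"""Audit flow records for L2TP that is not carried inside IPsec.

Added example, not code from the original answer. The flow records below are
constructed. Port and protocol numbers are the standard ones: IKE on UDP/500,
UDP-encapsulated ESP (NAT-T) on UDP/4500, native ESP as IP protocol 50, and
L2TP on UDP/1701.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

IKE_PORT = 500
NAT_T_PORT = 4500
L2TP_PORT = 1701


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # outer IP protocol as seen on the wire: "udp" or "esp"
    dport: int   # UDP destination port; 0 for esp


def _peers(flow: Flow) -> FrozenSet[str]:
    # Direction-agnostic key for a pair of peers.
    return frozenset({flow.src, flow.dst})


def _is_ipsec_sa_traffic(flow: Flow) -> bool:
    # ESP, native or UDP-encapsulated for NAT traversal, means an IPsec SA
    # is actually carrying traffic between the two peers.
    return flow.proto == "esp" or (flow.proto == "udp" and flow.dport == NAT_T_PORT)


def audit_l2tp(flows: List[Flow]) -> List[Dict[str, str]]:
    """Return one finding per L2TP flow visible in the outer headers.

    With L2TP over IPsec set up correctly, the transport-mode SA is established
    first and L2TP is carried inside it, so UDP/1701 never appears on the wire.
    Every visible UDP/1701 flow is therefore cleartext L2TP; the finding's
    reason records how far IPsec got for that peer pair.
    """
    protected_pairs: Set[FrozenSet[str]] = {
        _peers(f) for f in flows if _is_ipsec_sa_traffic(f)
    }
    ike_pairs: Set[FrozenSet[str]] = {
        _peers(f) for f in flows if f.proto == "udp" and f.dport == IKE_PORT
    }
    findings: List[Dict[str, str]] = []
    for f in flows:
        if not (f.proto == "udp" and f.dport == L2TP_PORT):
            continue
        pair = _peers(f)
        if pair in protected_pairs:
            reason = "l2tp-outside-existing-ipsec-sa"  # SA exists, but L2TP bypassed it
        elif pair in ike_pairs:
            reason = "l2tp-after-ike-without-esp"      # IKE seen, no ESP: fallback to plain L2TP
        else:
            reason = "l2tp-without-any-ipsec"          # no IPsec attempted at all
        findings.append({"src": f.src, "dst": f.dst, "reason": reason})
    return findings


# Constructed sample: four remote clients talking to one VPN gateway.
GATEWAY = "198.51.100.1"
SAMPLE_FLOWS = [
    # Client A: correct L2TP over IPsec. IKE, then ESP; L2TP stays invisible.
    Flow("203.0.113.10", GATEWAY, "udp", IKE_PORT),
    Flow("203.0.113.10", GATEWAY, "esp", 0),
    # Client B: IKE ran, no ESP followed, then L2TP in the clear.
    Flow("203.0.113.20", GATEWAY, "udp", IKE_PORT),
    Flow("203.0.113.20", GATEWAY, "udp", L2TP_PORT),
    # Client C: NAT-T ESP is present, yet L2TP also appears outside it.
    Flow("203.0.113.30", GATEWAY, "udp", IKE_PORT),
    Flow("203.0.113.30", GATEWAY, "udp", NAT_T_PORT),
    Flow("203.0.113.30", GATEWAY, "udp", L2TP_PORT),
    # Client D: plain L2TP with no IPsec at all.
    Flow("203.0.113.40", GATEWAY, "udp", L2TP_PORT),
]

if __name__ == "__main__":
    for finding in audit_l2tp(SAMPLE_FLOWS):
        print(f"{finding['src']} -> {finding['dst']}: {finding['reason']}")
```

Run against real data, the same logic applies to NetFlow or firewall logs summarised into the `Flow` shape; the useful signal is not the count of findings but the "after-ike-without-esp" class, which points at clients whose IKE negotiation failed and which then fell back to sending L2TP unprotected.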
The IETF is now working on a new version of IKE that will provide native support for a variety of user authentication methods, including generic token cards. To learn more, see the latest IKEv2 Internet Draft.
Related Q&A from Lisa Phifer