I have two scenarios which I would like to hear your comments about:
This is in regards to configuration of IKEV1 and IKEV2 in two different profiles and comparing their security level.
When configuring IKEV1, I use shared secret keys. A client must know this secret key to be able to VPN to a server.
When configuring IKEV2, I use identity certificates in the ASA for the users to authenticate the server identity, but I do not configure SCEP for the server to authenticate the clients. In this scenario there is no secret key configured (IKEV2 does not allow for secret keys but ONLY certificates) so any client can VPN to the server if it accepts the server certificate.
Both of the above configs are only for IPSEC. I am not talking about any SSL VPN.
I know that implementing SCEP would be ideal and better security, but my question is only to compare the above two scenarios.
- RFC mandated certificate authentication for IKEv2 remote access users. You can still use pre-shared keys for other types. Certificate auth mandates that both sides present a certificate to authenticate each other.
- SCEP is not a security mechanism per se, it's a way to enroll certificates (plus a few added functions).
- Certificates are more secure than PSK in many ways (as long as private keys remain private ;])
- You should still perform normal EAP authentication for remote access users.
I have configured an ASA with IPSEC IKEV2 remote access VPN where only server authentication through "Identity certificate" is required. The steps I have done:
- created a CSR on the ASA
- sent it to public CA and received the cert and installed it on the ASA
- Installed the CA's cert chain on the client computer.
So if I understand correctly, this allows only for server authentication which works perfectly. You mention that mutual authentication of server and client is an "RFC mandate". (If I understand it correctly) so is it that Cisco's implementation is not compliant with RFC mandate?
And although the above configuration is using certificates, it is still weaker security compared to PSK because it is only one way authentication (only server authentication). Is this right? Do you understand this the same way I understand?
Now if I plan to implement two-way or mutual authentication of both server and client, I have either to use the ASA as Certificate Authority to authenticate clients or use another PKI infrastructure (like Windows servers) to do the client authentication. This way I believe would be the most secure and of course costs more in terms of setting a PKI infrastructure. Any comment or any other way of doing it?
this reason, these protocols are typically used to authenticate the
initiator to the responder and MUST be used in conjunction with a
public key signature based authentication of the responder to the