2.7.2. Methods of Authentication

It is necessary to have a pre-shared key/password/pass phrase or an X.509 certificate before trying to configure a Roadwarrior or Net-to-Net VPN connection. These are methods of authentication, which identify the user trying to access the VPN. They will be required in the VPN configuration stage.

2.7.2.1. Pre-shared Key

The pre-shared key authentication method, or PSK, is a very simple method that allows VPN connections to be set up quickly. For this method, you enter an authentication phrase. This can be any character string, similar to a password. This phrase must be available for authentication on both IPCop and the VPN client.

The PSK method involves fewer steps than certificate authentication. It can be used to test connectivity of a VPN and to become familiar with the procedure of establishing a VPN connection.

The pre-shared key method should not be used with Roadwarrior connections, as all roadwarriors must use the same pre-shared key.

2.7.2.2. X.509 Certificates

X.509 certificates are a very secure way of connecting VPN servers. To implement X.509 certificates you must either generate or set up the certificates on IPCop or use another certification authority on your network.

X.509 Terminology

X.509 certificates on IPCop and many other implementations are manipulated and controlled by OpenSSL. SSL, or the Secure Sockets Layer, has its own terminology.

X.509 certificates, depending on their type, may contain public and private encryption keys, pass phrases and information about the entity they refer to. These certificates are meant to be validated by Certification Authorities (Certificate Authorities) or CAs. When used by web browsers, the CA certificates of the major, paid-for CAs are compiled into the browsers. To validate a host certificate, the certificate is passed to the appropriate CA to perform validation. On private networks or unique hosts, the CA may reside on a local host. In IPCop's case, this is the IPCop firewall itself.

Certification requests are requests for X.509 certificates that are passed to CAs. The CA in turn generates an X.509 certificate by signing the request and returns it to the requesting entity. This certificate will be known to the CA, since the CA signed it.

You will see that X.509 certificates and requests can be stored on your hard drive in three different formats, usually identified by their extensions. PEM format is the default for OpenSSL. It can contain all the information associated with certificates in printable format. DER format contains just the key information and not any extra X.509 information. This is the default format for most browsers. PEM format wraps headers around DER format keys. PKCS#12, PFX or P12 certificates contain the same information as PEM files in binary format. Using the openssl command, PEM and PKCS#12 files can be converted from one format to the other.

To use a certificate, you must also import it into the other side's CA. The IPsec implementation on IPCop contains its own built-in CA. CAs may also run on roadwarriors' machines.

If the roadwarrior's IPsec implementation does not have CA capabilities, you can generate a certificate request, import it into IPCop so that IPCop's CA can sign it, export the resulting certificate and import it into the originating roadwarrior's IPsec software.
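
The request, sign and convert steps described above can be tried with the openssl command. This is an added example, not part of the IPCop documentation: a throwaway CA stands in for IPCop's built-in CA, and all subjects, file names and the pass phrase are constructed. It checks that the PEM, DER and PKCS#12 files hold the same certificate.

```sh
#!/bin/sh
# Added example: subjects, file names and the pass phrase are constructed.
# The throwaway CA stands in for IPCop's built-in CA, which signs via its own interface.
PASS="pass:constructed-example"

make_ca() {        # $1 = work dir: CA key and self-signed CA certificate (PEM)
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example/CN=Example Test CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

make_request() {   # roadwarrior side: private key and certification request
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=Example/CN=roadwarrior1" \
        -keyout "$1/rw.key" -out "$1/rw.csr" 2>/dev/null
}

sign_request() {   # CA side: signing the request yields the certificate
    openssl x509 -req -in "$1/rw.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$1/rw.pem" 2>/dev/null
}

convert_formats() {
    # PEM -> DER (certificate only)
    openssl x509 -in "$1/rw.pem" -outform DER -out "$1/rw.der" &&
    # PEM certificate + key + CA certificate -> PKCS#12 bundle
    openssl pkcs12 -export -in "$1/rw.pem" -inkey "$1/rw.key" \
        -certfile "$1/ca.pem" -passout "$PASS" -out "$1/rw.p12" &&
    # PKCS#12 -> PEM, extracting only the client certificate
    openssl pkcs12 -in "$1/rw.p12" -passin "$PASS" -nokeys -clcerts \
        -out "$1/rw_from_p12.pem" 2>/dev/null
}

fingerprint() {    # $1 = file, $2 = PEM (default) or DER
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256
}

roundtrip() {      # returns 0 when all three encodings hold the same certificate
    d=$(mktemp -d) || return 1
    make_ca "$d" && make_request "$d" && sign_request "$d" && convert_formats "$d" || return 1
    openssl verify -CAfile "$d/ca.pem" "$d/rw.pem" >/dev/null || return 1
    fp=$(fingerprint "$d/rw.pem")
    [ "$fp" = "$(fingerprint "$d/rw.der" DER)" ] &&
        [ "$fp" = "$(fingerprint "$d/rw_from_p12.pem")" ]
    rc=$?; rm -rf "$d"; return $rc
}

roundtrip && echo "same certificate in PEM, DER and PKCS#12"
```

The private key rw.key never leaves the requesting side in this flow; only the request and the signed certificate are exchanged with the CA.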