VPN Authentication - IPsec VPN Tutorial Guide



Authentication is used to prove that a user or entity is allowed access, and so it provides a form of access control. For example, when you log on to your Windows desktop and specify a username and password at the logon screen, you are authenticating yourself: you are telling Windows that you are a valid user, and you prove it by providing a username and password.

Generally speaking, there are two types of authentication methods used between site-to-site VPN gateways: pre-shared keys and digital signatures. With a pre-shared key, two organisations that want to set up a VPN tunnel between each other configure the same key on both of their VPN devices so that the devices can authenticate to each other. Although this is not a scalable option in large networks, the majority of VPN requirements are simple site-to-site deployments between two parties, and for those a pre-shared key is more than sufficient and simple to set up. A pre-shared key is like a password made up of multiple random characters, shared between the parties that are creating a VPN tunnel between their VPN devices; the longer and more complex the key, the more secure it is.
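To show what "authenticating with a pre-shared key" means in practice, the following is an added example (not code from this tutorial or from any VPN product) that models, in simplified form, how two gateways can each prove knowledge of the same pre-shared key without ever sending the key itself. Each side contributes a fresh nonce, derives session key material from the PSK and both nonces, and then sends an HMAC over its identity and the nonces; the other side recomputes the tag and compares it. The peer identities, the derivation formula and the message layout are assumptions chosen for illustration and are not the exact IKE phase 1 message format; the PSK generator at the end is also part of the example.

```python
"""Simplified pre-shared-key mutual authentication between two VPN peers.

Added illustration, not part of the original tutorial. The exchange is a
hypothetical, reduced model of PSK-based IKE phase 1 authentication: the
PSK never crosses the wire, only nonces, identities and HMAC tags do.
"""
import hashlib
import hmac
import secrets


def derive_skeyid(psk: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Session key material bound to the PSK and to both peers' fresh nonces."""
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha256).digest()


def auth_tag(skeyid: bytes, identity: bytes, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """Proof of key knowledge: an HMAC over the sender's identity and both nonces."""
    return hmac.new(skeyid, identity + nonce_i + nonce_r, hashlib.sha256).digest()


class Peer:
    """One VPN gateway holding an identity and its copy of the pre-shared key."""

    def __init__(self, identity: str, psk: bytes):
        self.identity = identity.encode()
        self.psk = psk
        self.nonce = secrets.token_bytes(32)  # fresh per exchange, prevents replay

    def tag(self, nonce_i: bytes, nonce_r: bytes) -> bytes:
        skeyid = derive_skeyid(self.psk, nonce_i, nonce_r)
        return auth_tag(skeyid, self.identity, nonce_i, nonce_r)

    def verify(self, peer_identity: bytes, peer_tag: bytes,
               nonce_i: bytes, nonce_r: bytes) -> bool:
        skeyid = derive_skeyid(self.psk, nonce_i, nonce_r)
        expected = auth_tag(skeyid, peer_identity, nonce_i, nonce_r)
        # Constant-time comparison so tag verification does not leak timing
        return hmac.compare_digest(expected, peer_tag)


def run_exchange(initiator_psk: bytes, responder_psk: bytes) -> bool:
    """Return True only if both gateways successfully authenticate each other."""
    # Hypothetical peer identities for the example
    initiator = Peer("hq-fw.example", initiator_psk)
    responder = Peer("branch-fw.example", responder_psk)

    # Messages 1 and 2: nonces are exchanged in the clear
    ni, nr = initiator.nonce, responder.nonce

    # Message 3: initiator sends its identity and tag; responder checks it
    tag_i = initiator.tag(ni, nr)
    responder_accepts = responder.verify(initiator.identity, tag_i, ni, nr)

    # Message 4: responder sends its identity and tag; initiator checks it
    tag_r = responder.tag(ni, nr)
    initiator_accepts = initiator.verify(responder.identity, tag_r, ni, nr)

    return responder_accepts and initiator_accepts


def generate_psk(n_bytes: int = 32) -> str:
    """Produce a long random pre-shared key from the OS CSPRNG (not a typed password)."""
    return secrets.token_urlsafe(n_bytes)


if __name__ == "__main__":
    shared = generate_psk().encode()
    print("matching keys  ->", run_exchange(shared, shared))      # True
    print("mismatched keys ->", run_exchange(shared, b"other-key"))  # False
```

The two gateways only ever exchange nonces and HMAC tags, so an observer on the path learns nothing about the key except that both ends possess it, and a gateway configured with a different key fails verification on the first tag it receives. Because the tags are bound to per-exchange nonces, a captured tag cannot be replayed in a later negotiation.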

Using digital certificates is a scalable option; however, the certificates would have to be purchased from a CA (Certification Authority) such as Verisign, GoDaddy and others. That said, it is also possible to use an internal public key infrastructure (PKI). This is a very common scenario where the head office has multiple VPN connections set up to remote branch offices, and all firewalls obtain certificates from the organisation's internal enterprise certificate authority server. A third option is to set up one of the firewalls as an internal certificate authority, which can then generate certificates for both ends of the VPN connection.

Another option for VPN authentication is Xauth (extended authentication), where additional user authentication is required, usually via the LDAP or RADIUS authentication protocols. This is normally used when setting up remote or mobile user VPNs, and it runs at the end of the phase 1 negotiation.

From a general standpoint, authentication is actually part of a three-phase process: identification, authentication and authorisation. In the Windows example, identification is your username; you are identifying yourself to Windows. Once you have identified yourself, Windows needs your password to prove you are who you say you are. This step is the authentication, which proves to Windows that you are in fact 'Joe' and a valid user. Once you are authenticated, Windows gives you access only to the services you are allowed to use, and this is called authorisation. For example, you may be a limited user, and so you would not be able to make administrative changes, change the system controls, or uninstall or reinstall programs. However, as a limited user you are allowed (authorised) to access programs, save your files and folders and browse the internet. If you are authenticating to a domain controller in your office, then you may be authorised to access certain file servers on the network, depending on who you are and which groups you belong to within Active Directory.
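The three phases described above can be separated cleanly in code. The following is an added example (not from the tutorial) of a small logon model: identification is a lookup of the username, authentication is a constant-time check of a salted PBKDF2 password hash, and authorisation is a check of the user's group memberships against the permissions an action requires. The user directory, the passwords, the group names and the permission table are all constructed sample data for the example.

```python
"""Identification, authentication and authorisation as three distinct steps.

Added illustration, not part of the original tutorial. All users, passwords,
groups and permissions below are constructed sample data.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash so stored credentials are not the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(password: str, groups: List[str]) -> Dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "groups": groups}


# Constructed sample directory: the store never holds plaintext passwords
USERS: Dict[str, Dict] = {
    "joe": make_user("joe-sample-password", ["Domain Users"]),
    "alice": make_user("alice-sample-password", ["Domain Users", "Finance"]),
}

# Constructed permission table: which groups are authorised for which action
PERMISSIONS: Dict[str, set] = {
    "browse_internet": {"Domain Users"},
    "read_finance_share": {"Finance"},
    "install_software": {"Administrators"},
}


def identify(username: str) -> Optional[Dict]:
    """Phase 1, identification: who is claiming to log on?"""
    return USERS.get(username)


def authenticate(username: str, password: str) -> bool:
    """Phase 2, authentication: does the claimant hold the secret for that identity?"""
    record = identify(username)
    if record is None:
        return False
    candidate = hash_password(password, record["salt"])
    return hmac.compare_digest(candidate, record["hash"])


def authorise(username: str, action: str) -> bool:
    """Phase 3, authorisation: is the authenticated identity allowed this action?"""
    record = identify(username)
    if record is None:
        return False
    return bool(set(record["groups"]) & PERMISSIONS.get(action, set()))


def access(username: str, password: str, action: str) -> str:
    """Run the three phases in order and report where the request stopped.

    The distinct outcomes are returned here so the example is easy to follow;
    a real logon screen reports one generic failure message so that it does
    not reveal which usernames exist.
    """
    if identify(username) is None:
        return "unknown user"
    if not authenticate(username, password):
        return "authentication failed"
    if not authorise(username, action):
        return "not authorised"
    return "allowed"


if __name__ == "__main__":
    print(access("joe", "joe-sample-password", "browse_internet"))   # allowed
    print(access("joe", "joe-sample-password", "install_software"))  # not authorised
    print(access("joe", "wrong-password", "browse_internet"))        # authentication failed
```

Note that authorisation is never reached unless authentication has succeeded, and a correct password for Joe still does not let him install software: the decision depends on group membership, just as domain group membership in Active Directory decides which file servers a user may reach.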

Further Reading

Wikipedia's guide to Authentication