Can I run a VPN server with certificates only, and no password/pre-shared keys?

0

I've seen several writeups around discussing VPN server configuration. In all of them, there are 2 or 3 pre-shared keys / passwords used at various levels of the tunnel -- one for IPSec, one for L2TP, one for PPP.

This seems silly. I've always been of the opinion, why use a (relatively) tiny, insecure password when you can use a software token of arbitrary length?

At best, though, I've seen the suggestion to use racoon to handle certificate-based authentication at the IPSec layer. That still leaves 2 other layers to worry about. Can I do better? If not, would it be possible / secure to omit the PSK at 2 of the 3 layers and still restrict use to authorized accounts?

I'm specifically looking for something that works well cross-platform, with both mobile and desktop clients. I'm also more concerned with IP masquerading than security, so "best" encryption is not a concern.

James B

Posted 2014-02-07T11:41:30.163

Reputation: 369

Answers

0

If you are open to other VPN solutions, I would recommend an OpenVPN setup; it is much easier to configure, supports certificate authentication, and there are plenty of clients for all platforms.

OpenVPN Website

It ships with easyrsa3 for easy PKI management.

Easy-RSA PKI Setup

With this PKI setup you can generate the certificates for the server and all clients and distribute them in PKCS12 format.

It is much easier to set up and maintain than any IPSec implementation I have seen so far.

os_1

Posted 2014-02-07T11:41:30.163

Reputation: 76
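As an added example (not part of the answer above, and not Easy-RSA's or OpenVPN's own code), the script below shows what "certificates only" looks like end to end: it builds a throwaway CA with plain openssl in place of the Easy-RSA workflow, issues a server and a client certificate with the right extended key usages, bundles the client as PKCS#12, writes an OpenVPN server and client config that contain no pre-shared key and no `auth-user-pass` directive, and checks that a certificate the CA never signed is rejected. The scratch directory, the CN values, `vpn.example.com`, and the `10.8.0.0/24` pool are all assumptions; every key is generated on the fly as test data.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds a throwaway PKI with
# plain openssl (a stand-in for the Easy-RSA workflow the answer recommends)
# and writes OpenVPN configs that authenticate with certificates only: no
# pre-shared key and no username/password at any layer. Every key, name and
# address below is constructed test data.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (assumption)

# CA + server cert + one client cert, plus a "rogue" self-signed cert that
# our CA never signed, to show what the server must reject.
build_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Test VPN CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # EKU matters: remote-cert-tls makes each side insist on the peer's role.
  printf 'extendedKeyUsage=serverAuth\n' > "$WORK/server.ext"
  printf 'extendedKeyUsage=clientAuth\n' > "$WORK/client1.ext"
  for name in server client1; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
      -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
      -CAcreateserial -days 825 -extfile "$WORK/$name.ext" \
      -out "$WORK/$name.crt" 2>/dev/null
  done
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=rogue" \
    -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" 2>/dev/null
}

# Bundle cert + key + CA as PKCS#12 for distribution, as the answer suggests.
# The export password only protects the file in transit; it plays no part in
# tunnel authentication (the client can load it with a single "pkcs12" line).
export_pkcs12() {
  openssl pkcs12 -export -in "$WORK/client1.crt" -inkey "$WORK/client1.key" \
    -certfile "$WORK/ca.crt" -name client1 -passout pass:transport-only \
    -out "$WORK/client1.p12"
}

# Server and client configs. Note what is absent: no "secret", no
# "tls-auth"/"tls-crypt" (those are static shared keys, optional hardening
# against unauthenticated packets), and no "auth-user-pass".
write_configs() {
  cat > "$WORK/server.conf" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
# ECDH only, no dh.pem needed (OpenVPN 2.4+)
dh none
server 10.8.0.0 255.255.255.0
# every peer must present a CA-signed cert carrying the clientAuth EKU
remote-cert-tls client
verify-client-cert require
keepalive 10 120
persist-key
persist-tun
EOF
  cat > "$WORK/client1.ovpn" <<'EOF'
client
dev tun
proto udp
# placeholder hostname
remote vpn.example.com 1194
nobind
ca ca.crt
cert client1.crt
key client1.key
# refuse to talk to anything but a CA-signed cert with the serverAuth EKU
remote-cert-tls server
persist-key
persist-tun
EOF
}

# What the server does on every handshake: chain the peer cert to our CA.
verify_client() { openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1; }

# True when a config carries no shared-secret or password directive.
config_is_cert_only() {
  ! grep -Eq '^[[:space:]]*(auth-user-pass|secret|tls-auth|tls-crypt)' "$1"
}

demo() {
  build_pki
  write_configs
  export_pkcs12
  verify_client "$WORK/client1.crt" && echo "client1: accepted by our CA"
  verify_client "$WORK/rogue.crt" || echo "rogue: rejected (not signed by our CA)"
  config_is_cert_only "$WORK/server.conf" && echo "server.conf: certificates only"
  echo "artifacts in $WORK"
}
demo
```

Run it as `sh cert-only-vpn.sh` (or with `WORK=/some/dir` to pick the output location); it needs only `openssl`. The point to carry over to a real deployment is the last two checks: the server's only admission test is "does this certificate chain to my CA and carry the client role", so revocation (a CRL via `crl-verify`) is what replaces "change the password" when a laptop goes missing.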