I've seen several writeups around discussing VPN server configuration. In all of them, there are 2 or 3 pre-shared keys / passwords used at various levels of the tunnel -- one for IPSec, one for L2TP, one for PPP.
This seems silly. I've always been of the opinion, why use a (relatively) tiny, insecure password when you can use a software token of arbitrary length?
At best, though, I've seen the suggestion to use racoon to handle certificate-based authentication at the IPSec layer. That still leaves 2 other layers to worry about. Can I do better? If not, would it be possible / secure to omit the PSK at 2 of the 3 layers and still restrict use to authorized accounts?
I'm specifically looking for something that works well cross-platform, with both mobile and desktop clients. I'm also more concerned with IP masquerading than security, so "best" encryption is not a concern.