In some cases the use of certificates for securing VPN connections can be an alternative to the otherwise widespread preshared key (PSK) method:
- Increased security of VPN client connections (with IKE Main Mode): Main Mode cannot be used for PSK connections between peers with dynamic IP addresses, because the responder has no way to select the correct key before the peer's identity is known. In these cases the less secure Aggressive Mode must be used. Certificates allow peers with dynamic IP addresses, such as dial-in computers with the LANCOM Advanced VPN Client, to use Main Mode and thus raise the level of security.
- Higher security of the keys and passwords used: Preshared keys are just as vulnerable as any other password, and the way users handle these passwords is a major factor in the security of the connection. With certificate-based VPN establishment, the keys in the certificates are generated automatically with the desired key length. What's more, random keys generated by computers offer more resistance to attack than preshared keys of the same length chosen by people.
- Possibility of authenticating remote sites: When connecting with certificates, both remote stations must authenticate themselves. The certificates can carry further information that can be used to check the remote site. The validity period of the certificates provides additional protection, e.g. for users who are only supposed to have access for a limited period of time.
- Support for tokens and smartcards: Storing certificates on external media such as tokens and smartcards allows integration into "strong security" environments, since the secrets cannot be read out from computers or networks.
The advantages of certificates have to be weighed against the considerable additional effort of introducing and maintaining a public key infrastructure (PKI).