About public key authentication

You can authenticate a VPN tunnel by exchanging each host's public key with the other. During authentication, each host uses the other host's public key to verify the certificate, signed with the matching private key, that it is passed as the peer's identity credentials.

This configuration doesn't need the Certificate Authority that created either host's certificate to be known to either VPN gateway. This can be useful in many ways:

Note: The use of public key authentication should not be considered a direct replacement for a stringent X.509-based authentication setup. While public key authentication uses some of the same technologies that make up an X.509 solution, it cannot validate certificate authenticity: no CA chain is checked, so the certificate is trusted only because the public key it carries matches the one exchanged out of band. As such, appropriate precautions should be taken when considering this alternative authentication method.
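The following Go program is an added illustration of both points above (the exchanged-public-key check and the note's caveat); it is not code from this product or its documentation. It models two gateways with P-256 keys and self-signed certificates, has one prove possession of its private key by signing a challenge, and contrasts a pinned-key check (accepts the peer only if the presented certificate carries exactly the exchanged public key and the signature verifies under it) with a conventional X.509 chain check against a constructed CA. The host names, the `Scenario` function and the CA are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Host models one VPN gateway: a long-term key pair plus a certificate carrying
// the public half. The layout is illustrative, not any product's API.
type Host struct {
	Key  *ecdsa.PrivateKey
	Cert *x509.Certificate
}

var serial int64 // simple unique serial counter for the constructed certificates

// newHost generates a key pair and a certificate for name. With issuer nil the
// certificate is self-signed (the public key authentication case); otherwise it
// is signed by the issuer's key (the X.509 case).
func newHost(name string, isCA bool, issuer *Host) (*Host, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer != nil {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Host{Key: key, Cert: cert}, nil
}

// prove signs a challenge with the host's private key. Signature and
// certificate together are the identity credentials handed to the peer.
func (h *Host) prove(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, h.Key, digest[:])
}

// verifyWithPinnedKey is the public key authentication check: the presented
// certificate must carry exactly the public key exchanged out of band, and the
// challenge signature must verify under it. No CA is consulted, so the
// certificate's issuer, name and validity period are not validated here.
func verifyWithPinnedKey(pinned *ecdsa.PublicKey, presented *x509.Certificate, challenge, sig []byte) bool {
	pub, ok := presented.PublicKey.(*ecdsa.PublicKey)
	if !ok || !pub.Equal(pinned) {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// verifyWithCA is the X.509 check the note contrasts with: the certificate
// must chain to a CA in roots. A self-signed gateway certificate cannot.
func verifyWithCA(roots *x509.CertPool, presented *x509.Certificate) bool {
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

// Scenario runs both checks over constructed hosts and reports each outcome.
func Scenario() (map[string]bool, error) {
	ca, err := newHost("example-ca", true, nil)
	if err != nil {
		return nil, err
	}
	gatewayA, err := newHost("gateway-a", false, nil) // self-signed; B pins its key
	if err != nil {
		return nil, err
	}
	impostor, err := newHost("gateway-a", false, nil) // same name, different key
	if err != nil {
		return nil, err
	}
	issuedA, err := newHost("gateway-a", false, ca) // CA-issued variant of A
	if err != nil {
		return nil, err
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return nil, err
	}
	sigA, err := gatewayA.prove(challenge)
	if err != nil {
		return nil, err
	}
	sigImp, err := impostor.prove(challenge)
	if err != nil {
		return nil, err
	}
	pinned := &gatewayA.Key.PublicKey
	roots := x509.NewCertPool()
	roots.AddCert(ca.Cert)
	return map[string]bool{
		"pinned_genuine_peer": verifyWithPinnedKey(pinned, gatewayA.Cert, challenge, sigA),
		"pinned_impostor":     verifyWithPinnedKey(pinned, impostor.Cert, challenge, sigImp),
		"pinned_wrong_signer": verifyWithPinnedKey(pinned, gatewayA.Cert, challenge, sigImp),
		"ca_self_signed":      verifyWithCA(roots, gatewayA.Cert),
		"ca_issued":           verifyWithCA(roots, issuedA.Cert),
	}, nil
}

func main() {
	results, err := Scenario()
	if err != nil {
		panic(err)
	}
	for name, ok := range results {
		fmt.Printf("%-20s %v\n", name, ok)
	}
}
```

The pinned-key check rejects a certificate with the same name but a different key, and a genuine certificate accompanied by a signature from the wrong key, because the only thing it trusts is the key itself. The same self-signed certificate fails the CA check outright: that is the gap the note describes, and it is why the pinned key must be exchanged over a channel you already trust and why expiry, naming and revocation have to be handled by other means when this mode is used.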
