About public key authentication

You can authenticate a VPN tunnel by exchanging each host's public key with the other host. During authentication, each host uses the other host's public key to decrypt the certificate (encrypted with the other host's private key) that it is passed as identity credentials.

This configuration doesn't need the Certificate Authority that created either host's certificate to be known to either VPN gateway. This can be useful in many ways:

  • Simplified internal management, using certificates created by an external Certificate Authority.
  • Tunneling between two separate organizations using certificates created by different (possibly external) CAs.
  • Alternative scheme to allow both ends of the tunnel to create their own Certificate Authority and default local certificates. This enables each VPN gateway to manage its own site-to-site and road warrior connections. It achieves the same result as the previous technique described in the Multiple local certificates section.

Note: The use of public key authentication should not be considered a direct replacement for a stringent X.509-based authentication setup. While public key authentication does use some of the same technologies that constitute an X.509 solution, it lacks the ability to validate certificate authenticity. As such, appropriate precautions should be taken when considering implementing this alternative authentication method.
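As an added illustration (not part of this documentation or the product's own code), the following Go sketch models the exchange described above and the caveat in the note: a gateway accepts the peer's self-signed certificate only because the peer's public key was exchanged out of band and the peer proves possession of the matching private key, while standard X.509 path validation of the very same certificate fails because no CA is trusted. Ed25519 keys, the signed-nonce proof of possession (standing in for the private-key-encrypted credential the text describes) and all function names are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// newSelfSigned creates a gateway's self-signed certificate and key pair; no CA is involved.
func newSelfSigned(name string) (*x509.Certificate, ed25519.PublicKey, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, pub, priv, err
}

// signNonce is the peer's proof of possession: the challenge nonce signed with its private key (assumed scheme).
func signNonce(priv ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(priv, nonce) }

// verifyPeer accepts the presented certificate only if it carries the key exchanged
// out of band and the nonce signature verifies under it. No CA chain is consulted.
func verifyPeer(pinned ed25519.PublicKey, presented *x509.Certificate, nonce, sig []byte) error {
	certPub, ok := presented.PublicKey.(ed25519.PublicKey)
	if !ok || !certPub.Equal(pinned) {
		return errors.New("certificate does not carry the pinned public key")
	}
	if !ed25519.Verify(pinned, nonce, sig) {
		return errors.New("peer did not prove possession of the private key")
	}
	return nil
}

// chainValidates shows the caveat from the note: ordinary X.509 path validation with
// no trusted roots rejects the very certificate that verifyPeer accepts.
func chainValidates(c *x509.Certificate) bool {
	_, err := c.Verify(x509.VerifyOptions{Roots: x509.NewCertPool()})
	return err == nil
}
```

Because verifyPeer never consults a CA, a compromised or mis-distributed pinned key is accepted just as readily as the genuine one, which is why the out-of-band key exchange needs the same care as a trust anchor.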