
PKI Application in IPSec VPN

On the network shown in Figure 1, the firewalls function as the egress gateways of network A and network B. Internal users of the two networks communicate through the Internet. To secure data transmitted over the Internet, IPSec is configured on the firewalls to set up an IPSec tunnel. Generally, IPSec can use a pre-shared key to negotiate the IPSec tunnel. However, using pre-shared keys on a large network is insecure and time-consuming. To address this problem, the devices can use PKI certificates to authenticate each other during IPSec tunnel setup.

Figure 1 PKI application in IPSec VPN

After PKI is configured, the communicating parties authenticate each other during IKE negotiation, which ensures the security of the key exchange. In addition, certificates provide centralized key management for IPSec and improve the scalability of the entire IPSec network. On an IPSec network with PKI configured, each device has a local certificate issued by the PKI authentication center (CA). When a new device is deployed, it can communicate securely with the other devices simply by applying for a certificate; the configurations on the other devices do not need to be modified. This greatly reduces the configuration workload.
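As an added example that is not part of the original Huawei page, the following Python script (using the third-party `cryptography` library) models the trust relationship described above: the CA issues each gateway a local certificate, and a gateway authenticates a peer during IKE by checking the peer's certificate only against the CA certificate it already trusts, so a newly enrolled gateway is accepted without any change on the existing gateways. The names example-ca, gwA, gwB and gwC are constructed for illustration; revocation checking (CRL/OCSP) is omitted.

```python
import datetime as dt
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _issue(subject_cn, issuer_name, pub_key, signer_key, days, is_ca):
    # Shared X.509 builder for both the CA certificate and device certificates.
    now = dt.datetime.now(dt.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(_name(subject_cn)).issuer_name(issuer_name)
            .public_key(pub_key).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + dt.timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(signer_key, hashes.SHA256()))


def make_ca(cn):
    # The PKI authentication center: a self-signed CA certificate (constructed).
    key = ec.generate_private_key(ec.SECP256R1())
    return key, _issue(cn, _name(cn), key.public_key(), key, 3650, True)


def enroll(ca_key, ca_cert, device_cn):
    # A gateway applies for a certificate; the CA issues its local certificate.
    key = ec.generate_private_key(ec.SECP256R1())
    return key, _issue(device_cn, ca_cert.subject, key.public_key(), ca_key, 365, False)


def peer_is_trusted(trusted_ca, peer_cert, expected_cn):
    # What a gateway checks in IKE: the peer certificate names the trusted CA as
    # issuer, the CA signature verifies, the certificate is within its validity
    # period, and its subject matches the identity the peer claims.
    if peer_cert.issuer != trusted_ca.subject:
        return False
    try:
        trusted_ca.public_key().verify(peer_cert.signature, peer_cert.tbs_certificate_bytes,
                                       ec.ECDSA(peer_cert.signature_hash_algorithm))
    except InvalidSignature:
        return False
    now = dt.datetime.now(dt.timezone.utc).replace(tzinfo=None)
    if not peer_cert.not_valid_before <= now <= peer_cert.not_valid_after:
        return False
    cn = peer_cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    return cn == expected_cn
```

Gateway A only ever stores the CA certificate; enrolling gateway C later changes nothing on A or B, while a certificate from a different CA, or one whose subject does not match the claimed IKE identity, is rejected.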

Copyright © Huawei Technologies Co., Ltd.