ISEKI CISCO SYSTEMS OL-5450-10 User Manual

New Features in Release 4.0.5

10

Release Notes for VPN Client, Release 4.0 through Release 4.0.5.D

OL-5450-10

Group Authentication is a method that uses pre-shared keys for mutual
authentication. In this method, the VPN Client and the VPN central-site device
use a group name and password to validate the connection. This is a symmetrical
form of authentication since both sides use the same authentication method during
their negotiations.

Mutual group authentication is asymmetrical in that each side uses a different
method to authenticate the other while establishing a secure tunnel to form the
basis for group authentication. In this method, authentication happens in two
stages. During the first stage, the VPN central-site device authenticates itself
using public-key techniques (digital signature) and the two sides negotiate to
establish a secure channel for communication. During the second stage, the actual
authentication of the VPN Client user by the central-site VPN device takes place.
Since this approach does not use pre-shared keys for peer authentication, it
provides greater security than group authentication alone, as it is not vulnerable
to a man-in-the-middle attack.

To use mutual group authentication, the remote user’s VPN Client system must
have a root certificate installed. If needed, you can install a root certificate
automatically by placing it on the VPN Client system during installation. The
certificate must be in a file named rootcert, with no extension, and must be placed
in the installation directory for the remote user’s VPN Client system.

For more information on mutual group authentication, see the VPN Client
Administrator Guide, Chapter 1.

You must configure both the VPN Client and the VPN Concentrator to allow
mutual group authentication (Hybrid mode). Ensure that the Certificate Authority
being used on both the VPN Client and the VPN Concentrator is the same.
Configure the VPN Concentrator in a similar fashion to the use of User
Certificates.

1.

Select an IKE Proposal that allows HYBRID mode authentication such
as those listed in Table 8-3 of the VPN Client Administrator's Guide.
HYBRID-AES256-SHA-RSA for example.

2.

Configure an IPSec SA to use the appropriate Identity Certificate to be
authenticated with the CA certifcate of the VPN Client. If certificates
have not yet been obtained for the VPN Concentrator, please refer to the
VPN 3000 Series Concentrator Reference Volume I: Configuration
Release 4.1.