Internet Protocol Security
A rule can specify multiple authentication methods, tried in the order listed, so that a method the peer also supports is found during negotiation.
IPSec supports all of the following authentication methods: Kerberos V5, public key certificates, and pre-shared keys.
For certificate-based authentication, Windows 2000 IKE has basic compatibility with several certificate systems, including those offered by Microsoft, Entrust, VeriSign, and Netscape. IKE uses the Cryptographic API version 2.0 (CAPIv2) functionality of Windows 2000 to process certificates. IKE does not require a specific type of certificate, only that it be stored in the computer's (not a user's) certificate store, carry a valid signature and a valid trust chain, and be used within its validity period.
Certificates obtained from Microsoft Certificate Services with the advanced option for strong private key protection enabled will not work for IKE authentication: that option prompts for a password each time the private key is used, and IKE runs as a service with no desktop on which to answer the prompt. In the rule's authentication method, you must select the certificate authority (CA) that issued your computer its certificate, or the root CA at the top of that certificate's chain; the certificate the peer presents must chain to the CA you select.
Coordination with the administrator of the remote computer is required to agree on certificate configuration. Otherwise, IKE negotiation may fail. For detailed information about certificates, CA configuration, and certificate revocation see the chapters under "Distributed Security" in the Distributed Systems Guide.
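The requirements above (certificate in the computer store, valid signature, valid trust chain, within the validity period, chaining to the CA selected in the rule) can be checked before a negotiation fails. The following is an added example, not code from the original documentation: it uses the Cert: provider and the .NET X509Chain class of later Windows PowerShell versions, which Windows 2000 did not have, and the CA name it looks for is a hypothetical placeholder. Strong private key protection is not visible from the store listing, so the script cannot detect that condition; it does report the other causes of a certificate being unusable.

```powershell
# Added example (not from the Windows 2000 documentation): list the machine
# certificates that satisfy IKE's stated requirements and say why the
# others do not. The CA subject is a hypothetical placeholder.
function Get-IkeCandidateCertificate {
    param(
        # Issuing or root CA selected in the rule's certificate method
        # (assumed name; replace with your CA's distinguished name).
        [string]$TrustedCaSubject = 'CN=Contoso Root CA'
    )
    $now = Get-Date
    # IKE only looks in the local computer's personal store.
    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $reasons = @()

        # IKE must sign with the private key; a public-key-only entry is useless.
        if (-not $cert.HasPrivateKey) { $reasons += 'no private key' }

        # Validity period check.
        if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
            $reasons += 'outside validity period'
        }

        # Signature and trust chain check, with online revocation checking,
        # which is what IKE's chain validation amounts to.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        if (-not $chain.Build($cert)) {
            $reasons += 'chain invalid: ' +
                (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        } else {
            # The chain must pass through the CA the rule is configured to trust.
            $subjects = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
            if ($subjects -notcontains $TrustedCaSubject) {
                $reasons += "chain does not include $TrustedCaSubject"
            }
        }

        [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            UsableForIke = ($reasons.Count -eq 0)
            Problems     = ($reasons -join '; ')
        }
    }
}

Get-IkeCandidateCertificate | Format-Table -AutoSize
```

Run it on both peers with the same CA name and compare the UsableForIke column: a negotiation that fails in phase 1 with certificate authentication is almost always explained by a row whose Problems column is non-empty on one side.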
Microsoft does not recommend routine use of pre-shared key authentication, because the key is stored unprotected, in the clear, in the IPSec policy: anyone who can read the policy can read the key and authenticate as either peer. Pre-shared key authentication is provided only for interoperability and to comply with the IPSec standards set forth by the IETF. To use this method safely, the policy must be restricted to administrator-only read and write access, encrypted for privacy when transmitted between the domain controller and domain member computers, and restricted to system-only read access on each computer.
Using Kerberos or certificate-based authentication is recommended, to avoid the security risks associated with pre-shared key authentication.
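The weak setting beside the recommended one, as an added example that is not part of the original page: it uses the NetSecurity cmdlets of Windows 8 / Windows Server 2012 and later, where the same three methods exist (Windows 2000 configured them through the IPSec policy snap-in, which has no scriptable equivalent shown here). The CA name and display names are assumptions. It also shows the point made at the top of the page, that a rule can carry several methods tried in order.

```powershell
# Added example (not from the Windows 2000 documentation). Requires the
# NetSecurity module (Windows 8 / Server 2012 or later) and an elevated
# prompt. The CA name and display names are hypothetical.

# Weak: the pre-shared key is a plain string held inside the policy store.
# Anyone who can read the policy has the key and can impersonate either peer,
# which is why the page restricts this method to interoperability cases.
$psk = New-NetIPsecAuthProposal -Machine -PreSharedKey 'ExamplePresharedKey-ReplaceMe'
New-NetIPsecPhase1AuthSet -DisplayName 'Weak PSK (interop only)' -Proposal $psk

# Recommended: Kerberos for domain members, with a certificate method as the
# second choice. The certificate method names the root CA the peer's
# certificate must chain to; no secret is stored in the policy.
$kerb = New-NetIPsecAuthProposal -Machine -Kerberos
$cert = New-NetIPsecAuthProposal -Machine -Cert -Authority 'CN=Contoso Root CA' -AuthorityType Root

# Proposals are tried in the order listed, so a peer that cannot do Kerberos
# (a non-domain or third-party gateway) falls through to certificates.
New-NetIPsecPhase1AuthSet -DisplayName 'Kerberos then certificate' -Proposal $kerb, $cert
```

Attach the resulting auth set to a rule with New-NetIPsecRule -Phase1AuthSet; the PSK set is shown only so the contrast is visible and should not be deployed outside an interoperability test.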