2.7.2. VPN Configurations Using Libreswan
- Raw RSA keys are commonly used for static host-to-host or subnet-to-subnet
IPsecconfigurations. The hosts are manually configured with each other's public RSA key. This method does not scale well when dozens or more hosts all need to setup
IPsectunnels to each other.
- X.509 certificates are commonly used for large scale deployments where there are many hosts that need to connect to a common
IPsecgateway. A central certificate authority (CA) is used to sign RSA certificates for hosts or users. This central CA is responsible for relaying trust, including the revocations of individual hosts or users.
- Pre-Shared Keys (PSK) is the simplest authentication method. PSK's should consist of random characters and have a length of at least 20 characters. Due to the dangers of non-random and short PSKs, this is the least secure form of authentication and it is recommended to use either raw RSA keys or certificate based authentication instead.