Are there instances when I should use X.509 certificates over shared secrets?

Yes, there are. During the authentication process with shared secrets, the two Safepipes on a tunnel exchange IP addresses for verification; in fact, the tunnel configuration requires that the public IP addresses of both Safepipes be entered in the appropriate fields. Because the IP addresses must be known in advance with shared secrets, this type of authentication cannot be used with dynamic IP addressing.

X.509 certificates can be used whether or not the public IP address is known. Certificates work by having all VPN devices agree on one trusted party, the 'Certificate Authority' (CA). The CA signs each Safepipe's X.509 certificate, including its own (if the CA is itself a Safepipe), and with these signed certificates the devices can authenticate each other. No IP addresses are verified during the authentication process. This means that when dynamic IP addressing is utilised, or the public IP address of one Safepipe is otherwise unknown, X.509 certificates must be used.

From Safepipe version 2.3, dynamic IP addressing through PPPoE and DHCP is supported. Note that at least one of the Safepipes on a tunnel must still have a static public IP address, and the Safepipe with the dynamic IP address must always initiate the tunnel.
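As an added illustration (not Eicon's code or a Safepipe configuration), the Go program below contrasts the two authentication models described above: a shared-secret table that can only be consulted when the peer's public address is already known, and X.509 verification that checks only that the peer's certificate chains to the agreed CA. The CA, the peer certificate, the addresses and the secret are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Shared secrets keyed by peer public IP (constructed): the address must be known up front.
var sharedSecrets = map[string]string{"203.0.113.10": "constructed-secret"}
// authPSK: the peer's source address selects the secret, so an unknown (dynamic) address cannot pass.
func authPSK(peerIP, offered string) bool {
	secret, known := sharedSecrets[peerIP]
	return known && secret == offered
}

// authCert: the peer is accepted if its certificate chains to the agreed CA; its IP is never consulted.
func authCert(peerDER []byte, roots *x509.CertPool) bool {
	cert, err := x509.ParseCertificate(peerDER)
	if err == nil {
		_, err = cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	}
	return err == nil
}

// makeChain builds a throwaway CA plus a peer certificate it signed (constructed; a site uses its own CA).
func makeChain() (*x509.CertPool, []byte) {
	validity := x509.Certificate{NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	caTmpl, peerTmpl := validity, validity
	caTmpl.SerialNumber, caTmpl.Subject = big.NewInt(1), pkix.Name{CommonName: "Example CA"}
	caTmpl.IsCA, caTmpl.BasicConstraintsValid, caTmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	peerTmpl.SerialNumber, peerTmpl.Subject = big.NewInt(2), pkix.Name{CommonName: "branch-safepipe"}
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	peerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caDER, _ := x509.CreateCertificate(rand.Reader, &caTmpl, &caTmpl, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	peerDER, _ := x509.CreateCertificate(rand.Reader, &peerTmpl, caCert, &peerKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, peerDER
}

func main() { // stand-alone run prints "true false": cert auth passes, PSK from an unlisted address fails
	roots, peerDER := makeChain()
	println(authCert(peerDER, roots), authPSK("198.51.100.7", "constructed-secret"))
}
```

A certificate issued by a different CA is rejected by the same check, which is the whole point of agreeing on one CA before the tunnel is built.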

© 2001 Eicon Networks