As discussed earlier, the use of pre-shared keys for IKE
authentication works well only when there are few IPSec peers. Although there
are a number of methods for authentication, using a CA server is the most
scalable solution. Other IKE authentication methods require manual intervention
to generate and distribute the keys on a per-peer basis. When using the PIX
Security Appliance to implement IPSec VPNs using digital certificates, the CA
server enrollment process can be largely automated so that it scales well to
large deployments. Each PIX that is to be configured as an IPSec peer
individually enrolls with the CA server and obtains public and private
encryption keys compatible with other peers that are enrolled with the server.
The PIX Security Appliance supports the following CA servers:
- Cisco IOS Certificate Server
- Baltimore Technologies
- Entrust
- Microsoft Certificate Services
- Netscape CMS
- RSA Keon
- VeriSign
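The enrollment sequence described above, as an added illustration that is not part of the original text: it assumes the PIX 6.x `ca` command syntax, a CA nicknamed `labca` at the constructed address 10.1.1.5, and a constructed challenge password; lines beginning with `:` are annotations, not commands.

```text
: Generate the RSA key pair the certificate will bind to this PIX
ca generate rsa key 1024
: Declare the CA (nickname, CA address) and how enrollment retries behave;
: "crloptional" lets IKE proceed if the CRL cannot be fetched (weaker, assumed here for lab use)
ca identity labca 10.1.1.5
ca configure labca ca 1 20 crloptional
: Fetch the CA certificate; the PIX prints its fingerprint, which must be
: compared out of band with the CA operator before accepting it
ca authenticate labca
: Request this PIX's own certificate; the challenge password is constructed
ca enroll labca Lab-Challenge-Pass
: Persist keys and certificates to flash, then switch IKE to RSA signatures
ca save all
isakmp policy 10 authentication rsa-sig
show ca certificate
```

Repeating only the `ca generate`, `ca authenticate` and `ca enroll` steps on each additional PIX is what makes this scale; no per-peer key exchange is needed, unlike pre-shared keys.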