It looks as if the new firmware will support loadable X.509 certificates for SSL authentication, at least for QuickVPN. Once there is some X.509 certificate infrastructure, it should be easier to add support for certificate-based authentication to IPsec. The original open source code (Openswan) does support X.509, so it should be a small step. If anyone has the ear of Linksys, would they please suggest this? Thanks.

Why would this be useful?

Preshared key authentication (the only authentication currently supported (contrary to the manual)) does not scale well. Unless you can distinguish identities based on IP address, or use Aggressive Mode for Phase I, all peers must use the same preshared key. This means that you cannot have policies that treat peers differently. In this day and age, many systems don't have static IP addresses, so distinguishing based on IP address is impractical (even if it did work, it would be a maintenance nightmare for a VPN with more than a few gateways). Aggressive Mode is known to be insecure and should not be used.

[I admit that different PSKs could be used, with the authentication trying each of them until one worked. That scales badly and was not implemented in FreeS/WAN (I would have been the one to implement it, and I didn't). I don't think that it would have been added to the WRV200 version of the code.]

Distributing a preshared key is significantly more difficult than distributing a certificate (or bare public key, but that is another topic). Certificates use a public-key cryptosystem, so you can just publish the certificate. The preshared key must be kept secret, and yet distributed. On top of that, key rollover (replacing old keys with new) is a nightmare with PSKs because it must be done simultaneously at all sharing sites. Key rollover is a necessary part of cryptographic hygiene.

Summary: there are good technical reasons to support X.509 authentication in IPsec, the underlying code (Openswan) supports it, new infrastructure adds certificate management to the WRV200, so it looks like a no-brainer.
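The Main Mode constraint described in the post, as an added example that is not part of the original post and is not Openswan or WRV200 code: a simplified model of why the responder has to pick the PSK from the peer's IP address before it can read the peer's identity. Assumptions: the key derivation and HASH_I are reduced forms of the RFC 2409 definitions, the XOR keystream is a stand-in for the negotiated cipher, and all names, addresses and keys are constructed.

```python
import hashlib
import hmac

def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in for the negotiated Phase 1 cipher (stdlib only); not a real IKE cipher.
    stream = b"".join(prf(key, bytes([i])) for i in range(len(data) // 20 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def message5(psk, ni, nr, exchange, ident):
    """Initiator: the ID and HASH_I are sent encrypted under a PSK-derived key."""
    skeyid = prf(psk, ni + nr)                  # RFC 2409: SKEYID = prf(PSK, Ni_b | Nr_b)
    skeyid_e = prf(skeyid, exchange + b"\x02")  # simplified SKEYID_e derivation
    hash_i = prf(skeyid, exchange + ident)      # simplified HASH_I
    return keystream_xor(skeyid_e, hash_i + ident)

def responder_authenticate(secrets, peer_ip, ni, nr, exchange, blob):
    """Responder: the ID is still ciphertext, so the PSK is chosen by IP alone."""
    psk = secrets.get(peer_ip, secrets.get("%any"))
    if psk is None:
        return None
    skeyid = prf(psk, ni + nr)
    plain = keystream_xor(prf(skeyid, exchange + b"\x02"), blob)
    hash_i, ident = plain[:20], plain[20:]
    if hmac.compare_digest(hash_i, prf(skeyid, exchange + ident)):
        return ident.decode()
    return None  # wrong PSK: neither the ID nor the hash is recoverable

# Constructed sample data (documentation addresses, made-up keys and names).
NI, NR, EXCHANGE = b"\x11" * 16, b"\x22" * 16, b"constructed-dh-and-cookies"
SECRETS = {"192.0.2.10": b"branch-a-key", "%any": b"shared-roaming-key"}

def demo():
    fixed = message5(b"branch-a-key", NI, NR, EXCHANGE, b"branch-a")
    roam_own = message5(b"branch-b-key", NI, NR, EXCHANGE, b"branch-b")
    roam_shared = message5(b"shared-roaming-key", NI, NR, EXCHANGE, b"branch-b")
    return (
        responder_authenticate(SECRETS, "192.0.2.10", NI, NR, EXCHANGE, fixed),
        responder_authenticate(SECRETS, "198.51.100.7", NI, NR, EXCHANGE, roam_own),
        responder_authenticate(SECRETS, "198.51.100.7", NI, NR, EXCHANGE, roam_shared),
    )

if __name__ == "__main__":
    print(demo())
```

A peer with its own key only authenticates from its listed address; from an unlisted address it succeeds only with the key shared under `%any`, which every other roaming peer also holds.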