You must configure a site-to-site VPN connection between your company and a business partner. The security policy of your organization states that the source of incoming traffic must be authenticated by a neutral party to prevent spoofing of an unauthorized source gateway.
What accomplishes this goal?
Use a manual key exchange to encrypt/decrypt traffic.
Generate internal Diffie-Hellman public/private key pairs on each VPN device and exchange public keys with the business partner.
Use a third-party certificate authority and exchange public keys with the business partner.
Use a private X.509 PKI certificate and verify it against a third-party certificate revocation list (CRL).