Pre-shared keys, Using a pre-shared key – Amer Networks E5Web GUI User Manual
Page 593

9.3.7. Pre-shared Keys
Pre-Shared Keys are used to authenticate VPN tunnels. The keys are secrets that are shared by
the communicating parties before communication takes place. To communicate, both parties
prove that they know the secret. The security of a shared secret depends on how "good" a
passphrase is. Passphrases that are common words are extremely vulnerable to dictionary
attacks.
Pre-shared Keys can be generated automatically through the Web Interface but they can also be
generated through the CLI using the command pskgen (this command is fully documented in the
CLI Reference Guide).
Beware of Non-ASCII Characters in a PSK on Different Platforms!
If a PSK is specified as a passphrase rather than as a hexadecimal value, the different text encodings
used on different platforms can cause a problem with non-ASCII characters. Windows, for example,
encodes pre-shared keys containing non-ASCII characters in UTF-16, while cOS Core uses UTF-8.
Even though the passphrases appear identical at either end of the tunnel, the resulting key bytes
will not match, and this can cause problems when setting up a Windows L2TP client that connects
to cOS Core.
Example 9.2. Using a Pre-Shared Key
This example shows how to create a Pre-shared Key and apply it to a VPN tunnel. Since regular
words and phrases are vulnerable to dictionary attacks, they should not be used as secrets. Here
the pre-shared key is a randomly generated hexadecimal key. Note that this example does not
illustrate how to add the specific IPsec tunnel object.
Command-Line Interface
First create a Pre-shared Key. To generate the key automatically with the default 64-bit key size,
use:
Device:/> pskgen MyPSK
To have a longer, more secure 512-bit key, the command would be:
Device:/> pskgen MyPSK -size=512
Or alternatively, to add the Pre-shared Key manually, use:
Device:/> add PSK MyPSK Type=HEX PSKHex=
Now apply the Pre-shared Key to the IPsec tunnel:
Device:/> set Interface IPsecTunnel MyIPsecTunnel PSK=MyPSK
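The following is an added example, not code from the manual or from cOS Core. It models the encoding caveat above (UTF-16 on Windows versus UTF-8 on cOS Core for passphrases with non-ASCII characters) and generates random hexadecimal keys of the sizes pskgen uses, which sidestep the encoding problem entirely. The Windows encoding rule is a simplified assumption based only on the manual's description; the function names are hypothetical.

```python
import secrets


def cos_core_psk_bytes(passphrase: str) -> bytes:
    """Key bytes as cOS Core derives them: the passphrase encoded as UTF-8."""
    return passphrase.encode("utf-8")


def windows_psk_bytes(passphrase: str) -> bytes:
    """Simplified model (assumption) of the Windows behaviour the manual
    describes: an ASCII-only passphrase is unaffected, but one containing
    non-ASCII characters is encoded as UTF-16 (little-endian), not UTF-8."""
    if passphrase.isascii():
        return passphrase.encode("ascii")
    return passphrase.encode("utf-16-le")


def psk_bytes_agree(passphrase: str) -> bool:
    """True only when both ends would feed identical key bytes into IKE
    authentication; False means the tunnel will fail to authenticate even
    though the operator typed the same passphrase on both sides."""
    return cos_core_psk_bytes(passphrase) == windows_psk_bytes(passphrase)


def generate_hex_psk(bits: int = 64) -> str:
    """Random hexadecimal PSK of the given size in bits, mirroring what
    pskgen produces (64 bits by default; -size=512 for a longer key).
    A random hex key is also immune to dictionary attacks on passphrases."""
    if bits <= 0 or bits % 8 != 0:
        raise ValueError("key size must be a positive multiple of 8 bits")
    return secrets.token_hex(bits // 8)


def psk_from_hex(psk_hex: str) -> bytes:
    """Decode a Type=HEX key into raw bytes. The result is identical on every
    platform because no text encoding is involved."""
    return bytes.fromhex(psk_hex)


if __name__ == "__main__":
    for phrase in ("correct-horse-7!", "Straße"):
        print(f"{phrase!r}: both ends agree = {psk_bytes_agree(phrase)}")
    print("512-bit hex PSK:", generate_hex_psk(512))
```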
InControl
Follow the same steps used for the Web Interface below.
Web Interface
First create a Pre-shared Key:
1. Go to: Objects > Key Ring > Add > Pre-shared key
Chapter 9: VPN