Libreswan based Ipsec VPN using preshared and RSA keys on Ubuntu

Contact us

The RFC states it as such: Preshared keys are not actually sent across the network, but they are used with nonce and DH secret to generate a session key that Dan talks in his answer. Your answer is in your question: And as a result, they created a special method for verifying that each party has the correct PSK, without actually sharing it across the wire. Would you like to answer one of these unanswered questions instead? This is described in the RFC here:

Pre-Shared Keys in IPsec

ARCHIVED: What is a pre-shared key or shared secret?

I am trying to understand why do we really use those pre-shared keys when creating a IPSec tunnel. From all the reading that I have done the DH group creates the keys that are used to do the actual data encryption, hope I am correct.

If yes, the pre-shared keys are used only for the authentication? The role of preshared key or certificate is to authenticate the other peer. Even if connection is encrypted, you need to know that the peer you are establishing connection with is the one it should be. Encryption provides confidentiality in the connection and preshared key that only you and the other party knows provides the authentication.

It also has another role. It is used in the DH calculation to generate the session keys. This gives the communicating parties a way to generate fresh session keys without additional key sharing, making it practical to change session keys frequently. By doing so, they can minimize the impact of a single compromised session key. Note that, by design, compromising a session key should not help an attacker compromise the preshared key and therefore other session keys.

By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service , privacy policy and cookie policy , and that your continued use of the website is subject to these policies.

What happens if an attacker catches my PSKs? Since the PSKs must be configured on each side only once, it should be no problem to write letters on the firewall. Thereby, a really complex key can be generated and used for the authentication of the VPN peer. Here are my tips:. What exactly do you mean? This must be a firewall feature, but I have not heard of a feature like that. Or do you mean whether it is a security issue if the PSK is never changed?

Maybe it is exposed through another way social engineering, etc. So, in my opinion, a PSK change every years is a good choice. But even more it is relevant to check every years if appropriate security algorithms ciphers are used for phase 1 and phase 2. Imagine that we have several embedded devices that they need to authenticate whenever they want to communicate with each other. Do you think that authentication with PSK is a good idea? Do you know of any mechanism with which we can securely distribute the PSK to all these devices?

Or should we configure the PSK seperately on each device? If you have multiple embedded devices, you should consider using authentication via certificates. There are options to distribute certificates automatically. If you are a company that has static VPN tunnels that do not change that often i. The PSK must be configured only once! It must not be changed later on. It allows two parties to securely generate a PSK without having either party transmit it to the other party.

IFM - IPSec Pre-shared Key (PSK) Generator

Leave a Reply

A tool to generate a PSK for IPSec without requiring either party to send it to the other party. Pre-Shared Keys in IPsec. The following section is related to site-to-site VPNs only and NOT to remote access VPNs. The pre-shared key . Internet Protocol security (IPsec) can use preshared keys for authentication. Preshared means that the parties agree on a shared, secret key that is used for authentication.