PSK Support for Remote Secrets
Overview
StarOS CLI commands support the creation of local and remote pre-shared keys (PSKs) associated with crypto maps and crypto templates. Refer to the descriptions of the crypto map and crypto template commands in the Context Configuration Mode Commands chapter of the Command Line Interface Reference.
StarOS also allows the operator to configure a remote secret list that contains PSKs based on remote ID types. The remote secret list can contain up to 1000 entries; only one remote secret list is supported per system. The remote secret list is bound to a crypto map and/or crypto template.
Each entry in the remote secret list consists of either an alphanumerical string of 1 through 255 characters, or a hexadecimal string of 16 to 444 bytes.
Implementation
- The initiator sends an IKE_INIT_REQUEST to the responder.
- The responder replies with an IKE_INIT_RESPONSE.
- When the IKE_INIT_RESPONSE is received, the initiator sends an IKE_AUTH_REQUEST to the responder along with its peer ID.
- When the responder receives the IKE_AUTH_REQUEST, it derives the peer ID from the IKE_AUTH_REQUEST and searches the remote secret list for the PSK. If a remote secret list is bound to the respective map/template, it takes the PSK from the list. Otherwise, it takes the remote PSK from the respective map or template.
Supported IKE ID Types
- ID_IP_ADDR (supports IPv4 and IPv6 address notations)
- ID_IPV4_ADDR (IPv4 address in dotted-decimal notation)
- ID_FQDN (Fully Qualified Domain Name)
- ID_RFC822_ADDR (Email address)
- ID_IPV6_ADDR (IPv6 address in colon-separated notation)
- ID_DER_ASN1_DN (Abstract Syntax Notation One - Distinguished Name)
- ID_DER_ASN1_GN (Abstract Syntax Notation One - General Name)
- ID_KEY_ID (Opaque byte stream)
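The following Python model illustrates the responder-side PSK selection described in the Implementation section together with the ID-type keyed lookup above. It is an added example written for this page, not StarOS code, and it makes assumptions the page does not state: entries are keyed by (ID type, ID value); IP address IDs and FQDNs are normalised before comparison so that equivalent encodings match one entry; the documented entry limits (1000 entries; 1 to 255 alphanumeric characters or 16 to 444 hexadecimal bytes) are enforced on insertion; and when a list is bound but holds no matching entry, the responder falls back to the map/template PSK. The class and function names are hypothetical.

```python
"""Model of remote secret list PSK selection (added example, not StarOS code)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

MAX_ENTRIES = 1000  # one list per system, up to 1000 entries (limit from the page)

# IKE ID types accepted by the list (names from the page)
ID_TYPES = {
    "ID_IP_ADDR", "ID_IPV4_ADDR", "ID_IPV6_ADDR", "ID_FQDN", "ID_RFC822_ADDR",
    "ID_DER_ASN1_DN", "ID_DER_ASN1_GN", "ID_KEY_ID",
}

_HEX_PSK = re.compile(r"^(?:[0-9A-Fa-f]{2}){16,444}$")   # 16..444 bytes
_ALNUM_PSK = re.compile(r"^[A-Za-z0-9]{1,255}$")           # 1..255 characters


def validate_psk(psk: str) -> str:
    """Accept a hex PSK of 16..444 bytes or an alphanumeric PSK of 1..255 chars."""
    if _HEX_PSK.match(psk):
        return psk.lower()          # canonical hex form
    if _ALNUM_PSK.match(psk):
        return psk
    raise ValueError("PSK must be 1-255 alphanumeric chars or 16-444 hex bytes")


def canonical_id(id_type: str, id_value: str) -> Tuple[str, str]:
    """Normalise a peer ID so equivalent encodings hit the same entry (assumption)."""
    if id_type not in ID_TYPES:
        raise ValueError(f"unsupported IKE ID type {id_type}")
    if id_type in ("ID_IP_ADDR", "ID_IPV4_ADDR", "ID_IPV6_ADDR"):
        addr = ipaddress.ip_address(id_value)        # rejects malformed addresses
        if id_type == "ID_IPV4_ADDR" and addr.version != 4:
            raise ValueError(f"{id_value} is not an IPv4 address")
        if id_type == "ID_IPV6_ADDR" and addr.version != 6:
            raise ValueError(f"{id_value} is not an IPv6 address")
        return (id_type, addr.compressed)            # e.g. 2001:0db8::0001 -> 2001:db8::1
    if id_type == "ID_FQDN":
        return (id_type, id_value.lower())           # DNS names compare case-insensitively
    return (id_type, id_value)                       # opaque types compare byte-for-byte


class RemoteSecretList:
    """The single per-system list of PSKs keyed by remote ID type and value."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], str] = {}

    def add(self, id_type: str, id_value: str, psk: str) -> None:
        key = canonical_id(id_type, id_value)
        if key not in self._entries and len(self._entries) >= MAX_ENTRIES:
            raise OverflowError("remote secret list already holds 1000 entries")
        self._entries[key] = validate_psk(psk)

    def lookup(self, id_type: str, id_value: str) -> Optional[str]:
        return self._entries.get(canonical_id(id_type, id_value))

    def __len__(self) -> int:
        return len(self._entries)


@dataclass
class CryptoMap:
    """A crypto map or crypto template with its own remote PSK (hypothetical model)."""
    name: str
    remote_psk: str                                  # used when the list yields nothing
    remote_secret_list: Optional[RemoteSecretList] = None


def select_responder_psk(cmap: CryptoMap, id_type: str, id_value: str) -> Tuple[str, str]:
    """Step 4 of the exchange: choose the PSK for the peer ID in IKE_AUTH_REQUEST.

    Returns (source, psk) so a caller can log where the key came from.
    """
    if cmap.remote_secret_list is not None:
        psk = cmap.remote_secret_list.lookup(id_type, id_value)
        if psk is not None:
            return ("remote-secret-list", psk)
    return ("crypto-map", cmap.remote_psk)           # no list bound, or no entry matched


if __name__ == "__main__":
    # Constructed sample data, not real keys.
    secrets = RemoteSecretList()
    secrets.add("ID_FQDN", "Gateway.Example.COM", "alphaKey01")
    secrets.add("ID_IPV6_ADDR", "2001:0db8:0000:0000:0000:0000:0000:0001", "ab" * 16)
    bound = CryptoMap("cm-bound", "fallbackKey", secrets)
    print(select_responder_psk(bound, "ID_FQDN", "gateway.example.com"))
    print(select_responder_psk(bound, "ID_KEY_ID", "unknown-peer"))
```

Because the lookup is keyed by ID type as well as value, an FQDN entry never matches a peer that presents the same string as an ID_KEY_ID, which mirrors the page's statement that entries are selected by remote ID type. Logging the returned source lets an operator confirm whether a given peer authenticated with a list entry or with the map-wide fallback key.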
Deployment Scenarios
A group of remote clients can be configured to use a separate pre-shared key, even if they are using the same crypto map or crypto template.