Pre-Shared Keys are used to authenticate VPN tunnels. The keys are secrets that are shared by the
communicating parties before communication takes place. To communicate, both parties prove that
they know the secret. The security of a shared secret depends on how "good" a passphrase is.
Passphrases that are common words are extremely vulnerable to dictionary attacks.
Pre-shared Keys can be generated automatically through the WebUI but they can also be generated
through the CLI using the command pskgen (this command is fully documented in the CLI
Reference Guide).
Beware of Non-ASCII Characters in a PSK on Different Platforms!
If a PSK is specified as a passphrase and not a hexadecimal value, the different encodings on
different platforms can cause a problem with non-ASCII characters. Windows, for example, encodes
pre-shared keys containing non ASCII characters in UTF-16 while NetDefendOS uses UTF-8. Even
though they can seem the same at either end of the tunnel there will be a mismatch and this can
sometimes cause problems when setting up a Windows L2TP client that connects to NetDefendOS.
Example 9.2. Using a Pre-Shared key
This example shows how to create a Pre-shared Key and apply it to a VPN tunnel. Since regular words and
phrases are vulnerable to dictionary attacks, they should not be used as secrets. Here the pre-shared key is a
randomly generated hexadecimal key. Note that this example does not illustrate how to add the specific IPsec
tunnel object.
CLI
First create a Pre-shared Key. To generate the key automatically with a 64 bit (the default) key, use:
gw-world:/> pskgen MyPSK
To have a longer, more secure 512 bit key the command would be:
gw-world:/> pskgen MyPSK -size=512
Or alternatively, to add the Pre-shared Key manually, use:
gw-world:/> add PSK MyPSK Type=HEX PSKHex=<enter the key here>
Now apply the Pre-shared Key to the IPsec tunnel:
gw-world:/> set Interface IPsecTunnel MyIPsecTunnel PSK=MyPSK
Web Interface
First create a Pre-shared Key:
1.
Go to Objects > Authentication Objects > Add > Pre-shared key
2.
Enter a name for the pre-shared key, for example MyPSK
3.
Choose Hexadecimal Key and click Generate Random Key to generate a key to the Passphrase textbox
4.
Click OK
Then, apply the pre-shared key to the IPsec tunnel:
1.
Go to Interfaces > IPsec
2.
In the grid control, click the target IPsec tunnel object
3.
Under the Authentication tab, choose Pre-shared Key and select MyPSK
4.
Click OK
9.3.8. Identification Lists
Chapter 9. VPN
343
Содержание 800 - DFL 800 - Security Appliance
Страница 24: ...1 3 NetDefendOS State Engine Packet Flow Chapter 1 NetDefendOS Overview 24 ...
Страница 69: ...2 6 4 Restore to Factory Defaults Chapter 2 Management and Maintenance 69 ...
Страница 121: ...3 9 DNS Chapter 3 Fundamentals 121 ...
Страница 166: ...interfaces without an overriding IGMP Setting Default 1 000 4 6 4 Advanced IGMP Settings Chapter 4 Routing 166 ...
Страница 181: ...4 7 5 Advanced Settings for Transparent Mode Chapter 4 Routing 181 ...
Страница 192: ...5 5 IP Pools Chapter 5 DHCP Services 192 ...
Страница 282: ...6 7 Blacklisting Hosts and Networks Chapter 6 Security Mechanisms 282 ...
Страница 300: ...mechanism 7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 300 ...
Страница 301: ...7 3 7 SAT and FwdFast Rules Chapter 7 Address Translation 301 ...
Страница 303: ... Changed on a regular basis such as every three months 8 1 Overview Chapter 8 User Authentication 303 ...
Страница 318: ...8 3 Customizing HTML Pages Chapter 8 User Authentication 318 ...
Страница 322: ...ALG 9 1 5 The TLS Alternative for VPN Chapter 9 VPN 322 ...
Страница 377: ...Management Interface Failure with VPN Chapter 9 VPN 377 ...
Страница 408: ...10 4 6 SLB_SAT Rules Chapter 10 Traffic Management 408 ...
Страница 419: ...11 5 HA Advanced Settings Chapter 11 High Availability 419 ...
Страница 426: ...12 3 5 Limitations Chapter 12 ZoneDefense 426 ...
Страница 449: ...13 9 Miscellaneous Settings Chapter 13 Advanced Settings 449 ...