topic Re: ikev2 remote-authentication and ikev2 local-authentication in Network Security

ikev2 remote-authentication and ikev2 local-authentication

ravindra962 — Mon, 13 Jan 2020 19:22:57 GMT

Hello Guys

I am kind of New to Cisco ASA. I Used to configure VPN tunnels in Checkpoint, but there used to be Only one PSK.

With Cisco 9.8 ASA Code you can put two PSK's for local and remote. I understood how these two PSK's work with bi-directional authentication.

Here what I am wondering is, If I am building a L2L VPN tunnel where both the peers are Cisco ASA, I can use two different PSK's for local and remote authentication but if the other Peer is not an ASA (Checkpoint, Paloalto etc) then does both (local and remote) the PSK has to be same?

Re: ikev2 remote-authentication and ikev2 local-authentication

Sheraz.Salim — Mon, 13 Jan 2020 19:28:41 GMT

if you asking for l2l vpn with ikev2 yes you can mix match the local pre-shared key and remote-preshared key. I am not following you are you asking for anyconnect vpn or asking for l2l site to site vpn

Re: ikev2 remote-authentication and ikev2 local-authentication

ravindra962 — Mon, 13 Jan 2020 19:30:10 GMT

I am asking for L2L VPN with a 3rd party Vendor like Checkpoint or Palo Alto

Re: ikev2 remote-authentication and ikev2 local-authentication

Sheraz.Salim — Mon, 13 Jan 2020 19:39:32 GMT

on cisco ASA with l2l ikev1 there is only one pre-shared-key. however with ikev2 l2l you can configured a local pre-shared key and remote preshared key. other thing for ikev2 pre-share-key local and remote keys can be different. they dont need to be the same. however you have to make sure on the other side its Vic-versa.

see this example for ikev2 site-to-site vpn https://www.petenetlive.com/KB/Article/0001429

Re: ikev2 remote-authentication and ikev2 local-authentication

ravindra962 — Mon, 13 Jan 2020 19:44:43 GMT

Hello

Thank you Very much for providing such a detailed explanation.

My question is, for example let's Say I am building a ikev2 L2L VPN tunnel between my Peer which is a Cisco ASA and my client peer which is a Checkpoint

Now if i Configure the local and Remote PSK's on my ASA I need to give these PSK's to my Client so that they can configure this PSK's on their end. If my local and Remote PSK's are different which PSK should I share with my client so that the Phase-1 authentication will be successful because I know for sure on checkpoint you can enter only one PSK per L2L VPN tunnel

PetesASA(config-tunnel-ipsec)# remote-authentication pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# local-authentication pre-shared-key 0987654321

Re: ikev2 remote-authentication and ikev2 local-authentication

Sheraz.Salim — Mon, 13 Jan 2020 20:25:32 GMT

you have to give local and remote pre-share-key to remote site. if this is a security concern why dont you use the certificate?

let say this is your config

ASA(config-tunnel-ipsec)# remote-authentication pre-shared-key 1234567890
ASA(config-tunnel-ipsec)# local-authentication pre-shared-key 0987654321

now your remote site have config like this

ASA(config-tunnel-ipsec)# remote-authentication pre-shared-key 0987654321
ASA(config-tunnel-ipsec)# local-authentication pre-shared-key 1234567890

Re: ikev2 remote-authentication and ikev2 local-authentication

ravindra962 — Mon, 13 Jan 2020 20:26:08 GMT

It's not about Security Concern, in checkpoint you do not have an option to Put a Local PSK and Remote PSK. You can only put one PSK. So I just want to know if I have to use same PSK for both Local and Remote

Re: ikev2 remote-authentication and ikev2 local-authentication

Sheraz.Salim — Mon, 13 Jan 2020 20:33:26 GMT

for ikev2 you can use the same preshared key for local and remote authentication.