01-13-2020 11:22 AM
Hello guys,
I am kind of new to Cisco ASA. I used to configure VPN tunnels in Checkpoint, but there was only one PSK.
With Cisco ASA 9.8 code you can put in two PSKs, local and remote. I understand how these two PSKs work with bi-directional authentication.
What I am wondering is: if I am building an L2L VPN tunnel where both peers are Cisco ASAs, I can use two different PSKs for local and remote authentication, but if the other peer is not an ASA (Checkpoint, Palo Alto, etc.), do both PSKs (local and remote) have to be the same?
01-13-2020 11:28 AM
If you are asking about L2L VPN with IKEv2, yes, you can mix and match the local pre-shared key and the remote pre-shared key. I am not following you: are you asking about AnyConnect VPN or about L2L site-to-site VPN?
01-13-2020 11:30 AM
I am asking about L2L VPN with a 3rd-party vendor like Checkpoint or Palo Alto.
01-13-2020 11:35 AM - edited 01-13-2020 11:39 AM
On Cisco ASA with L2L IKEv1 there is only one pre-shared key. However, with IKEv2 L2L you can configure a local pre-shared key and a remote pre-shared key. Another thing: for IKEv2 the local and remote pre-shared keys can be different; they don't need to be the same. However, you have to make sure that on the other side it's vice versa.
See this example for an IKEv2 site-to-site VPN: https://www.petenetlive.com/KB/Article/0001429
01-13-2020 11:44 AM
Hello,
Thank you very much for providing such a detailed explanation.
My question is, for example, let's say I am building an IKEv2 L2L VPN tunnel between my peer, which is a Cisco ASA, and my client's peer, which is a Checkpoint.
Now, if I configure the local and remote PSKs on my ASA, I need to give these PSKs to my client so that they can configure them on their end. If my local and remote PSKs are different, which PSK should I share with my client so that the Phase 1 authentication will be successful? Because I know for sure that on Checkpoint you can enter only one PSK per L2L VPN tunnel.
PetesASA(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 1234567890
PetesASA(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 0987654321
01-13-2020 12:10 PM - edited 01-13-2020 12:25 PM
You have to give both the local and the remote pre-shared key to the remote site. If this is a security concern, why don't you use a certificate?
Let's say this is your config:
ASA(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 1234567890
ASA(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 0987654321
Now your remote site has a config like this:
ASA(config-tunnel-ipsec)# ikev2 remote-authentication pre-shared-key 0987654321
ASA(config-tunnel-ipsec)# ikev2 local-authentication pre-shared-key 1234567890
01-13-2020 12:26 PM
It's not a security concern. In Checkpoint you do not have an option to put in a local PSK and a remote PSK; you can only put in one PSK. So I just want to know if I have to use the same PSK for both local and remote.
01-13-2020 12:33 PM
For IKEv2 you can use the same pre-shared key for local and remote authentication.
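To make the mirroring concrete, here is an added example (not from this thread or the linked article) of the IKEv2 tunnel-group attributes on two ASAs, followed by the single-PSK form you need when the far end is a Checkpoint. The peer addresses and key strings are made-up placeholders; replace them with your own.

```text
! --- ASA-A (192.0.2.1), peer is ASA-B at 198.51.100.1; keys are constructed placeholders
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key KEY-THAT-B-PRESENTS
 ikev2 local-authentication pre-shared-key KEY-THAT-A-PRESENTS
! --- ASA-B (198.51.100.1), mirrored: B's local key is A's remote key and vice versa
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key KEY-THAT-A-PRESENTS
 ikev2 local-authentication pre-shared-key KEY-THAT-B-PRESENTS
! --- ASA-A when the peer at 198.51.100.1 is a Checkpoint with a single PSK field:
! the one secret you hand the client must be configured in both directions on the ASA
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev2 remote-authentication pre-shared-key ONE-SHARED-SECRET
 ikev2 local-authentication pre-shared-key ONE-SHARED-SECRET
```

After bringing the tunnel up, `show crypto ikev2 sa` on the ASA confirms whether the IKE SA reached the READY state; a mismatch in either direction shows up as an authentication failure during IKE_AUTH.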