Site-to-Site VPN password best practices

Travis-Fleming
Level 1

Hello, we have 15+ home users with Cisco C881k9 routers that are doing an automatic IKEv2 site-to-site VPN connection back to our head-end VPN-concentrating Cisco ASA 5525-X firewall. The home users obviously have DHCP public IP addresses.

Does anyone else ever go through and change the keystring password for your peer VPN on an annual or bi-annual basis? In reading Cisco best-practice documentation, they just say to pick a very secure password, but nothing on password age.

I understand changing that password would have a lot of moving parts to it, but from a security standpoint my manager was asked by his manager about the ability to do that. Sounds odd to me, but I have to ask.


3 Replies

@Travis-Fleming

No, I've never seen any Cisco guidelines on when to change a PSK; normally the recommendation is to secure VPN authentication using certificates. Generally I would make the PSK random, long, complex and unique per peer, which is good practice, and use Next Generation Encryption (NGE) algorithms.

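As an added illustration of the per-peer PSK practice described in the reply above (this script is not from the original thread, from Cisco, or from any product), the following inventory tool generates each peer's key from a CSPRNG, checks that no two peers share a key, flags keys that fail a basic strength check, and flags keys older than a chosen rotation interval, which is the "password age" policy the original question asks about, enforced on the operator's side rather than by the router. The peer names, the 32-character minimum length and the 365-day interval are assumptions; the sample inventory is constructed for the example.

```python
import secrets
import string
from datetime import date

# Alphabet for generated PSKs: letters, digits and a symbol set that is safe
# to paste into most CLI configurations (no quotes, spaces or backslashes).
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@^_"
PSK_LENGTH = 40        # assumption: ~250 bits of entropy with this alphabet
MIN_PSK_LENGTH = 32    # assumption: minimum accepted length for an existing key
MAX_PSK_AGE_DAYS = 365  # assumption: annual rotation interval


def psk_is_strong(psk, min_length=MIN_PSK_LENGTH):
    """True if the key is long enough and mixes lower, upper, digit and symbol."""
    if len(psk) < min_length:
        return False
    return (any(c.islower() for c in psk) and any(c.isupper() for c in psk)
            and any(c.isdigit() for c in psk) and any(not c.isalnum() for c in psk))


def generate_psk(length=PSK_LENGTH):
    """Draw a random key from the OS CSPRNG (secrets, never random.choice)
    and retry until it also passes the strength check."""
    while True:
        psk = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if psk_is_strong(psk):
            return psk


def audit_inventory(inventory, today, max_age_days=MAX_PSK_AGE_DAYS):
    """Return (peer, finding) tuples for weak, reused or rotation-due keys.

    inventory maps peer name -> {"psk": str, "issued": date}.
    """
    findings = []
    first_owner = {}  # psk -> first peer seen using it
    for peer in sorted(inventory):
        rec = inventory[peer]
        if not psk_is_strong(rec["psk"]):
            findings.append((peer, "weak"))
        if rec["psk"] in first_owner:
            findings.append((peer, "shared-with:" + first_owner[rec["psk"]]))
        else:
            first_owner[rec["psk"]] = peer
        if (today - rec["issued"]).days > max_age_days:
            findings.append((peer, "rotation-due"))
    return findings


def rotate(inventory, peer, today):
    """Replace one peer's key with a fresh one and reset its issue date."""
    new_psk = generate_psk()
    inventory[peer] = {"psk": new_psk, "issued": today}
    return new_psk


# Constructed sample inventory: one good key, one reused key, one weak key,
# and one strong key that is past the rotation interval.
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_INVENTORY = {
    "site-a": {"psk": "Qr7!xK2#mL9@pW4%vN6&zT1*bH8=cG3?dF5^", "issued": date(2024, 1, 15)},
    "site-b": {"psk": "Qr7!xK2#mL9@pW4%vN6&zT1*bH8=cG3?dF5^", "issued": date(2024, 2, 1)},
    "site-c": {"psk": "cisco123", "issued": date(2024, 3, 1)},
    "site-d": {"psk": "Ab1-Cd2+Ef3=Gh4?Ij5@Kl6#Mn7%Op8&Qr9*", "issued": date(2023, 1, 1)},
}

if __name__ == "__main__":
    for peer, finding in audit_inventory(SAMPLE_INVENTORY, SAMPLE_TODAY):
        print(f"{peer}: {finding}")
    # Rotating the stale peer clears its finding; the new key is what you would
    # load on both ends of that tunnel during the maintenance window.
    rotate(SAMPLE_INVENTORY, "site-d", SAMPLE_TODAY)
    print(audit_inventory(SAMPLE_INVENTORY, SAMPLE_TODAY))
```

The audit is deliberately vendor-neutral: it only models the operator's record of which key each peer was given and when, so the same check works whether the hub is an ASA or a router, and the rotation interval is a local policy decision rather than something the platform enforces.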
Thanks, not sure why I didn't think of the cert deal, that sounds like a winner to me.

Rotating certificates is how most SD-WAN solutions change out the "keys" on their IPsec tunnel overlays.
