08-02-2021 11:24 AM
Hello, we have 15+ home users with Cisco C881k9 routers that are doing an automatic ikev2 site-to-site VPN connection back to our head-end VPN concentrating Cisco ASA 5525-X firewall. The home users obviously have DHCP public IP addresses.
Does anyone else ever go through and change the keystring password for your peer VPN on an annual, bi-annual basis? In reading Cisco best practice documentation they just say to pick a very secure password, but nothing on password age.
I understand changing that password would have a lot of moving parts to it, but from a security standpoint my manager was asked from his manager on the ability to do that. Sounds odd to me, but I have to ask.
Solved! Go to Solution.
08-02-2021 11:39 AM
No, I've never seen any Cisco guidelines on when to change PSK; normally the recommendation is to secure VPN authentication using certificates. Generally I would make the PSK random, long, complex and unique per peer, which is good practice, and use Next Generation Encryption (NGE) algorithms.
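The reply above recommends PSKs that are random, long, complex and unique per peer, and the original question is about key age. The following Python script is an added example, not code from this thread or from Cisco: it generates a per-peer PSK from the OS CSPRNG, reports its entropy, flags peers whose key is older than a chosen rotation age, and renders the spoke-side IOS IKEv2 keyring stanza. The peer names, issue dates, keyring name and hub address are constructed placeholders.

```python
import math
import secrets
import string
from datetime import date

# Alphabet deliberately limited to letters and digits so the key never needs
# quoting or escaping on an IOS/ASA CLI line.
PSK_ALPHABET = string.ascii_letters + string.digits

# Reference date for age checks (the thread's date, used here as "today").
REFERENCE_DATE = date(2021, 8, 2)

# Constructed inventory: hypothetical home-peer names and the date each PSK was set.
EXAMPLE_ISSUED = {
    "HOME-01": date(2020, 6, 1),
    "HOME-02": date(2021, 3, 15),
    "HOME-03": date(2019, 11, 20),
}


def generate_psk(length: int = 64) -> str:
    """Return a random PSK drawn from the OS CSPRNG via the secrets module."""
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def psk_entropy_bits(psk: str, alphabet: str = PSK_ALPHABET) -> float:
    """Entropy upper bound, assuming each character was chosen uniformly from alphabet."""
    return len(psk) * math.log2(len(alphabet))


def peers_due_for_rotation(issued: dict, today: date, max_age_days: int = 365) -> list:
    """Names of peers whose PSK is at least max_age_days old, sorted for stable output."""
    return sorted(name for name, set_on in issued.items()
                  if (today - set_on).days >= max_age_days)


def build_rotation_plan(issued: dict, today: date, max_age_days: int = 365) -> dict:
    """Generate a fresh PSK for every peer that is due; keys are unique per peer."""
    plan = {name: generate_psk() for name in peers_due_for_rotation(issued, today, max_age_days)}
    if len(set(plan.values())) != len(plan):  # astronomically unlikely, but check anyway
        raise RuntimeError("duplicate PSK generated")
    return plan


def render_ios_keyring(keyring_name: str, peer_name: str, hub_ip: str, psk: str) -> str:
    """IOS IKEv2 keyring stanza for the home-router (spoke) side with one symmetric key."""
    return "\n".join([
        f"crypto ikev2 keyring {keyring_name}",
        f" peer {peer_name}",
        f"  address {hub_ip}",
        f"  pre-shared-key {psk}",
    ])


if __name__ == "__main__":
    plan = build_rotation_plan(EXAMPLE_ISSUED, REFERENCE_DATE)
    for peer, psk in plan.items():
        print(f"! {peer}: new PSK with about {psk_entropy_bits(psk):.0f} bits of entropy")
        # Hub address and keyring name are placeholders, not values from the thread.
        print(render_ios_keyring("HUB-KEYRING", "HUB", "203.0.113.10", psk))
```

Each rotated key must be applied to both ends (the home router keyring and the matching ASA tunnel-group), which is the "moving parts" cost the question alludes to; with certificate authentication, the equivalent step is renewing each peer's certificate instead of redistributing shared secrets.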
08-02-2021 11:48 AM
Thanks, not sure why I didn't think of the cert deal, that sounds like a winner to me.
08-02-2021 12:48 PM
Rotating certificates is how most SD-WAN solutions change out the "keys" on their IPsec tunnel overlays.