Solved: Site-to-Site VPN password best practices

Travis-Fleming · ‎08-02-2021

Hello, we have 15+ home users with Cisco C881k9 routers that are doing an automatic ikev2 site-to-site VPN connection back to our head-end VPN concentrating Cisco ASA 5525-X firewall. The home users obviously have DHCP public IP addresses.

Does anyone else ever go through and change the keystring password for your peer VPN on an annual, bi-annual basis? IN reading cisco best practice documentation they just say to pick a very secure password, but nothing on password age.

I understand changing that password would have a lot of moving parts to it, but from a security standpoint my manager was asked from his manager on the ability to do that. Sounds odd to me, but I have to ask.

Rob Ingram · ‎08-02-2021

@Travis-Fleming

No, I've never seen any cisco guidelines on when to change PSK, normally the recommendation is to secure VPN authentication using certificates. Generally I would make the PSK random, long, complex and unique per peer is good practice and use Next Generation Encryption (NGE) algorithms.

View solution in original post

Rob Ingram · ‎08-02-2021

@Travis-Fleming

No, I've never seen any cisco guidelines on when to change PSK, normally the recommendation is to secure VPN authentication using certificates. Generally I would make the PSK random, long, complex and unique per peer is good practice and use Next Generation Encryption (NGE) algorithms.

Travis-Fleming · ‎08-02-2021

Thanks, not sure why I didn't think of the cert deal, that sounds like a winner to me.

Marvin Rhoads · ‎08-02-2021

Rotating certificates is how most SD-WAN solutions change out the "keys" on tier IPsec tunnel overlays.