ASA L2L VPN--, same key or 2 different keys?

Mic_Jameson · ‎12-22-2022

Hello. Please clarify: Do the 2 VPN tunnel ends each share a unique key= 2 keys in total, or must they use a single same key? I'm confused because I've seen a configuration with only one key... https://youtu.be/sIbi_bYb2k4?t=365

In other words, does the below tunnel configuration snippet make sense?

#tunnel group 1.2.3.4 ipsec-attributes

#ikev2 remote-authentication pre-shared-key KeY12345$

#ikev2 local-authentication pre-shared-key kEy56789!

Thank you for your replies.

balaji.bandi · ‎12-22-2022

if this 2 Tunnels, i would suggest to use 2 different key for more security.

for Lab purpose most people use cicso123 ( on prodction you should use more secure PSK)

and shared securly each other.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rob Ingram · ‎12-22-2022

@Mic_Jameson the example you provided makes senses, as it is using IKEv2, which allows the use of unique local PSK and a remote PSK. The local and remote PSK do not need to be the same. However the local PSK on peer 1 needs to match the remote PSK on peer 2 and remote PSK on peer 1 needs to match the local PSK on peer 2. Example:

Peer 1 local PSK - Cisco1234
Peer 1 remote PSK - 4321Cisco
Peer 2 local PSK - 4321Cisco
Peer 2 remote PSK - Cisco1234

Alternatively you could use the same local/remote PSK.

Karsten Iwen · ‎12-23-2022

Some more info to add:

It is not only different keys for remote- and local-auth that IKEv2 can do. It's also completely different auth-methods like PSK in one direction and certificates in the other.

But with all this flexibility, for the "real world" always make sure that the other side can do what you want to implement. Not all platforms allow you to use different keys for remote- and local authentication.

Mic_Jameson · ‎12-24-2022

Thank you all for your replies. May we dive deeper?...

My understanding of ISAKMP cryptography is that each side must have it own private key, because each side incorporates first its own private keying material into the AES algorithm, then second it combines the remote side's post-AES keying material into the AES algorithm so that at the end both peers share a final same symmetric key.

I understand that these initial private keys could be, for convenience, the same key-string on both sides; but in reality aren't there 2 original private keys? If so, when one side only configures a single key-string, does the software simply implicitly understand to use that key-string twice?

Perhaps I'm very confused.

I look forward to your replies. Thank you.

Karsten Iwen · ‎12-24-2022

We should not call anything here "private key" when talking about either the PSKs or the symmetric session keys. There are private keys involved when the peers do the Diffie-Hellman exchange, but they are not visible to the Admin.

For the PSK, they are used for the authentication of the peers because the DH-exchange is not MitM-safe. They don't go directly into the sessions keys that are derives by Diffie-Hellman, although they are part of the computation of the session keys.

I think you are still talking about the PSK. Here both peers need to make sure that the same key is used when one peer authenticates the other. And this authentication is dome mutually, peer1 authenticates peer2 and peer2 authenticates peer1.

MHM Cisco World · ‎12-24-2022

friend in IPsec there are many many key
the key you talk about is Yes must be same but this key is not PSK that use for auth & ID, this key is key come from DH algorithm, the DH algorithm that build key from phase1 message exchange.

MHM Cisco World · ‎12-23-2022

for IKEv1 the password must be same.
for IKEv2 the password can be same or different.