10-01-2012 09:20 AM
Hi Team,
I would like to know about pre-shared key configured on router.
While configuring site-to-site VPN on two routers we are using pre-shared keys.
Now we are manually configuring keys on both routers statically.
Can we use any router as a key management server which will change pre-shared keys dynamically?
Regards
Vaishali
10-01-2012 09:35 AM
Hi,
Are you referring to GET VPN?
Thanks.
Portu.
10-01-2012 10:48 AM
The router doesn't have any management-features for PSKs. In general they are not changed very often which is not a really good practice. But to still be secure there are two ways to secure your VPN:
1) Use really long PSKs (they can be up to 128 characters and should be completely random) and configure PSK-encryption. Use different PSKs for different VPNs.
2) Change the authentication to RSA-Sig with digital certificates. The IOS-router has a built-in CA, so that's a little bit the management-server you are looking for.
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
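A sketch of option 1 from the reply above, added here as an example and not code from the thread or from Cisco: it draws one 128-character random PSK per peer and renders the matching IOS lines with AES password encryption turned on. The function names, the alphanumeric-only alphabet and the sample peer addresses are assumptions made for the illustration.

```python
import ipaddress
import secrets
import string

# Assumption: letters and digits only, so no character needs special
# handling when the key is pasted at the IOS command line.
ALPHABET = string.ascii_letters + string.digits
PSK_LENGTH = 128  # maximum length given in the reply above


def generate_psk(length=PSK_LENGTH):
    """Return a pre-shared key drawn from the operating system's CSPRNG."""
    if not 1 <= length <= PSK_LENGTH:
        raise ValueError(f"length must be between 1 and {PSK_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def psks_for_peers(peers):
    """Give every peer address its own key; reject bad or repeated addresses."""
    keys = {}
    for peer in peers:
        addr = str(ipaddress.ip_address(peer))  # ValueError on malformed input
        if addr in keys:
            raise ValueError(f"duplicate peer {addr}")
        keys[addr] = generate_psk()
    return keys


def render_ios(keys):
    """Render the configuration lines for one router.

    The master key is deliberately not generated or printed here: it is
    typed interactively with 'key config-key password-encrypt' so that it
    never lands in a file next to the keys it protects.
    """
    lines = [
        "! first, on the console: key config-key password-encrypt",
        "password encryption aes",
    ]
    lines += [f"crypto isakmp key {psk} address {addr}"
              for addr, psk in keys.items()]
    return "\n".join(lines)


# Constructed sample peers (RFC 5737 documentation addresses).
SAMPLE_PEERS = ["192.0.2.1", "198.51.100.7", "203.0.113.20"]

if __name__ == "__main__":
    print(render_ios(psks_for_peers(SAMPLE_PEERS)))
```

Each generated key also has to be configured on the remote router for that tunnel, so the output should be moved over a protected channel and not left in shell history or tickets.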
10-01-2012 01:38 PM
In case you were not talking about a Key server like in GET VPN, then check Karsten's post (5 stars).
At this point, you could use the LOCAL CA server of IOS in order to manage a "small" PKI infrastructure.
Cisco IOS Certification Authority
HTH.
Portu.
10-01-2012 10:59 PM