IPsec Pre-Shared Keys Tab

The Pre-Shared Keys tab under VPN > IPsec defines key and identifier pairs which are used for authenticating IPsec tunnels. Primarily this is intended for use with mobile IPsec, but there are occasional use cases for site-to-site tunnels as well.

Identifier

A string used to identify a peer. This is typically a username, a hostname, an E-mail address, or an IP address.

Secret Type

The type of secret to associate with this identity. It can be one of two types:

PSK

A traditional pre-shared key for use with most IKEv1 mobile IPsec configurations, site-to-site tunnels, and similar use cases.

EAP

An EAP key for use with IKEv2 mobile IPsec EAP-MSCHAPv2 authentication.

Pre-Shared Key

The contents of the key. As with a pre-shared key on an IPsec tunnel, this should be as long and complex as feasible. However, since this may be manually entered by a human in a manner similar to a password, it might need to be more user-friendly than the key for a site-to-site tunnel.

Warning

The contents of these passwords must be known to the IPsec daemon and thus they must be stored in plain text (Password Storage Security Policies). If this is not acceptable, consider using RADIUS-based authentication instead.

Additional options are available for EAP type keys:

Identifier Type

Manually sets the type of the Identifier field to override automatic behavior.

See also

See Phase 1 Proposal (Authentication) for explanations of the different identifier types.

Virtual Address Pool

A static IP address to assign to this particular peer. Leave blank to assign a random address from the pool defined on the Mobile Clients tab.

Warning

This configuration creates a new pool which must not overlap existing pools. As such, this address must be outside of the pool defined on the Mobile Clients tab and different from any other pool defined on other PSK tab entries.

DNS Server

A DNS server that the firewall will push to only this peer. Leave blank to use the DNS server value(s) from the Mobile Clients tab.
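As an added example (not part of this documentation), the following Python check models entries from this tab and validates the constraints described above: the secret type, the EAP-only options, and the warning that a per-peer virtual address must lie outside the Mobile Clients pool and must not be reused by another entry. The pool, identifiers and secrets are constructed placeholder values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class PskEntry:
    identifier: str                        # username, hostname, e-mail or IP address
    secret_type: str                       # "PSK" or "EAP"
    secret: str                            # the pre-shared key / EAP password
    virtual_address: Optional[str] = None  # EAP only: static address for this peer
    dns_server: Optional[str] = None       # EAP only: DNS server pushed to this peer

def validate_entries(entries, mobile_pool):
    """Return a list of problems (empty when the entries are consistent)."""
    pool = ipaddress.ip_network(mobile_pool, strict=False)  # Mobile Clients pool
    problems, seen_addrs = [], {}
    for e in entries:
        tag = e.identifier or "<empty identifier>"
        if not e.identifier:
            problems.append("entry with an empty identifier")
        if e.secret_type not in ("PSK", "EAP"):
            problems.append(f"{tag}: unknown secret type {e.secret_type!r}")
        if not e.secret:
            problems.append(f"{tag}: empty secret")
        if e.secret_type != "EAP" and (e.virtual_address or e.dns_server):
            problems.append(f"{tag}: virtual address and DNS server are EAP-only options")
        if e.virtual_address:
            try:
                addr = ipaddress.ip_address(e.virtual_address)
            except ValueError:
                problems.append(f"{tag}: invalid virtual address {e.virtual_address!r}")
                continue
            # A per-peer address is its own pool: outside the Mobile Clients pool, never reused.
            if addr in pool:
                problems.append(f"{tag}: {addr} overlaps the Mobile Clients pool {pool}")
            if addr in seen_addrs:
                problems.append(f"{tag}: {addr} already assigned to {seen_addrs[addr]}")
            seen_addrs[addr] = e.identifier
    return problems

# Constructed sample entries; pool and secrets are placeholders, not real values.
SAMPLE_POOL = "10.99.0.0/24"
SAMPLE_ENTRIES = [
    PskEntry("alice@example.com", "EAP", "placeholder-secret-1", "10.98.0.10", "10.98.0.1"),
    PskEntry("bob@example.com", "EAP", "placeholder-secret-2", "10.99.0.20"),    # inside pool
    PskEntry("carol@example.com", "EAP", "placeholder-secret-3", "10.98.0.10"),  # reused
    PskEntry("branch.example.com", "PSK", "placeholder-secret-4", dns_server="10.98.0.1"),
]
def check_sample():
    return validate_entries(SAMPLE_ENTRIES, SAMPLE_POOL)
```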