Tip

This is the documentation for the 19.02 version.

IKE Authentication

After verifying the identity, TNSR will attempt to authenticate the peer using the secret from its configuration in one or two rounds. Most common configurations use only a single authentication round; however, in IKEv2 a tunnel may have two rounds of unique authentication.

tnsr(config-ipsec-crypto-ike)# authentication local
tnsr(config-ike-auth)# round 1
tnsr(config-ike-auth-round)# type psk
tnsr(config-ike-auth-round)# psk mysupersecretkey
tnsr(config-ike-auth-round)# exit
tnsr(config-ike-auth)# exit

The authentication local command defines the parameters used to authenticate outbound traffic. Once entered, that command switches to IKE Authentication mode (ike-auth).

This example has a single round of authentication, using a pre-shared key of mysupersecretkey. Thus, the type is set to psk and then the psk is set to the secret value.

Warning

Do not transmit the pre-shared key over an insecure channel such as plain text e-mail!

Note

Currently the only authentication type supported by TNSR is Pre-Shared Key.

tnsr(config-ipsec-crypto-ike)# authentication remote
tnsr(config-ike-auth)# round 1
tnsr(config-ike-auth-round)# type psk
tnsr(config-ike-auth-round)# psk mysupersecretkey
tnsr(config-ike-auth-round)# exit
tnsr(config-ike-auth)# exit

The remote authentication setup is typically identical to the local configuration, as it is in this example. This set of parameters is used to authenticate inbound traffic from the peer.
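A pre-deployment check for the local and remote authentication blocks above, as an added example that is not part of the TNSR documentation or product. It parses the command lines shown on this page and flags weak pre-shared keys and rounds configured on only one side; the 32-character minimum, the letters-only/digits-only rule and the function names are assumptions, not TNSR requirements.

```python
import re

# Constructed sample: the command sequence from this page, once per direction.
BLOCK = """\
tnsr(config-ipsec-crypto-ike)# authentication {side}
tnsr(config-ike-auth)# round 1
tnsr(config-ike-auth-round)# type psk
tnsr(config-ike-auth-round)# psk mysupersecretkey
tnsr(config-ike-auth-round)# exit
tnsr(config-ike-auth)# exit
"""
SAMPLE = BLOCK.format(side="local") + BLOCK.format(side="remote")

MIN_PSK_LEN = 32  # assumed local policy, not a TNSR requirement


def parse_auth(text):
    """Return {(direction, round): {"type": ..., "psk": ...}} from CLI lines."""
    rounds, direction, current = {}, None, None
    for line in text.splitlines():
        cmd = re.sub(r"^tnsr\([^)]*\)#\s*", "", line).split()
        if len(cmd) != 2:
            continue  # skips "exit" and blank lines
        if cmd[0] == "authentication":
            direction, current = cmd[1], None
        elif cmd[0] == "round" and direction:
            current = rounds.setdefault((direction, int(cmd[1])), {})
        elif cmd[0] in ("type", "psk") and current is not None:
            current[cmd[0]] = cmd[1]
    return rounds


def audit(rounds):
    """Return a sorted list of findings for the parsed rounds."""
    findings = []
    for (direction, num), cfg in rounds.items():
        psk = cfg.get("psk")
        if cfg.get("type") != "psk" or psk is None:
            findings.append(f"{direction} round {num}: expected type psk with a psk value")
        elif len(psk) < MIN_PSK_LEN or psk.isalpha() or psk.isdigit():
            findings.append(f"{direction} round {num}: weak psk")
    for direction, other in (("local", "remote"), ("remote", "local")):
        for (d, num) in rounds:
            if d == direction and (other, num) not in rounds:
                findings.append(f"round {num}: {direction} has no {other} counterpart")
    return sorted(findings)
```

Run against the page's example, `audit(parse_auth(SAMPLE))` reports the 16-character, letters-only key as weak in both directions.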