Tip
This is the documentation for the 20.02 version. Looking for the documentation of the latest version? Have a look here.
IKE Authentication¶
After verifying the identity, TNSR will attempt to authenticate the peer using
the secret from its configuration in one or two round
passes. In most
common configurations there is only a single authentication round, however in
IKEv2 a tunnel may have two rounds of unique authentication.
From within config-ipsec-crypto-ike
mode, use the authentication local
and authentication remote
commands to configure local and remote
authentication information. In either case, the authentication
command
enters config-ike-auth
mode.
TNSR will use the parameters under authentication local
to authenticate
outbound traffic and the authentication remote
parameters are used to
authenticate inbound traffic.
Note
With pre-shared key mode, most real-world configurations use identical values for both local and remote authentication.
From config-ike-auth
mode, the round <n>
command configures parameters
for round 1
or 2
. As mentioned previously, most configurations will only
use round 1
. The round
command then enters config-ike-auth-round
mode.
In config-ike-auth-round
mode, the following commands are available:
- type <name>:
The type of authentication to perform.
Currently the only authentication type supported by TNSR is
psk
(pre-shared key).- psk <text>:
For
psk
type authentication, this command defines the pre-shared key value.
IKE Authentication Example¶
This example only has one single round of authentication, a pre-shared key of
mysupersecretkey
. Thus, the type
is set to psk
and then the psk
is set to the secret value.
Warning
Do not transmit the pre-shared key over an insecure channel such as plain text e-mail!
First, add the local authentication parameters:
tnsr(config-ipsec-crypto-ike)# authentication local
tnsr(config-ike-auth)# round 1
tnsr(config-ike-auth-round)# type psk
tnsr(config-ike-auth-round)# psk mysupersecretkey
tnsr(config-ike-auth-round)# exit
tnsr(config-ike-auth)# exit
Next, configure the remote authentication parameters. As in most practical uses, this is set identically to the local authentication value.
tnsr(config-ipsec-crypto-ike)# authentication remote
tnsr(config-ike-auth)# round 1
tnsr(config-ike-auth-round)# type psk
tnsr(config-ike-auth-round)# psk mysupersecretkey
tnsr(config-ike-auth-round)# exit
tnsr(config-ike-auth)# exit