Tip

This is the documentation for the 20.08 version. Looking for the documentation of the latest version? Have a look here.

IKE Authentication

After verifying the identity, TNSR will attempt to authenticate the peer using the secret from its configuration in one or two round passes. In most common configurations there is only a single authentication round, however in IKEv2 a tunnel may have two rounds of unique authentication.

From within config-ipsec-crypto-ike mode, use the authentication local and authentication remote commands to configure local and remote authentication information. In either case, the authentication command enters config-ike-auth mode.

TNSR will use the parameters under authentication local to authenticate outbound traffic and the authentication remote parameters are used to authenticate inbound traffic.

Note

With pre-shared key mode, most real-world configurations use identical values for both local and remote authentication.

From config-ike-auth mode, the round <n> command configures parameters for round 1 or 2. As mentioned previously, most configurations will only use round 1. The round command then enters config-ike-auth-round mode.

In config-ike-auth-round mode, the following commands are available:

type <name>:

The type of authentication to perform.

Currently the only authentication type supported by TNSR is psk (pre-shared key).

psk <text>:

For psk type authentication, this command defines the pre-shared key value.

IKE Authentication Example

This example only has one single round of authentication, a pre-shared key of mysupersecretkey. Thus, the type is set to psk and then the psk is set to the secret value.

Warning

Do not transmit the pre-shared key over an insecure channel such as plain text e-mail!

First, add the local authentication parameters:

tnsr(config-ipsec-crypto-ike)# authentication local
tnsr(config-ike-auth)# round 1
tnsr(config-ike-auth-round)# type psk
tnsr(config-ike-auth-round)# psk mysupersecretkey
tnsr(config-ike-auth-round)# exit
tnsr(config-ike-auth)# exit

Next, configure the remote authentication parameters. As in most practical uses, this is set identically to the local authentication value.

tnsr(config-ipsec-crypto-ike)# authentication remote
tnsr(config-ike-auth)# round 1
tnsr(config-ike-auth-round)# type psk
tnsr(config-ike-auth-round)# psk mysupersecretkey
tnsr(config-ike-auth-round)# exit
tnsr(config-ike-auth)# exit