Tip

This is the documentation for the 24.06 version. Looking for the documentation of the latest version? Have a look here.

IKE Authentication

After verifying the identity, TNSR will attempt to authenticate the peer using the secret from its configuration in one or two round passes. In most common configurations there is only a single authentication round, however in IKEv2 a tunnel may have two rounds of unique authentication.

From within config-ipsec-crypto-ike mode, use the authentication local and authentication remote commands to configure local and remote authentication information. In either case, the authentication command enters config-ike-authentication mode.

TNSR will use the parameters under authentication local to authenticate outbound traffic and the authentication remote parameters are used to authenticate inbound traffic.

Note

With pre-shared key mode, most real-world configurations use identical values for both local and remote authentication.

From config-ike-authentication mode, the round <n> command configures parameters for round 1 or 2. As mentioned previously, most configurations will only use round 1. The round command then enters config-ike-authentication-round mode.

In config-ike-authentication-round mode, one of the following commands can be used to configure the authentication type and parameters:

Note

Only one type of authentication is possible per round. Entering a command for any type of authentication will remove any other existing authentication configuration from the round, leaving only the new value.

psk <text>:

For psk type authentication, this command defines the pre-shared key value.

ca-certificate <ca-name>:

A certificate authority used to setup a trust chain for a remote certificate. The CA must be present in TNSR, either by importing the CA or generating it using the TNSR CLI. See Public Key Infrastructure for details.

Used only in remote authentication. The remote peer sends a certificate and the IPsec daemon uses this CA to determine if the certificate is valid and trusted.

eap-tls-ca-certificate <ca-name>:

A certificate authority used to setup a trust chain for validation of remote certificates supplied by connecting remote access clients using EAP-TLS.

Works the same as ca-certificate but configures the tunnel for EAP-TLS remote access clients instead of site-to-site.

eap-radius:

When set, TNSR considers this a remote access IPsec tunnel which authenticates connecting remote access clients via username and password validated using EAP-RADIUS.

The RADIUS server TNSR uses to authenticate users in this mode is set in IPsec Global Options.

certificate <cert-name>:

A certificate the IPsec daemon will send to the peer for authentication. The certificate must be present in TNSR, either by importing the certificate or generating it using the TNSR CLI. See Public Key Infrastructure for details.

Used only in local authentication. The peer must have a copy of the certificate authority which signed this certificate for validation purposes.

Warning

Though these commands define CA and certificate entries to use with the IPsec daemon, the daemon requires the IKE identities to match fields present in the certificates in order for it to locate the correct entries. In most cases this means using the certificate subject (DN) of each peer, but can also work with Subject Alternative Name (SAN) entries if they are present in the certificate data.

IKE Authentication Example

This example only has one single round of authentication, a pre-shared key of mysupersecretkey. Thus, the type is set to psk and then the psk is set to the secret value.

Warning

Do not transmit the pre-shared key over an insecure channel such as plain text e-mail!

First, add the local authentication parameters:

tnsr(config-ipsec-crypto-ike)# authentication local
tnsr(config-ike-authentication)# round 1
tnsr(config-ike-authentication-round)# psk mysupersecretkey
tnsr(config-ike-authentication-round)# exit
tnsr(config-ike-authentication)# exit

Next, configure the remote authentication parameters. As in most practical uses, this is set identically to the local authentication value.

tnsr(config-ipsec-crypto-ike)# authentication remote
tnsr(config-ike-authentication)# round 1
tnsr(config-ike-authentication-round)# psk mysupersecretkey
tnsr(config-ike-authentication-round)# exit
tnsr(config-ike-authentication)# exit