After verifying the identity, TNSR will attempt to authenticate the peer using the secret from its configuration in one or two round passes. In most common configurations there is only a single authentication round; however, in IKEv2 a tunnel may have two rounds of unique authentication.
From within config-ipsec-crypto-ike mode, use the authentication local and authentication remote commands to configure local and remote authentication information. In either case, TNSR will use the parameters under authentication local to authenticate outbound traffic, and the authentication remote parameters to authenticate inbound traffic.
With pre-shared key mode, most real-world configurations use identical values for both local and remote authentication.
From within config-ike-auth mode, the round <n> command configures parameters for round 1 or 2. As mentioned previously, most configurations will only use round 1. The round command then enters config-ike-auth-round mode.
In config-ike-auth-round mode, the following commands are available:
- type <name>
  The type of authentication to perform. Currently the only authentication type supported by TNSR is psk.
- psk <text>
  For psk type authentication, this command defines the pre-shared key value.
IKE Authentication Example
This example has only a single round of authentication, with a pre-shared key of mysupersecretkey. Thus, the type is set to psk and then the psk is set to the secret value.
Do not transmit the pre-shared key over an insecure channel such as plain text e-mail!
First, add the local authentication parameters:

    tnsr(config-ipsec-crypto-ike)# authentication local
    tnsr(config-ike-auth)# round 1
    tnsr(config-ike-auth-round)# type psk
    tnsr(config-ike-auth-round)# psk mysupersecretkey
    tnsr(config-ike-auth-round)# exit
    tnsr(config-ike-auth)# exit

Next, configure the remote authentication parameters. As in most practical uses, this is set identically to the local authentication value.

    tnsr(config-ipsec-crypto-ike)# authentication remote
    tnsr(config-ike-auth)# round 1
    tnsr(config-ike-auth-round)# type psk
    tnsr(config-ike-auth-round)# psk mysupersecretkey
    tnsr(config-ike-auth-round)# exit
    tnsr(config-ike-auth)# exit
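
A pre-deployment check for the command sequence above, written as an added example (it is not part of the TNSR documentation or Netgate code). It parses a saved CLI transcript and reports a missing round 1, the documentation key left in place, short keys, and a local/remote mismatch. The function names, the `MIN_PSK_LEN` threshold and the length-only strength test are assumptions.

```python
import re

# Constructed sample: the command sequence from the example on this page.
SIDE = """tnsr(config-ipsec-crypto-ike)# authentication {side}
tnsr(config-ike-auth)# round 1
tnsr(config-ike-auth-round)# type psk
tnsr(config-ike-auth-round)# psk {psk}
tnsr(config-ike-auth-round)# exit
tnsr(config-ike-auth)# exit
"""
SAMPLE = "".join(SIDE.format(side=s, psk="mysupersecretkey") for s in ("local", "remote"))
PLACEHOLDER_KEYS = {"mysupersecretkey"}  # documentation value, never deploy it
MIN_PSK_LEN = 32  # assumption: a local policy threshold, not a TNSR limit
PROMPT = re.compile(r"^tnsr\(([\w-]+)\)#\s*(\S+)\s*(.*)$")

def parse_auth(text):
    """Return {(side, round): {"type": ..., "psk": ...}} from a CLI transcript."""
    rounds, side, rnd = {}, None, None
    for line in text.splitlines():
        m = PROMPT.match(line.strip())
        if not m:
            continue
        mode, verb, arg = m.group(1), m.group(2), m.group(3).strip()
        if mode == "config-ipsec-crypto-ike" and verb == "authentication":
            side, rnd = arg, None          # a new side starts with no round selected
        elif mode == "config-ike-auth" and verb == "round" and arg.isdigit():
            rnd = int(arg)
            rounds.setdefault((side, rnd), {})
        elif mode == "config-ike-auth-round" and verb in ("type", "psk"):
            rounds.setdefault((side, rnd), {})[verb] = arg
    return rounds

def audit(text):
    """List findings for a transcript without ever echoing a key value."""
    rounds = parse_auth(text)
    findings = [f"{s}: round 1 is not configured"
                for s in ("local", "remote") if (s, 1) not in rounds]
    for (side, rnd), cfg in rounds.items():
        key = cfg.get("psk", "")
        if cfg.get("type") != "psk" or not key:
            findings.append(f"{side} round {rnd}: type psk with a key is required")
        elif key in PLACEHOLDER_KEYS:
            findings.append(f"{side} round {rnd}: documentation placeholder key")
        elif len(key) < MIN_PSK_LEN:
            findings.append(f"{side} round {rnd}: key shorter than {MIN_PSK_LEN}")
    keys = [rounds.get((s, 1), {}).get("psk") for s in ("local", "remote")]
    if all(keys) and keys[0] != keys[1]:
        findings.append("round 1: local and remote keys differ, confirm intent")
    return findings
```

Run `audit()` over the saved transcript before applying it; an empty list means none of these checks fired.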