Using Pre-Shared Keys (PSK)

You don't always have to use RSA type keys. Sometimes the VPN device at the other end of the tunnel won't support them, but will accept a simpler pre-shared key. Here is how to do it:

1. Create the PSK using one of two methods. You can create a random pre-shared key using the ipsec command:

[root@vpn2 tmp]# ipsec ranbits --continuous 128
0x33893a081b34d32a362a46c404ca32d8
[root@vpn2 tmp]#

Or, you can make one up yourself. Make it long (over 20 bytes), as in:

Nonebutourselvescanfreeourminds

2. Update /etc/ipsec.secrets by adding a line in this format at the beginning of the file:

vpn1-ip-address vpn2-ip-address : PSK "key in quotations"

For this example the line is:

97.158.253.25 6.25.232.6 : PSK "nonebutourselvescanfreeourminds"

The key is case-sensitive and must be entered identically on both VPN devices, and /etc/ipsec.secrets should be readable by root only.

3. Update /etc/ipsec.conf. The PSK configuration is very similar to the RSA configuration, with the exception that the leftid, rightid, leftrsasigkey, and rightrsasigkey fields are omitted from the relevant conn subsection. Also add the authby=secret setting to the configuration:

    conn net-to-net
        authby=secret
        left=97.158.253.25
        leftsubnet=172.16.1.0/24
        leftnexthop=%defaultroute
        right=6.25.232.1
        rightsubnet=10.0.0.0/24
        rightnexthop=97.158.253.25
        auto=start

Remember to have the same configuration on the Linux VPN boxes on either side of the tunnel and to restart Openswan to activate the new settings.
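As an added example (not from the original page or from Openswan itself), here is a small POSIX shell helper that generates a 128-bit key on hosts where ipsec ranbits is unavailable and sanity-checks that a conn using authby=secret has a matching, sufficiently long, root-only PSK line before the files are copied into /etc. The function names, the file-path arguments and the 192.0.2.1/198.51.100.7 sample addresses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: helper checks for an Openswan PSK setup.
# Assumes the ipsec.conf / ipsec.secrets syntax shown above; paths are passed as
# arguments so the checks can be run against copies before touching /etc.

# gen_psk: 128 random bits as hex, for hosts where "ipsec ranbits" is unavailable
gen_psk() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# check_psk CONF SECRETS: verify the conn and the PSK line agree; returns 0 when all checks pass
check_psk() {
    conf=$1; secrets=$2; rc=0
    left=$(awk -F= '$1 ~ /^[ \t]*left$/  {print $2; exit}' "$conf")
    right=$(awk -F= '$1 ~ /^[ \t]*right$/ {print $2; exit}' "$conf")
    if ! grep -q '^[[:space:]]*authby=secret' "$conf"; then
        echo "authby=secret missing from $conf"; rc=1
    fi
    # the PSK line must name exactly these two peers (either order) and quote the key
    key=$(awk -v l="$left" -v r="$right" '
        $3 == ":" && $4 == "PSK" && (($1 == l && $2 == r) || ($1 == r && $2 == l)) {
            if (match($0, /"[^"]*"/)) { print substr($0, RSTART + 1, RLENGTH - 2); exit }
        }' "$secrets")
    if [ -z "$key" ]; then
        echo "no PSK line for $left <-> $right in $secrets"; rc=1
    elif [ "${#key}" -le 20 ]; then
        echo "PSK is only ${#key} bytes; use more than 20"; rc=1
    fi
    # the secrets file must not be readable by other users
    if [ -n "$(find "$secrets" -perm -004)" ]; then
        echo "$secrets is world-readable; chmod 600 it"; rc=1
    fi
    return $rc
}

# Constructed sample files (not the page's own); peer addresses are deliberately consistent
write_samples() {
    dir=$1
    printf 'conn net-to-net\n    authby=secret\n    left=192.0.2.1\n    leftsubnet=172.16.1.0/24\n    right=198.51.100.7\n    rightsubnet=10.0.0.0/24\n    auto=start\n' > "$dir/ipsec.conf"
    printf '192.0.2.1 198.51.100.7 : PSK "%s"\n' "$(gen_psk)" > "$dir/ipsec.secrets"
    chmod 600 "$dir/ipsec.secrets"
}

d=$(mktemp -d)
write_samples "$d"
if check_psk "$d/ipsec.conf" "$d/ipsec.secrets"; then echo "PSK setup looks consistent"; fi
```

Run it against copies of both files; a non-zero exit with the printed reason means the tunnel would fail to authenticate or the key is exposed.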