×

Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

Site-to-Site Tunnel Pre-Shared Key Security

Unanswered Question
Mar 10th, 2006
User Badges:

Hi everyone,


I have a few questions regarding site-to-site tunnel pre-shared keys.

Our company is in the process of security auditing and changing passwords. The location I am in has 3 tunnels with 3 other locations. I should mention we recently had a network intrusion, due to static route to an unsecured server.


How secure are the pre-shared keys used for the tunnels?

What encryption system do they have?

How easy are they to hack?

Should they be changed on a regular basis (like normal passwords)?


My dilemma is:

A) I like to make the firewalls as secure as possible

B) I do not want to create downtime (which changing shared keys will cause)


I appreciate it if someone could address my questions.


BTW I am somewhat of a beginner, and definitely not a pro!


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.

The pre-shared key is stored (encrypted) on the PIX at each end using the same algorithm as the enable password. To hack, a person would need to log into the PIX, find the hash, and then somehow decrypt it. The pre-shared key, even though it is used for establishing a tunnel to another site, is not actually sent during the encryption phase. It is used to create a hash that both sides of the link use in establishing the tunnel and the dynamic key that is used between them.

If you are using static point-to-point sites, you should not need to change your shared key, as any attempt to create a VPN tunnel that does not have the exact IP address of your other side will be dropped without even negotiating the tunnel. Please refer to this link for more information.

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278c.html#wp1032898

"Using IKE with PreShare Keys" may help a lot.


Hope this helps.



escamodman Sat, 03/11/2006 - 11:37
User Badges:

When I clicked on the link you provided it asked for a username and password (and it did not accept the one I use for the forum).

What user name password do I need to access it ?


Another question I have:


In the scenario in which ONE of the firewalls goes down and the tunnel is broken (say the firewall is flashed/upgraded), would providing the old key (which is still stored by the firewall that is still running) work ? Would the tunnel be re-established or does the whole site-to-site tunnel have to be recreated from scratch?


Thanks for the reply.


aashish.c Mon, 03/13/2006 - 01:10
User Badges:
  • Bronze, 100 points or more

HI


AFAIK changing IOS should not effect the key. But if u r changing the Flash then you need to reconfigure the key only, provided you have taken a backup of old config.


I would also suggest you to PFS (Perfect Forward Secrecy) in VPN tunnels.


With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time.


PFS adds another level of security because if one key is ever cracked by an attacker, only the data sent with that key is compromised.



crypto map map-name seq-num set pfs [group1 | group2]


regards

aashish C

Actions

This Discussion