Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1221
Views
0
Helpful
3
Replies

Site-to-Site Tunnel Pre-Shared Key Security

escamodman
Level 1
Level 1

‎03-10-2006 01:26 PM - edited ‎03-09-2019 02:13 PM

Hi everyone,

I have a few questions regarding site-to-site tunnel pre-shared keys.

Our company is in the process of security auditing and changing passwords. The location I am in has 3 tunnels with 3 other locations. I should mention we recently had a network intrusion, due to static route to an unsecured server.

How secure are the pre-shared keys used for the tunnels?

What encryption system do they have?

How easy are they to hack?

Should they be changed on a regular basis (like normal passwords)?

My dilemma is:

A) I like to make the firewalls as secure as possible

B) I do not want to create downtime (which changing shared keys will cause)

I appreciate it if someone could address my questions.

BTW I am somewhat of a beginner, and definitely not a pro!

Labels:
0 Helpful
3 Replies 3

rsmith
Level 3
Level 3

‎03-10-2006 02:33 PM

The pre-shared key is stored (encrypted) on the PIX at each end using the same algorithm as the enable password. To hack, a person would need to log into the PIX, find the hash, and then somehow decrypt it. The pre-shared key, even though it is used for establishing a tunnel to another site, is not actually sent during the encryption phase. It is used to create a hash that both sides of the link use in establishing the tunnel and the dynamic key that is used between them.

If you are using static point-to-point sites, you should not need to change your shared key, as any attempt to create a VPN tunnel that does not have the exact IP address of your other side will be dropped without even negotiating the tunnel. Please refer to this link for more information.

http://www.cisco.com/en/US/customer/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008017278c.html#wp1032898

"Using IKE with PreShare Keys" may help a lot.

Hope this helps.

0 Helpful

escamodman
Level 1
Level 1
In response to rsmith

‎03-11-2006 11:37 AM

When I clicked on the link you provided it asked for a username and password (and it did not accept the one I use for the forum).

What user name password do I need to access it ?

Another question I have:

In the scenario in which ONE of the firewalls goes down and the tunnel is broken (say the firewall is flashed/upgraded), would providing the old key (which is still stored by the firewall that is still running) work ? Would the tunnel be re-established or does the whole site-to-site tunnel have to be recreated from scratch?

Thanks for the reply.

0 Helpful

aashish.c
Level 4
Level 4
In response to escamodman

‎03-13-2006 01:10 AM

HI

AFAIK changing IOS should not effect the key. But if u r changing the Flash then you need to reconfigure the key only, provided you have taken a backup of old config.

I would also suggest you to PFS (Perfect Forward Secrecy) in VPN tunnels.

With PFS, every time a new security association is negotiated, a new Diffie-Hellman exchange occurs, which requires additional processing time.

PFS adds another level of security because if one key is ever cracked by an attacker, only the data sent with that key is compromised.

crypto map map-name seq-num set pfs [group1 | group2]

regards

aashish C

0 Helpful
Customers Also Viewed These Support Documents