I have a few questions regarding site-to-site tunnel pre-shared keys.
Our company is in the process of security auditing and changing passwords. The location I am in has 3 tunnels with 3 other locations. I should mention we recently had a network intrusion, due to a static route to an unsecured server.
How secure are the pre-shared keys used for the tunnels?
What encryption system do they have?
How easy are they to hack?
Should they be changed on a regular basis (like normal passwords)?
My dilemma is:
A) I like to make the firewalls as secure as possible
B) I do not want to create downtime (which changing shared keys will cause)
I appreciate it if someone could address my questions.
BTW I am somewhat of a beginner, and definitely not a pro!
The pre-shared key is stored (encrypted) on the PIX at each end using the same algorithm as the enable password. To hack, a person would need to log into the PIX, find the hash, and then somehow decrypt it. The pre-shared key, even though it is used for establishing a tunnel to another site, is not actually sent during the encryption phase. It is used to create a hash that both sides of the link use in establishing the tunnel and the dynamic key that is used between them.
If you are using static point-to-point sites, you should not need to change your shared key, as any attempt to create a VPN tunnel that does not have the exact IP address of your other side will be dropped without even negotiating the tunnel. Please refer to this link for more information.
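As an added illustration (not from the original thread or from Cisco) of the point above that the pre-shared key is never sent and is only used to derive the session keys, here is the IKEv1 phase 1 key derivation for pre-shared-key authentication from RFC 2409 section 5, assuming SHA-1 as the negotiated hash; the nonces, cookies and Diffie-Hellman secret are constructed sample values.

```python
import hmac
import hashlib


def prf(key: bytes, data: bytes) -> bytes:
    # IKEv1 "prf" is HMAC keyed with the negotiated hash; SHA-1 assumed here.
    return hmac.new(key, data, hashlib.sha1).digest()


def ikev1_psk_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes,
                   cky_i: bytes, cky_r: bytes) -> dict:
    """Phase 1 keying material for PSK authentication (RFC 2409 section 5).

    psk         - configured pre-shared key; only ever an HMAC key, never sent
    ni, nr      - initiator/responder nonces, exchanged in the clear
    gxy         - Diffie-Hellman shared secret both peers compute independently
    cky_i/cky_r - ISAKMP cookies from the message header
    """
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # IPsec SA root
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # ISAKMP auth
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # ISAKMP crypto
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def session_keys(psk: bytes, label: bytes) -> dict:
    """One tunnel establishment with constructed, deterministic sample values.

    'label' stands in for a fresh negotiation: each label yields new nonces,
    cookies and a new DH secret, so the same PSK gives different session keys.
    """
    ni = hashlib.sha1(label + b"-Ni").digest()
    nr = hashlib.sha1(label + b"-Nr").digest()
    gxy = hashlib.sha256(label + b"-gxy").digest()   # constructed DH secret
    cky_i = hashlib.sha1(label + b"-CKY-I").digest()[:8]
    cky_r = hashlib.sha1(label + b"-CKY-R").digest()[:8]
    return ikev1_psk_keys(psk, ni, nr, gxy, cky_i, cky_r)


def psk_appears_in(psk: bytes, keys: dict) -> bool:
    """True if the raw PSK bytes show up in any derived value."""
    return any(psk in value for value in keys.values())


if __name__ == "__main__":
    psk = b"Sup3r-Secret-PSK"   # constructed sample key
    for label in (b"tunnel-up-1", b"tunnel-up-2"):
        keys = session_keys(psk, label)
        print(label.decode(), {k: v.hex()[:16] + "..." for k, v in keys.items()})
    print("PSK visible in derived material:", psk_appears_in(psk, session_keys(psk, b"tunnel-up-1")))
```

Both peers compute identical values from the shared PSK plus the exchanged nonces, which is why re-establishing a tunnel with the same key on both ends simply yields a fresh set of session keys.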
When I clicked on the link you provided it asked for a username and password (and it did not accept the one I use for the forum).
What username and password do I need to access it?
Another question I have:
In the scenario in which ONE of the firewalls goes down and the tunnel is broken (say the firewall is flashed/upgraded), would providing the old key (which is still stored by the firewall that is still running) work? Would the tunnel be re-established, or does the whole site-to-site tunnel have to be recreated from scratch?
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...