How to create Pre-shared Keys for IPSec

Version 0.1 (02 May 2018)

Prepare Pre-shared Keys

If Pre-shared Keys will be used to authenticate IPSec tunnels, they need to be created on a Nodegrid system before they can be used.

To create a Pre-Shared Key on a Nodegrid, use the steps below.

  1. SSH to a Nodegrid node.
  2. Navigate to the shell:

     admin@ng-west /]# shell

     WARNING: Improper use of shell commands could lead to data loss,
     the deletion of important system files or other unexpected result.
     Please double-check your syntax when typing shell commands.

  3. Run the following command:

     admin@ng-west:~$ openssl rand -base64 128
     SB1Lhn1Z1GdUj6VKTf5L2V5yAvWCLI2YOdDvIeSbGC3sTnUookxz34ozAtKT9Apu
     59VHKMcAikzBH9Vi0sfdinr/4W6wqOv4a2BgRcGbMXtFakNz4IyfuFmGRzEF9xMb
     G8USf02bRBvYpgM6nbngQkEPDleyLj5epNWS1BHB5PI=

This command produces a valid Pre-Shared Key of 128 Bytes (printed base64-encoded), which can be used for the IPSec configuration. It needs to be stored in a secrets file. To do so, store the output of the command in a file in the format below, where the two IDs identify the left and right peer (IP address or @name):

  <left-id> <right-id> : PSK "<Pre-Shared Key>"

Example: the file /etc/ipsec/ipsec.d/mypsk.secrets contains:

100.0.1.10 100.0.2.11 : PSK "z29p/x/g10cI… … … … RafMGnwTH3Bk="

or

@West @East : PSK "z29p/x/g10cI… … … … RafMGnwTH3Bk="

Note: the Pre-Shared Keys have been shortened in the examples to improve readability.

The secrets file needs to be copied to all IPSec nodes. Note that the Pre-Shared Key is not a plain text string as such; care should be taken when the key is copied to other systems, as the copy process (for example re-typing it or pasting it through a terminal or editor) might alter the key and make it invalid.

The best method is therefore to copy the secrets file itself to each node, rather than the key value.
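The following script is an added example and is not part of the Nodegrid article or product. It carries the procedure above through end to end: it generates the key with the same openssl command, joins the wrapped base64 output onto one line so it fits the single-line secrets format shown in the examples, writes the secrets file with owner-only permissions, checks that each line has the expected layout, and compares a copy of the file against the original by SHA-256 digest so that a key altered in transit is caught before the tunnel fails to authenticate. It assumes a POSIX shell with openssl (with a labelled /dev/urandom fallback) and sha256sum or openssl dgst; the function names, file paths and the --demo flag are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the Nodegrid article): generate an IPSec Pre-Shared
# Key with "openssl rand -base64 128", store it as
#   <left-id> <right-id> : PSK "<key>"
# in a secrets file, validate the file's layout, and verify a copy of it.
set -eu

# Generate the PSK: 128 random bytes, base64-encoded. openssl wraps base64
# output at 64 columns (as seen in the article's terminal output); the secrets
# file needs the whole key inside one pair of quotes, so line breaks are removed.
gen_psk() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 128
    else
        # Assumption: fallback for hosts without openssl (needs /dev/urandom and base64)
        head -c 128 /dev/urandom | base64
    fi | tr -d '\n'
}

# Write one secrets line. umask 077 gives the file mode 0600: anyone who can
# read it can authenticate as either peer of the tunnel.
write_secrets() {
    left=$1; right=$2; psk=$3; out=$4
    ( umask 077; printf '%s %s : PSK "%s"\n' "$left" "$right" "$psk" > "$out" )
}

# Every non-blank, non-comment line must read: two IDs (IP addresses or @names),
# ": PSK", and a quoted single-line base64 key. A key that was line-wrapped,
# quote-mangled or had whitespace inserted while being copied fails this check.
check_secrets() {
    bad=$(grep -Ev '^[[:space:]]*(#|$)' "$1" \
          | grep -Evc '^[^[:space:]]+ [^[:space:]]+ : PSK "[A-Za-z0-9+/]+={0,2}"$' || true)
    [ "$bad" -eq 0 ]
}

# SHA-256 digest of a file, used to compare the original secrets file with the
# copy placed on the other node; any altered byte shows up as a mismatch.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 -r "$1" | cut -d' ' -f1
    fi
}

verify_copy() {
    [ "$(file_digest "$1")" = "$(file_digest "$2")" ]
}

# Stand-alone demonstration (run as: sh make-psk.sh --demo). The cp below stands
# in for the real transfer of the file to the peer node.
demo() {
    dir=$(mktemp -d)
    orig="$dir/host-to-host-psk.secrets"
    copy="$dir/copy-on-east.secrets"
    write_secrets '@West' '@East' "$(gen_psk)" "$orig"
    check_secrets "$orig" || { echo "secrets file layout invalid" >&2; exit 1; }
    echo "secrets file layout OK"
    cp "$orig" "$copy"
    verify_copy "$orig" "$copy" || { echo "copy differs from original" >&2; exit 1; }
    echo "copy verified: $(file_digest "$orig")"
    rm -rf "$dir"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

check_secrets deliberately rejects a key that still carries the 64-column line breaks from the openssl output, which is the most common way a hand-copied key becomes invalid; verify_copy is meant to be run with the digest taken on the peer node after the file has been transferred.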

Below is an example for a Host to Host configuration.
Example /etc/ipsec/ipsec.d/host-to-host-psk.conf:

conn host-to-host-psk
      connaddrfamily=ipv4
      auto=start
      authby=secret

      leftid=@West
      left=192.168.50.4
      rightid=@East
      right=192.168.58.4

Example for /etc/ipsec/ipsec.d/host-to-host-psk.secrets:

@West @East : PSK "z29p/x/g10cI… … … … RafMGnwTH3Bk="
