How to create Pre-shared Keys for IPSec

Version 0.1 (02 May 2018)

Prepare Pre-shared Keys

When Pre-Shared Keys are used to authenticate IPSec tunnels, they need to be created on a Nodegrid system before they can be used.

To create a Pre-Shared key on a Nodegrid, use the steps below.

  1. SSH to a Nodegrid node.
  2. Navigate to the shell:

     admin@ng-west /]# shell

     WARNING: Improper use of shell commands could lead to data loss,
     the deletion of important system files or other unexpected result.
     Please double-check your syntax when typing shell commands.

  3. Run the following command:

     admin@ng-west:~$ openssl rand -base64 128
     SB1Lhn1Z1GdUj6VKTf5L2V5yAvWCLI2YOdDvIeSbGC3sTnUookxz34ozAtKT9Apu
     59VHKMcAikzBH9Vi0sfdinr/4W6wqOv4a2BgRcGbMXtFakNz4IyfuFmGRzEF9xMb
     G8USf02bRBvYpgM6nbngQkEPDleyLj5epNWS1BHB5PI=

The command generates 128 random bytes and prints them base64-encoded, which gives a 172-character string; openssl wraps the output at 64 characters per line. This string is a valid Pre-Shared key for the IPSec configuration. Join the output onto a single line and store it in a secrets file in the format below (one entry per line, with the two peer identifiers in front of the key):

  <left-id> <right-id> : PSK "<key>"

Example: the file /etc/ipsec/ipsec.d/mypsk.secrets contains:

100.0.1.10 100.0.2.11 : PSK "z29p/x/g10cI… … … … RafMGnwTH3Bk="

or

@West @East : PSK "z29p/x/g10cI… … … … RafMGnwTH3Bk="

Note: The Pre-Shared Keys have been shortened in the Examples to improve readability.

The secrets file must be present on every IPSec node, and the key must be byte-for-byte identical on all of them. The Pre-Shared key is an opaque base64 string rather than a readable text string: copying it by hand (pasting through a terminal, an e-mail or a word processor) can wrap it onto several lines, turn the straight quotes into typographic ones, or add or drop characters, and any such change produces a different key and makes the peer reject the authentication.

The best method is therefore to copy the secrets file itself to each node (for example with scp) and to compare a checksum of the file on both sides rather than reading the key. Keep the file readable by root only, and make sure the two identifiers in front of ": PSK" match the leftid/rightid (or the left/right addresses) used in the connection definition, otherwise the key is not selected for that connection.
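The generation step and the secrets-file handling described above, worked through as an added example. This script is not Nodegrid tooling and not code from the article; it assumes a POSIX shell with openssl available (falling back to /dev/urandom and base64), a base64 that accepts -d, and sha256sum. The function names are this example's own. It generates the key on one line, writes it in the secrets format with owner-only permissions, and checks the file before it is copied, so that a wrapped or damaged key is caught here rather than as an authentication failure on the peer.

```shell
#!/bin/sh
# Added example, not part of the Nodegrid article: generate an IPSec PSK,
# store it as '<left-id> <right-id> : PSK "<key>"' and verify the file.
# Assumes: POSIX sh, openssl (or /dev/urandom + base64), base64 -d, sha256sum.
# All function names here are this example's own, not Nodegrid commands.

gen_psk() {
    # 128 random bytes, base64-encoded. openssl wraps base64 output at 64
    # characters, but the secrets file needs the key on one line, so the
    # newlines are stripped here instead of by hand later.
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 128 | tr -d '\n'
    else
        head -c 128 /dev/urandom | base64 | tr -d '\n'
    fi
}

psk_bytes() {
    # psk_bytes <key>: number of raw bytes the base64 key decodes to (expect 128).
    printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' '
}

write_secrets() {
    # write_secrets <file> <left-id> <right-id> <key>
    # Writes one entry in the secrets format. The umask in the subshell makes
    # the file readable by its owner only (0600); the key must not be world-readable.
    ( umask 077; printf '%s %s : PSK "%s"\n' "$2" "$3" "$4" > "$1" )
}

check_secrets() {
    # check_secrets <file>: returns 0 only if the file holds exactly one line
    # of the form '<id> <id> : PSK "<base64>"' whose key decodes to 128 bytes.
    # A key pasted with openssl's line wraps intact, or with characters
    # dropped, fails here rather than later as an IKE authentication error.
    [ "$(wc -l < "$1" | tr -d ' ')" = "1" ] || return 1
    grep -Eq '^[^ ]+ [^ ]+ : PSK "[A-Za-z0-9+/]+={0,2}"$' "$1" || return 1
    key=$(sed -E 's/^.* : PSK "([^"]*)"$/\1/' "$1")
    [ "$(psk_bytes "$key")" = "128" ]
}

secrets_fingerprint() {
    # secrets_fingerprint <file>: SHA-256 of the file, so the copy on each
    # node can be compared without displaying the key itself.
    sha256sum "$1" | cut -d' ' -f1
}

# Usage on a node (paths as in the article):
#   key=$(gen_psk)
#   write_secrets /etc/ipsec/ipsec.d/host-to-host-psk.secrets @West @East "$key"
#   check_secrets /etc/ipsec/ipsec.d/host-to-host-psk.secrets || echo "bad secrets file"
#   secrets_fingerprint /etc/ipsec/ipsec.d/host-to-host-psk.secrets   # compare on both nodes
```

Run the fingerprint on both nodes after copying the file; if the two hashes differ, the key was altered in transit and the tunnel will not authenticate. The check accepts both the @name and the IP-address selector forms shown above, since the line format is the same.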

Below is an example of a Host to Host configuration.

Example /etc/ipsec/ipsec.d/host-to-host-psk.conf:

conn host-to-host-psk
      connaddrfamily=ipv4
      auto=start
      authby=secret

      leftid=@West
      left=192.168.50.4
      rightid=@East
      right=192.168.58.4

Example /etc/ipsec/ipsec.d/host-to-host-psk.secrets:

@West @East : PSK "z29p/x/g10cI… … … … RafMGnwTH3Bk="
