SRX Services Gateway
Contributor
Posts: 133
Registered: ‎03-11-2017
0 Kudos
Accepted Solution

IPSEC

Would someone please explain what is meant by: preshared key is a key for encryption and decryption?

The standard is that the pre-shared key is used for authentication, not encryption?

Distinguished Expert
Posts: 5,028
Registered: ‎03-30-2009

Re: IPSEC

The preshared key is used as a seed for the encryption of the data over the IPSEC tunnel and the decryption of that data at the other end. Without this seed on both sides the data is not readable.

The process is outlined in RFC 6617.

https://tools.ietf.org/html/rfc6617

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Contributor
Posts: 133
Registered: ‎03-11-2017
0 Kudos

Re: IPSEC

I have read in IETF that SKEYID-A is used as a seed to derive the SKEYID-E key, or does it have another meaning?

Distinguished Expert
Posts: 5,028
Registered: ‎03-30-2009
0 Kudos

Re: IPSEC

I don't understand your comment, so forgive me if this is off track.

Section 8 in the RFC outlines the math process for the exchange.

The preshared key is exchanged offline and manually added to both gateway nodes. During the negotiation process as outlined, the gateways verify they both have the same value for the preshared key and complete the tunnel setup process.

The reason for this method is to have a value for the encryption that never hits the wire and thus is never able to be seen by a third party.

Another alternative for this effect is to install matching certificates on the gateway instead.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
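
The thread mentions SKEYID-A and SKEYID-E. As an added example (not part of any post above, and not Juniper's code), this sketch follows the IKEv1 pre-shared-key derivation from RFC 2409 section 5 to show where the PSK enters the key material. HMAC-SHA1 as the prf and every nonce, cookie and Diffie-Hellman value are assumptions constructed for illustration.

```python
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    """Assumption: SHA-1 was negotiated, so the IKEv1 prf is HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def ikev1_psk_skeyids(psk, ni_b, nr_b, g_xy, cky_i, cky_r):
    """RFC 2409 section 5 key material for pre-shared-key authentication."""
    # The PSK never crosses the wire; it keys the prf over both nonces.
    skeyid = prf(psk, ni_b + nr_b)
    ctx = g_xy + cky_i + cky_r  # DH shared secret plus both cookies
    skeyid_d = prf(skeyid, ctx + b"\x00")             # derives IPsec SA keys
    skeyid_a = prf(skeyid, skeyid_d + ctx + b"\x01")  # authenticates IKE messages
    skeyid_e = prf(skeyid, skeyid_a + ctx + b"\x02")  # encrypts IKE messages
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d,
            "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


# Constructed sample values (not from a real exchange).
SAMPLE = dict(
    psk=b"example-psk-not-for-use",
    ni_b=bytes.fromhex("11" * 16),   # initiator nonce body
    nr_b=bytes.fromhex("22" * 16),   # responder nonce body
    g_xy=bytes.fromhex("ab" * 128),  # Diffie-Hellman shared secret
    cky_i=bytes.fromhex("01" * 8),   # initiator cookie
    cky_r=bytes.fromhex("02" * 8),   # responder cookie
)

if __name__ == "__main__":
    good = ikev1_psk_skeyids(**SAMPLE)
    # A peer configured with a different PSK derives different keys throughout.
    bad = ikev1_psk_skeyids(**{**SAMPLE, "psk": b"wrong-psk"})
    for name in good:
        same = good[name] == bad[name]
        print(f"{name:9} {good[name].hex()}  equal with wrong PSK: {same}")
```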