SRX Services Gateway

IPSEC

06-19-2017 02:49 AM

Would someone please explain what is meant by "preshared key is a key for encryption and decryption"?

The standard is that a pre-shared key is used for authentication, not encryption?


Re: IPSEC

06-19-2017 02:54 AM

The preshared key is used as a seed for the encryption of the data over the IPSEC tunnel and the decryption of that data at the other end. Without this seed on both sides the data is not readable.

The process is outlined in RFC 6617.

https://tools.ietf.org/html/rfc6617

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home

Re: IPSEC

06-19-2017 03:03 AM

I have read in the IETF documents that SKEYID-A is used as a seed to derive the SKEYID-E key, or does it have another meaning?

Re: IPSEC

06-19-2017 02:56 PM

I don't understand your comment, so forgive me if this is off track.

Section 8 in the RFC outlines the math process for the exchange.

The preshared key is exchanged offline and manually added to both gateway nodes. During the negotiation process, as outlined, the gateways verify that they both have the same value for the preshared key and complete the tunnel setup process.

The reason for this method is to have a value for the encryption that never hits the wire and thus is never able to be seen by a third party.

Another alternative for this effect is to install matching certificates on the gateways instead.

Steve Puluka BSEET
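The two points raised in this thread, that SKEYID-A seeds SKEYID-E and that the gateways verify they hold the same preshared key during negotiation, are both visible in the IKEv1 main-mode key derivation of RFC 2409 (sections 5 and 5.4). The following is an added illustration written for this page; it is not code from the thread, from Junos or from any RFC. It uses HMAC-SHA1 as the prf, and the Diffie-Hellman result g^xy, the nonces, cookies and payload bodies are fixed, constructed stand-in values so the run is deterministic and offline (assumption: a real peer obtains g^xy from a live DH exchange and the other values from the first four main-mode messages). The function `phase1_psk` is a hypothetical helper that runs the authentication step with each side's own configured PSK and reports whether the peers authenticate and whether they end up with the same SKEYID_e.

```python
"""IKEv1 main-mode key derivation with pre-shared-key authentication (RFC 2409),
reduced to the arithmetic that matters for the question in this thread."""
import hashlib
import hmac


def prf(key: bytes, data: bytes) -> bytes:
    # RFC 2409 section 3.2: the negotiated prf; HMAC-SHA1 here.
    return hmac.new(key, data, hashlib.sha1).digest()


def skeyid_psk(psk: bytes, ni_b: bytes, nr_b: bytes) -> bytes:
    # RFC 2409 section 5.4: SKEYID = prf(pre-shared-key, Ni_b | Nr_b).
    # The PSK is the prf *key*: it is the only secret input at this point.
    return prf(psk, ni_b + nr_b)


def skeyid_sig(ni_b: bytes, nr_b: bytes, gxy: bytes) -> bytes:
    # RFC 2409 section 5.1 (signature / certificate authentication):
    # SKEYID = prf(Ni_b | Nr_b, g^xy). No pre-shared secret is involved.
    return prf(ni_b + nr_b, gxy)


def derive_keys(skeyid: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes):
    # RFC 2409 section 5: three keys, each chained from the previous one.
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")             # seeds IPsec SA keys
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")  # ISAKMP integrity key
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")  # ISAKMP encryption key
    return skeyid_d, skeyid_a, skeyid_e


def hash_i(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idii_b):
    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    return prf(skeyid, gxi + gxr + cky_i + cky_r + sai_b + idii_b)


def hash_r(skeyid, gxi, gxr, cky_i, cky_r, sai_b, idir_b):
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    return prf(skeyid, gxr + gxi + cky_r + cky_i + sai_b + idir_b)


# Constructed, fixed public values that both peers see on the wire (assumption:
# in a real exchange these come from main-mode messages 1 to 4).
NI_B = bytes.fromhex("00" * 4 + "11" * 12)
NR_B = bytes.fromhex("22" * 16)
CKY_I = bytes.fromhex("a1a2a3a4a5a6a7a8")
CKY_R = bytes.fromhex("b1b2b3b4b5b6b7b8")
GXI = b"\x03" * 128                          # stand-in for the initiator DH public value
GXR = b"\x05" * 128                          # stand-in for the responder DH public value
GXY = hashlib.sha256(GXI + GXR).digest()     # stand-in for the DH shared secret g^xy
SAI_B = bytes.fromhex("0000000100000001")    # stand-in for the initiator SA payload body
IDII_B = b"\x01\x11\x00\x00" + bytes([192, 0, 2, 1])  # ID_IPV4_ADDR 192.0.2.1
IDIR_B = b"\x01\x11\x00\x00" + bytes([192, 0, 2, 2])  # ID_IPV4_ADDR 192.0.2.2


def phase1_psk(psk_initiator: bytes, psk_responder: bytes) -> dict:
    """Hypothetical helper: run the PSK authentication step with each side's own PSK."""
    # Each gateway computes SKEYID from the PSK it was configured with; the PSK
    # itself never appears in any message.
    skeyid_i = skeyid_psk(psk_initiator, NI_B, NR_B)
    skeyid_r = skeyid_psk(psk_responder, NI_B, NR_B)

    # Message 5: initiator sends HASH_I computed under its SKEYID. The responder
    # recomputes HASH_I under *its* SKEYID; equality proves the PSKs match.
    sent_hash_i = hash_i(skeyid_i, GXI, GXR, CKY_I, CKY_R, SAI_B, IDII_B)
    expected_hash_i = hash_i(skeyid_r, GXI, GXR, CKY_I, CKY_R, SAI_B, IDII_B)
    initiator_ok = hmac.compare_digest(sent_hash_i, expected_hash_i)

    # Message 6: the same check in the other direction with HASH_R.
    sent_hash_r = hash_r(skeyid_r, GXI, GXR, CKY_I, CKY_R, SAI_B, IDIR_B)
    expected_hash_r = hash_r(skeyid_i, GXI, GXR, CKY_I, CKY_R, SAI_B, IDIR_B)
    responder_ok = hmac.compare_digest(sent_hash_r, expected_hash_r)

    # Because SKEYID depends on the PSK, so does every key chained from it.
    _, _, skeyid_e_i = derive_keys(skeyid_i, GXY, CKY_I, CKY_R)
    _, _, skeyid_e_r = derive_keys(skeyid_r, GXY, CKY_I, CKY_R)

    return {
        "authenticated": initiator_ok and responder_ok,
        "same_skeyid_e": skeyid_e_i == skeyid_e_r,
    }


if __name__ == "__main__":
    print(phase1_psk(b"correct horse", b"correct horse"))
    print(phase1_psk(b"correct horse", b"wrong"))
```

Two things worth noting when reading the output. First, in the PSK variant the preshared key is the prf key for SKEYID, and SKEYID_d, SKEYID_a and SKEYID_e are all chained from it, so a gateway with the wrong PSK derives a different SKEYID_e as well as a different HASH_I; in the certificate variant (`skeyid_sig`) SKEYID is derived from the nonces and g^xy only and the certificate authenticates the exchange separately. Second, RFC 2409 encrypts main-mode messages 5 and 6 under SKEYID_e, so in practice a PSK mismatch shows up as the responder failing to decrypt message 5 rather than as a clean HASH_I comparison failure; the helper above skips that encryption to keep the comparison visible.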