Cisco Packet Data Interworking Function (PDIF)
Remote Secrets
PSK Support for Remote Secrets
IPSec Reference, StarOS Release 18
PSK Support for Remote Secrets
Overview
StarOS CLI commands support the creation of local and remote pre-shared keys (PSKs) associated with crypto maps
and crypto templates. Refer to the descriptions of the crypto map and crypto template commands in the Context
Configuration Mode Commands chapter of the Command Line Interface Reference.
StarOS also allows the operator to configure a remote secret list that contains PSKs keyed by remote ID type and value.
The remote secret list can contain up to 1000 entries, and only one remote secret list is supported per system. The
remote secret list is bound to a crypto map and/or crypto template.
Each entry in the remote secret list consists of either an alphanumeric string of 1 through 255 characters or a
hexadecimal string of 16 to 444 bytes.
Implementation
The general sequence for using a remote PSK is as follows:
The initiator sends an IKE_INIT_REQUEST to the responder.
The responder replies with an IKE_INIT_RESPONSE.
When the IKE_INIT_RESPONSE is received, the initiator sends an IKE_AUTH_REQUEST to the responder
along with its peer ID.
When the responder receives the IKE_AUTH_REQUEST, it derives the peer ID from the IKE_AUTH_REQUEST and
uses it to search the remote secret list for the PSK. If a remote secret list is bound to the crypto map or crypto
template in use, the PSK is taken from that list. Otherwise, the remote PSK configured on the crypto map or crypto
template itself is used. The peer ID only selects which PSK to use; the peer is authenticated when the AUTH payload
of the IKE_AUTH_REQUEST verifies under that PSK, so presenting another entry's ID without its key fails authentication.
Supported IKE ID Types
The following IKE ID types are supported in a remote secret list entry:
ID_IP_ADDR (supports IPv4 and IPv6 address notations)
ID_IPV4_ADDR (IPv4 address in dotted-decimal notation)
ID_FQDN (Fully Qualified Domain Name)
ID_RFC822_ADDR (Email address)
ID_IPV6_ADDR (IPv6 address in colon-separated notation)
ID_DER_ASN1_DN (Abstract Syntax Notation One – Distinguished Name)
ID_DER_ASN1_GN (Abstract Syntax Notation One – General Name)
ID_KEY_ID (Opaque byte stream)
Deployment Scenarios
A group of remote clients can be configured to use a separate pre-shared key even if they all use the same crypto
map or crypto template; the key is selected per remote ID from the remote secret list.
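The lookup sequence from the Implementation section and the per-client keying from the Deployment Scenarios section, as an added Python example that is not StarOS code and not part of the original page. It simulates the responder side of IKE_AUTH: the peer ID is decoded from the IDi payload, the PSK is selected from a remote secret list bound to the crypto template or, when no list is bound, from the template's own remote PSK, and the AUTH payload is recomputed as prf(prf(PSK, "Key Pad for IKEv2"), InitiatorSignedOctets) per RFC 7296 section 2.15 and compared in constant time. The RemoteSecretList, CryptoTemplate and helper names, the is_hex flag marking a hex key, the fail-closed behaviour when a bound list has no entry for the peer, and all constructed messages, nonces, IDs and keys are assumptions made for the example.

```python
"""Simulated responder-side PSK selection for IKEv2 IKE_AUTH with a remote secret
list, plus the RFC 7296 PSK AUTH computation. Added example, not StarOS code;
class and function names are hypothetical."""
import hashlib, hmac, ipaddress, re, secrets

KEY_PAD = b"Key Pad for IKEv2"   # RFC 7296 section 2.15
MAX_ENTRIES = 1000               # list capacity stated on the page
ID_CODES = {"ID_IPV4_ADDR": 1, "ID_FQDN": 2, "ID_RFC822_ADDR": 3, "ID_IPV6_ADDR": 5,
            "ID_DER_ASN1_DN": 9, "ID_DER_ASN1_GN": 10, "ID_KEY_ID": 11}  # RFC 7296 3.5

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()  # PRF_HMAC_SHA2_256

def parse_psk(value, is_hex=False):
    """Entry formats from the page: 1..255 alphanumeric chars, or hex encoding 16..444
    bytes. How the CLI marks a hex key is not on the page; is_hex is an assumption."""
    if is_hex:
        if not re.fullmatch(r"(?:[0-9A-Fa-f]{2}){16,444}", value):
            raise ValueError("hex PSK must encode 16 to 444 bytes")
        return bytes.fromhex(value)
    if not re.fullmatch(r"[0-9A-Za-z]{1,255}", value):
        raise ValueError("PSK must be 1 to 255 alphanumeric characters")
    return value.encode("ascii")

def normalize_id(id_type, id_value):
    """Canonical (type, value) key so lookups do not miss on case or IPv6 spelling;
    ID_IP_ADDR (the page's combined type) resolves to the IPv4 or IPv6 type."""
    if id_type in ("ID_IP_ADDR", "ID_IPV4_ADDR", "ID_IPV6_ADDR"):
        addr = ipaddress.ip_address(id_value)
        return ("ID_IPV4_ADDR" if addr.version == 4 else "ID_IPV6_ADDR"), addr.compressed
    if id_type in ("ID_FQDN", "ID_RFC822_ADDR"):
        return id_type, id_value.lower()
    if id_type in ID_CODES:
        return id_type, id_value
    raise ValueError(f"unsupported ID type {id_type}")

class RemoteSecretList:
    """The single system-wide list: remote ID -> PSK, at most MAX_ENTRIES entries."""
    def __init__(self):
        self._entries = {}
    def add(self, id_type, id_value, psk, is_hex=False):
        key = normalize_id(id_type, id_value)
        if key not in self._entries and len(self._entries) >= MAX_ENTRIES:
            raise ValueError("remote secret list is full")
        self._entries[key] = parse_psk(psk, is_hex)
    def lookup(self, id_type, id_value):
        return self._entries.get(normalize_id(id_type, id_value))

class CryptoTemplate:  # a crypto map/template with its own remote PSK and an optional bound list
    def __init__(self, name, remote_psk, bound_list=None):
        self.name, self.remote_psk, self.bound_list = name, parse_psk(remote_psk), bound_list

def select_remote_psk(template, idi_type, idi_value):
    """The page's rule: a bound list supplies the PSK, else the template's remote PSK.
    A bound list with no entry for the peer yields None (fail closed): an assumption."""
    if template.bound_list is not None:
        return template.bound_list.lookup(idi_type, idi_value)
    return template.remote_psk

def encode_id(id_type, id_value):
    """'Rest of ID payload': type code, 3 reserved bytes, ID data (RFC 7296 section 3.5)."""
    id_type, canon = normalize_id(id_type, id_value)
    is_ip = id_type.startswith("ID_IPV")
    data = ipaddress.ip_address(canon).packed if is_ip else id_value.encode()
    return bytes([ID_CODES[id_type], 0, 0, 0]) + data

def decode_id(rest):
    """Inverse of encode_id: recover (type, value) from the peer's IDi payload."""
    id_type = next(n for n, c in ID_CODES.items() if c == rest[0])
    is_ip = id_type.startswith("ID_IPV")
    return id_type, str(ipaddress.ip_address(rest[4:])) if is_ip else rest[4:].decode()

def psk_auth(psk, message1, nonce_r, sk_pi, idi_rest):
    """AUTH = prf(prf(PSK, KEY_PAD), RealMessage1 | NonceRData | prf(SK_pi, RestOfInitIDPayload))."""
    return prf(prf(psk, KEY_PAD), message1 + nonce_r + prf(sk_pi, idi_rest))

def responder_verify(template, message1, nonce_r, sk_pi, idi_rest, auth):
    """IKE_AUTH at the responder: IDi only selects a key and is trusted only once AUTH verifies."""
    psk = select_remote_psk(template, *decode_id(idi_rest))
    if psk is None:
        return False
    return hmac.compare_digest(psk_auth(psk, message1, nonce_r, sk_pi, idi_rest), auth)

def demo():
    """Constructed exchange: clients sharing one template, two of them keyed from the list."""
    rsl = RemoteSecretList()
    rsl.add("ID_FQDN", "Femto-1.Example.NET", "ClientOnePsk2024")
    rsl.add("ID_IP_ADDR", "2001:db8::0:1", "00112233445566778899aabbccddeeff", is_hex=True)
    bound = CryptoTemplate("pdif-tmpl", "TemplateDefaultPsk", bound_list=rsl)
    unbound = CryptoTemplate("pdif-tmpl-nolist", "TemplateDefaultPsk")
    # Constructed IKE_SA_INIT artefacts; in a real SA they come from the first exchange.
    m1, nr, sk_pi = b"IKE_SA_INIT request (constructed)", secrets.token_bytes(32), secrets.token_bytes(32)
    def attempt(tmpl, id_type, id_value, psk):  # initiator computes AUTH, responder checks it
        idi = encode_id(id_type, id_value)
        return responder_verify(tmpl, m1, nr, sk_pi, idi, psk_auth(psk, m1, nr, sk_pi, idi))
    hexkey = bytes.fromhex("00112233445566778899aabbccddeeff")
    return {"listed_fqdn": attempt(bound, "ID_FQDN", "femto-1.example.net", b"ClientOnePsk2024"),
            "listed_ipv6": attempt(bound, "ID_IPV6_ADDR", "2001:0db8::1", hexkey),
            "listed_with_template_key": attempt(bound, "ID_FQDN", "femto-1.example.net", b"TemplateDefaultPsk"),
            "unlisted_on_bound": attempt(bound, "ID_FQDN", "rogue.example.net", b"TemplateDefaultPsk"),
            "unlisted_no_list": attempt(unbound, "ID_FQDN", "rogue.example.net", b"TemplateDefaultPsk")}
```

Running demo() returns five outcomes: the two listed clients authenticate with their list keys (the IPv6 client even though its wire address is spelled differently from the entry), a listed client presenting the template key is rejected, an unlisted peer is rejected on the template that binds the list, and the same unlisted peer authenticates with the template key on the template with no bound list.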