SunScreen 3.2 Configuration Examples

Using Preshared Keys

Preshared keys function as a type of password which authenticates each side of a communications channel during IKE negotiation. The actual preshared key (an ASCII text string) is not sent over the wire but a hash of it is used instead. Once the IKE parameters are successfully negotiated, regular secure communications can proceed. While this authentication method is simple to set up, it typically does not scale well.


Note -

Certain SunScreen features like remote administration require the use of certificates. So, you cannot use a Windows 2000 system to remotely administer a Screen using preshared keys.


Configuring the Screen to Use Preshared Keys

This section describes how to set up SunScreen to use IKE preshared keys.

Set Up the Screen
  1. Select and edit the appropriate policy.

  2. Define an IPsec Key Common Object.


    Note -

    This is an optional step as you can also enter a preshared key directly into a field on the Rule Definition Action Details window.


    In the Common Object panel select IPsec Key and New; the IPsec Key dialog appears (see Figure 9-2).

    Figure 9-2 IPsec Key Dialog Window


  3. Fill in the required fields.

    Provide a Name and Description for the object and select the desired key size from the Key Size list. If you are using a preshared key generated by another system, type the key into the Key field. If you are using SunScreen to generate the key, click the Generate New Key button. The key does not have to be numeric, so you could, for instance, use a phrase.

  4. Define the required Address objects.

    In this example, you would define HOST type Address objects for the following systems: bos-host5, sf-w2kremote, and sf-w2k1.

  5. Create a Packet Filtering rule that allows encrypted communication between the systems using the IKE preshared key.

    In this example, telnet is the required service, but it could be any service. You define the rule the same way as other IKE encryption rules, except that the Authentication Method is PRE-SHARED (for more details on defining Packet Filtering IKE rules, see "Create Packet Filtering Rules with the ENCRYPT action"). See Figure 9-3 for an example of what the Rule Definition and Action Details windows would look like.

    Figure 9-3 Rule Definition Windows for PreShared Key



    Note -

    The Oakley Group field on the Screen and the DH Group field on the Windows 2000 system must use the same value.


  6. Click the Options tab and select the IKE mode.

    Your choices are Tunnel or Transport mode. Tunnel mode encapsulates and encrypts the entire packet, including the IP header, for maximum security. Transport mode encapsulates and encrypts only the data portion of the IP packet, resulting in smaller packets and potentially better throughput, as the Screen is relieved of the overhead of decrypting the IP header. SunScreen and Windows 2000 both support IKE Transport and Tunnel modes.

    If you choose Tunnel mode, you can supply the Source and Destination Tunnel addresses. You can also supply Source and Destination Screens. If you choose Transport mode, you can only specify Source and Destination Screens.

    If the Source Address is the Screen, specify the Screen object in the Source Screen field. If the Destination Address is the Screen, specify the Screen object in the Destination Screen field.

  7. Save and activate the policy.

Configuring the Windows 2000 System to Use Preshared Keys

See the Windows 2000 online help for specific instructions on how to create a Security Policy with an IKE filter that uses preshared keys. You can also refer to the Microsoft White Paper How to Configure IPSec Tunneling in Windows 2000 which is available from their web site.

When you create the Security Policy, make sure all the IKE parameters on the Windows system match the IKE parameters on the Screen, including:

Make sure the DH Group value is the same as the Oakley Group value on the Screen. Lastly, use the same preshared key as the key used on the Screen.


Note -

Windows 2000 uses an ASCII character string to specify the preshared key. SunScreen uses an ASCII hexadecimal string for the same purpose. For example, if you specified the preshared key as ABC on the Windows 2000 system, you would specify the same key as 414243 on the SunScreen system.
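The following Python script is an added example, not part of the SunScreen documentation or product. It does two things the text above describes: it converts the ASCII preshared key typed on the Windows 2000 side into the hexadecimal string the Screen expects (ABC becomes 414243, as in the note), and it models the point made at the start of this section that the key itself never crosses the wire, only a keyed hash derived from it. The hash model follows the RFC 2409 preshared-key derivation SKEYID = prf(pre-shared-key, Ni_b | Nr_b) with HMAC-SHA1 as the prf; this is a simplification of the real exchange, the nonces are constructed sample values, and whether the Screen accepts uppercase or lowercase hex digits for letters above 9 is an assumption not stated on this page.

```python
import hashlib
import hmac
import os


def ascii_psk_to_sunscreen_hex(key: str) -> str:
    """Convert the ASCII preshared key entered on Windows 2000 into the
    hexadecimal form SunScreen expects, e.g. "ABC" -> "414243".

    Non-ASCII input is rejected: the two sides would otherwise disagree on
    the byte encoding of the key and IKE authentication would fail."""
    try:
        raw = key.encode("ascii")
    except UnicodeEncodeError as exc:
        raise ValueError("preshared key must be plain ASCII") from exc
    # Assumption: uppercase hex digits for A-F; the page does not state the case.
    return raw.hex().upper()


def sunscreen_hex_to_ascii(hex_key: str) -> str:
    """Reverse conversion, useful for checking a key already configured on the Screen."""
    return bytes.fromhex(hex_key).decode("ascii")


def skeyid_psk(psk: bytes, ni: bytes, nr: bytes) -> bytes:
    """Simplified model of RFC 2409 preshared-key authentication:
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b), with prf = HMAC-SHA1.

    Only values derived from SKEYID cross the wire, never the key itself."""
    return hmac.new(psk, ni + nr, hashlib.sha1).digest()


def peers_authenticate(windows_key: str, screen_hex_key: str,
                       ni: bytes, nr: bytes) -> bool:
    """Return True when the Windows side (ASCII key) and the Screen side
    (hex key) derive the same SKEYID from the same exchanged nonces."""
    windows_side = skeyid_psk(windows_key.encode("ascii"), ni, nr)
    screen_side = skeyid_psk(bytes.fromhex(screen_hex_key), ni, nr)
    # Constant-time comparison, as a verifier of authentication hashes should use.
    return hmac.compare_digest(windows_side, screen_side)


if __name__ == "__main__":
    # Constructed sample nonces standing in for Ni_b and Nr_b from an IKE exchange.
    ni, nr = os.urandom(16), os.urandom(16)

    win_key = "ABC"
    screen_key = ascii_psk_to_sunscreen_hex(win_key)
    print(f"Windows key {win_key!r} -> SunScreen key {screen_key}")

    print("matching keys authenticate:",
          peers_authenticate(win_key, screen_key, ni, nr))
    # A common mistake: typing the literal string "ABC" as hex of "abc" (616263)
    # on the Screen. The derived hashes differ, so IKE authentication fails.
    print("mismatched keys authenticate:",
          peers_authenticate(win_key, "616263", ni, nr))
```

Run the script directly to see the conversion and the match/mismatch result; in practice the value printed as the SunScreen key is what you would type into the Key field on the Screen when the Windows system uses the corresponding ASCII string.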