This feature module describes the wildcard pre-shared key feature, an enhancement to the Internet Key Exchange Protocol (IKE) feature. It includes information on the benefits of the new feature, supported platforms, related documents, and so forth.
This document includes the following sections:
A wildcard pre-shared key allows a group of remote users with the same level of authentication to share an IKE pre-shared key. The remote peer's pre-shared key must match the local peer's pre-shared key for IKE authentication to occur. The term wildcard means that any remote peer with the pre-shared key can access the local peer, regardless of the remote peer's IP address assignment. The term pre-shared key is a shared secret key exchanged during IKE negotiation.
A wildcard pre-shared key is usually distributed through a secure out-of-band channel. In a remote peer-to-local peer scenario, any remote peer with the IKE pre-shared key configured can establish IKE security associations (SAs) with the local peer.
The wildcard pre-shared key feature is an enhancement to the crypto isakmp key global configuration command. With a wildcard IP address of 0.0.0.0 and pre-shared key authentication method configured on the local router, the local router can authenticate the IKE SA with any remote peer that has a matching wildcard pre-shared key.
Ease of Deployment
Pre-shared keys offer a simple solution for smaller networks. A wildcard pre-shared key uses one IKE pre-shared key for multiple peers.
No Third-Party Authentication Method
Pre-shared keys establish an encrypted tunnel between a remote peer and a local router without involving a certification authority (CA).
VPN Security
Pre-shared keys allow for authentication to take place to secure the connection before an IPSec-protected Virtual Private Network (VPN) tunnel is established between IPSec peers.
The wildcard pre-shared key feature has the following restrictions:
Multiple IPSec Peer Configuration Required
The IKE security association (SA) cannot be established between the IPSec peers until all IPSec peers are configured for the same IKE pre-shared key. An IKE SA is a prerequisite to an IPSec SA.
Protection from Untrusted Parties
Pre-shared key is an IKE authentication method for the Diffie-Hellman key exchange between multiple IPSec peers. If an attacker knows the IKE pre-shared key and can redirect all traffic between the IPSec peers to go through an IKE proxy, the attacker can read and modify the IPSec-protected data without detection. Such an attack is called IP spoofing.
Extended Authentication
For stronger user authentication methods, Cisco recommends configuring the Wildcard Pre-shared Key Enhancement feature with the IKE Extended Authentication feature (Xauth). Xauth is supported in Cisco IOS Release 12.1(1)T and later releases.
Strong Encryption Limitations
Cisco IOS software images with strong encryption (including, but not limited to, 56-bit data encryption feature sets) are subject to United States government export controls, and have a limited distribution. Images to be installed outside the United States require an export license. Customer orders might be denied or subject to delay due to United States government regulations. Contact your sales representative or distributor for more information, or send e-mail to export@cisco.com.
The Wildcard Pre-Shared Key Enhancement feature module is related to the following existing features:
For information related to the wildcard pre-shared key feature, refer to the following documents:
The wildcard pre-shared key feature is supported on all platforms that support IPSec in Cisco IOS Release 12.1 T.
Standards
No new or modified standards are supported by this feature.
MIBs
No new or modified MIBs are supported by this feature.
For descriptions of supported MIBs and how to use MIBs, see Cisco's MIB web site on CCO at http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
No new or modified RFCs are supported by this feature.
IPSec Software Image Required
Before configuring the wildcard pre-shared key, you must have an IPSec encryption software image from Cisco IOS Release 12.1(1)T downloaded on to your router. For more information on downloading a software image, see the following publications:
IKE Configuration Required
Before configuring the wildcard pre-shared key feature, you must configure ISAKMP policy and identity using IKE commands.
| Command | Purpose |
|---|---|
| Router(config)# crypto isakmp policy priority | Define an IKE policy, and enter ISAKMP policy configuration mode. |
| Router(config-isakmp)# hash {sha \| md5} | Specify the hash algorithm within an IKE policy. |
| Router(config-isakmp)# authentication {rsa-sig \| rsa-encr \| pre-share} | Specify the authentication method within an IKE policy. |
| Router(config-isakmp)# exit | Exit ISAKMP policy configuration mode. |
| Router(config)# crypto isakmp identity {address \| hostname} | Define the identity the router uses when participating in the IKE protocol. This ISAKMP identity is to be established for each peer on which you specify pre-shared keys. |
For more information on configuring IKE commands, see the following publications:
IPSec Configuration Required
After configuring the wildcard pre-shared key feature, you must define IPSec transform sets, create a static crypto map, create a dynamic crypto map, then apply that dynamic crypto map to the static crypto map on the interface.
| Command | Purpose |
|---|---|
| Router(config)# crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]] | Define a transform set, which is an acceptable combination of security protocols and algorithms, and enter crypto transform configuration mode. |
| Router(cfg-crypto-trans)# mode [tunnel \| transport] | Specify the mode for the transform set. |
| Router(cfg-crypto-trans)# exit | Exit crypto transform configuration mode. |
| Router(config)# crypto map map-name seq-num ipsec-isakmp | Create or modify a static crypto map entry, and enter crypto map configuration mode. |
| Router(config-crypto-map)# match address [access-list-id \| name] | Specify an extended access list for a crypto map entry. |
| Router(config-crypto-map)# set transform-set transform-set-name1 [transform-set-name2...transform-set-name6] | Specify which transform sets can be used with the static crypto map entry. |
| Router(config-crypto-map)# exit | Exit crypto map configuration mode. |
| Router(config-crypto-map)# crypto map map-name seq-num ipsec-isakmp dynamic dynamic-map-name | Create or modify a dynamic crypto map entry, and enter crypto map configuration mode. |
| Router(config-crypto-map)# set transform-set transform-set-name1 [transform-set-name2...transform-set-name6] | Specify which transform sets can be used with the dynamic crypto map entry. |
| Router(config-crypto-map)# exit | Exit crypto map configuration mode. |
| Router(config)# crypto map map-name | Apply a previously defined crypto map set to an interface and enter interface configuration mode. |
| Router(config-if)# exit | Exit interface configuration mode. |
| Router(config)# crypto map map-name local-address interface-id | Specify and name an identifying interface to be used by the crypto map for IPSec traffic. |
For more information on configuring IPSec commands, see the following publications:
Configuring Wildcard Pre-Shared Key Enhancement
The wildcard pre-shared key feature is optional and disabled by default.
The following sections describe wildcard pre-shared key configuration tasks. Each task in the list indicates if it is optional or required:
To configure a wildcard pre-shared key, perform these tasks at each peer in an IKE policy:
Note: For information on configuring ISAKMP policy and identity, IPSec transform, static crypto map, and dynamic crypto map, see "Prerequisites."
To specify a wildcard pre-shared key at a peer, use the following commands in global configuration mode:
| Command | Purpose |
|---|---|
| hq_sanjose(config)# crypto isakmp key cisco1234 address 0.0.0.0 | At the local peer, specify the shared key to be used with a particular remote peer and the wildcard IP address, 0.0.0.0. In this example, the shared key is cisco1234. The wildcard IP address is 0.0.0.0. At all remote peers, specify the shared key to be used with the local peer and the wildcard IP address, 0.0.0.0. Use the same shared key and wildcard IP address for all peers. |
To view information about the wildcard pre-shared key, enter show crypto isakmp policy privileged EXEC command on the local peer. You can view this information after the wildcard pre-shared key feature has been successfully configured on the local peer. To view information about the wildcard pre-shared key on remote peers, perform the same check on remote router(s); the same pre-shared key and wildcard IP address, 0.0.0.0, should be configured on all peers.
```
hq_sanjose# show crypto isakmp policy
!
! The following is an excerpt from the output of this command. Information that is not
! related to the wildcard pre-shared key feature has been intentionally removed.
!
! The following crypto map has first priority. A hash algorithm, Message Digest 5, has
! been configured for this IKE policy. The group key is specified as "cisco1234". The IP
! address "0.0.0.0" indicates a wildcard pre-shared key.
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco1234 address 0.0.0.0
!
```
Enter the following debug command in EXEC mode to troubleshoot wildcard pre-shared keys:
| Command | Purpose |
|---|---|
| debug crypto isakmp | Display messages about IKE events. |
The following example is output from the show running configuration global configuration command at the local peer:
```
hq_sanjose# show running configuration
!
! The following is an excerpt from the output of this command. Information that is not
! related to a wildcard pre-shared key has been intentionally removed.
!
Current configuration:
...
! The following crypto map has first priority. A hash algorithm, Message Digest 5, has
! been configured for this IKE policy. The group key is specified as "cisco1234". The IP
! address "0.0.0.0" indicates a wildcard pre-shared key.
!
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco1234 address 0.0.0.0
!
! The following output shows an IPSec transform set named "vpn-transform". This IPSec
! transform set has been configured for basic encryption with Encapsulating Security
! Protocol Data Encryption Standard, and basic authentication with Encapsulating
! Security Protocol Message Digest 5.
!
crypto ipsec transform-set vpn-transform esp-des esp-md5-hmac
!
! The following output shows a dynamic crypto map named "vpn-dynamic". The
! "vpn-transform" IPSec transform set has been applied to this dynamic crypto map.
!
crypto dynamic-map vpn-dynamic 1
 set transform-set vpn-transform
!
! The following output shows the dynamic map as it applied to the static map. The static
! crypto map is called "vpn-static". This crypto map has been applied to the dynamic
! crypto map and its IPSec transform set.
!
crypto map vpn-static 1 ipsec-isakmp dynamic vpn-dynamic
!
interface Ethernet0
 ip address 209.165.200.254 255.255.255.224
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 no mop enabled
 crypto map vpn-static
!
...
end
```
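As an added audit example (not Cisco's code or part of this feature module), the following Python script parses a running-config excerpt modelled on the one above, extracts each crypto isakmp key entry, flags the wildcard 0.0.0.0 binding this module describes (any peer holding the key can authenticate), and checks the 8 to 128 byte key length rule given in the Syntax Description. The sample config is constructed for the example.

```python
"""Audit a Cisco IOS running-config excerpt for wildcard IKE pre-shared keys.

Added example, not Cisco's code. Flags `crypto isakmp key ... address 0.0.0.0`
entries and checks the documented 8-128 byte key length rule.
"""
import re

# Constructed sample config, modelled on the show running-config excerpt above.
SAMPLE_CONFIG = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
crypto isakmp key cisco1234 address 0.0.0.0
crypto isakmp key branch-office-key address 209.165.201.1
crypto isakmp key short hostname rtr.example.com
crypto ipsec transform-set vpn-transform esp-des esp-md5-hmac
crypto dynamic-map vpn-dynamic 1
 set transform-set vpn-transform
crypto map vpn-static 1 ipsec-isakmp dynamic vpn-dynamic
"""

# key, then either "address <ip> [mask]" or "hostname <name>"
KEY_RE = re.compile(
    r"^crypto isakmp key (?P<key>\S+) (?P<kind>address|hostname) (?P<id>\S+)"
    r"(?: (?P<mask>\S+))?\s*$"
)


def parse_isakmp_keys(config: str) -> list:
    """Return one dict (key, kind, id, mask) per `crypto isakmp key` line."""
    entries = []
    for line in config.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def is_wildcard(entry: dict) -> bool:
    """True when the key is bound to the wildcard address 0.0.0.0, which the
    feature module documents as matching any remote peer that knows the key."""
    return entry["kind"] == "address" and entry["id"] == "0.0.0.0"


def audit(config: str) -> list:
    """Return (severity, message) findings for every pre-shared key entry."""
    findings = []
    for e in parse_isakmp_keys(config):
        klen = len(e["key"].encode())
        if not 8 <= klen <= 128:
            findings.append(("error", f"key for {e['id']} is {klen} bytes; "
                             "documented range is 8-128 bytes"))
        if is_wildcard(e):
            findings.append(("warn", "wildcard pre-shared key: any peer that "
                             "knows the key authenticates; the module "
                             "recommends pairing it with Xauth"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```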
This section documents a modified command, the crypto isakmp key global configuration command. All other commands used with this feature are documented in the Cisco IOS Release 12.1 command reference publications.
To configure a wildcard pre-shared authentication key, use the crypto isakmp key global configuration command. You must configure this key whenever you specify a wildcard pre-shared key in an IKE policy. Use the no form of this command to delete a wildcard pre-shared authentication key.
crypto isakmp key keystring address 0.0.0.0
Syntax Description
| Keyword or Argument | Description |
|---|---|
| keystring | Specify the wildcard pre-shared key. Use any combination of alphanumeric characters between 8 and 128 bytes. This pre-shared key must be identical at all peers. |
| address | Use this keyword if the remote peer ISAKMP identity was set with its IP address. |
| 0.0.0.0 | Specify the wildcard IP address, 0.0.0.0, which indicates that any remote peer configured with the same wildcard pre-shared key may establish IPSec communications with the local peer, regardless of the IP address of the remote peer. |
Defaults
The wildcard pre-shared authentication key is not enabled.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 11.3(3)T | This command was introduced in Cisco IOS Release 11.3 T. |
| 12.1(1)T | This command was modified to include the 0.0.0.0 keyword in Cisco IOS Release 12.1 T. |
Usage Guidelines
Use this command to configure pre-shared authentication keys with a wildcard IP address. You must perform this command at both the local and all remote peers.
If an IKE policy includes wildcard pre-shared keys as the authentication method, these pre-shared keys must be configured at all peers---otherwise the policy cannot be used (the policy will not be submitted for matching by the IKE process). The first task is accomplished with the crypto isakmp identity command. The crypto isakmp key command is the second task required to configure the pre-shared keys at the peers.
Use the 0.0.0.0 keyword to indicate the remote peer ISAKMP identity will be established using the pre-shared key only. This IP address is considered a wildcard IP address because the remote peer does not need an IP address for authentication.
Examples
The remote peer specifies an ISAKMP identity by address:
crypto isakmp identity 192.168.1.33
The local peer called hq_router also specifies an ISAKMP identity by host name:
crypto isakmp identity hq_sanjose
Now, the pre-shared key must be specified at each peer.
The local peer specifies the pre-shared key and designates the remote peer by the wildcard IP address:
crypto isakmp key cisco1234 address 0.0.0.0
The remote peer specifies the same pre-shared key and designates the local peer by its host name:
crypto isakmp key cisco1234 hostname hq_sanjose.example.com
In this example, a remote peer specifies its ISAKMP identity by address, and the local peer specifies its ISAKMP identity by host name. Depending on the circumstances in your network, both peers could specify their ISAKMP identity by address, or both by host name.
Related Commands
| Command | Description |
|---|---|
| authentication (IKE policy) | Specify the authentication method within an IKE policy. |
| crypto isakmp identity | Define the identity the router uses when participating in the IKE protocol. |
| ip host | Define a static host name-to-address mapping in the host cache. |
| hostname | Specify or modify the host name for the network server. |
| ip domain | Define a default domain name that the Cisco IOS software uses to complete unqualified host names. |
| ip name-server | Specify the address of a name server to use for name and address resolution. |
| crypto isakmp policy | Define an IKE policy, a set of parameters to be used during IKE negotiation. |
| crypto ipsec transform-set | Define a transform set, an acceptable combination of security protocols and algorithms. |
| crypto dynamic-map | Create a dynamic crypto map entry and enter the crypto map configuration command mode. |
| set transform-set | Specify which transform sets can be used with the crypto map entry. |
| match address | Specify an extended access list for a crypto map entry. |
| set peer | Specify an IPSec peer in a crypto map entry. |
| crypto map (global configuration) | Create or modify a crypto map entry and enter the crypto map configuration mode. |
| crypto map local-address | Specify and name an identifying interface to be used by the crypto map for IPSec traffic. |
authentication---The method of identifying users, including login and password dialog, challenge and response, messaging support, and, depending on the security protocol you select, encryption. Authentication establishes data integrity and ensures no one tampers with the data in transit. It also provides data origin authentication.
CA---certification authority. A service responsible for managing certificate requests and issuing certificates to participating IPSec network devices. This service is explicitly entrusted by the receiver to validate identities and to create digital certificates. This service provides centralized key management for the participating devices.
certification authority---See CA.
client---A node or software program (front-end device) that requests services from a server.
DH---Diffie-Hellman key exchange. A public key cryptography protocol which allows two parties to establish a shared secret over an insecure communications channel. Diffie-Hellman is used within Internet Key Exchange (IKE) to establish session keys. Diffie-Hellman is a component of Oakley key exchange. Cisco IOS software supports 768-bit and 1024-bit Diffie-Hellman groups.
Diffie-Hellman key exchange---See DH.
extended authentication---See XAUTH.
gateway---A device that performs an application layer conversion from one protocol stack to another.
IKE---Internet Key Exchange. A hybrid protocol that implements Oakley key exchange and Skeme key exchange inside the ISAKMP framework. While IKE can be used with other protocols, its initial implementation is with the IPSec protocol. IKE provides authentication of the IPSec peers, negotiates IPSec keys, and negotiates IPSec security associations.
IKE is used to establish a shared security policy and authenticated keys for services (such as IPSec) that require keys. Before any IPSec traffic can be passed, each router/firewall/host must be able to verify the identity of its peer. This can be done by manually entering pre-shared keys into both hosts or by a CA service.
Internet Key Exchange Protocol---See IKE.
IP Security Protocol---See IPSec.
IP spoofing---An IP spoofing attack occurs when an attacker outside your network pretends to be a trusted user either by using an IP address that is within the range of IP addresses for your network or by using an authorized external IP address that you trust and to which you wish to provide access to specified resources on your network. Should an attacker get access to your IPSec security parameters, that attacker can masquerade as the remote user authorized to connect to the corporate network.
IPSec---IP Security Protocol. A framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers. IPSec provides these security services at the IP layer. IPSec uses IKE to handle negotiation of protocols and algorithms based on local policy and to generate the encryption and authentication keys to be used by IPSec. IPSec can be used to protect one or more data flows between a pair of hosts, between a pair of security gateways, or between a security gateway and a host.
peer---A router or device that participates as an endpoint in IPSec and IKE.
SA---security association. An instance of security policy and keying material applied to a data flow. Both IKE and IPSec use SAs, although SAs are independent of one another. IPSec SAs are unidirectional and they are unique in each security protocol. An IKE SA is used by IKE only, and unlike the IPSec SA, it is bi-directional. IKE negotiates and establishes SAs on behalf of IPSec. A user can also establish IPSec SAs manually.
A set of SAs are needed for a protected data pipe, one per direction per protocol. For example, if you have a pipe that supports ESP between peers, one ESP SA is required for each direction. SAs are uniquely identified by destination (IPSec endpoint) address, security protocol (AH or ESP), and security parameter index (SPI).
security association---See SA.
Virtual Private Network---See VPN.
VPN---Virtual Private Network. Enables IP traffic to travel securely over a public TCP/IP network by encrypting all traffic from one network to another. A VPN uses tunnels to encrypt all information at the IP level.
wildcard---A wildcard is an unknown, unpredictable factor. The wildcard pre-shared key allows for a local router to authenticate remote peers using the pre-shared key, and not using the remote peer's IP address. The IP address of the remote peer is the unknown, unpredictable factor.
Posted: Mon Mar 27 03:22:42 PST 2000
Copyright 1989 - 2000 © Cisco Systems Inc.