921 | Adding Local Switches | AOS-W 6.5.3.x User Guide
IKEv2 and custom-installed certificates can optionally use Suite-B encryption for IPsec encryption. For details
and requirements for Suite-B encryption, see Suite-B Cryptography on page 430.
Configuring a PSK
Leaving the PSK set to the default value exposes the IPsec channel to serious risk, therefore you should always
configure a unique PSK for each switch pair.
Sharing the same PSK between more than two switches increases the likelihood of compromise: if one switch is
compromised, all switches that share its PSK are compromised. Therefore, best security practice is to configure a unique
PSK for each switch pair.
Do not use the default global PSK on a master or stand-alone switch. If you have a multi-switch network then
configure the local switches to match the new IPsec PSK key on the master switch.
Weak keys are susceptible to offline dictionary attacks, meaning that a hostile eavesdropper can capture a few
packets during connection setup and derive the PSK, thus compromising the connection. Therefore the PSK
selection process should be the same process as selecting a strong passphrase:
- the PSK should be at least ten characters in length
- the PSK should not be a dictionary word
- the PSK should combine characters from at least three of the following four groups:
  - lowercase characters
  - uppercase characters
  - numbers
  - punctuation or special characters, such as !~`@#$%^&*()_-+=\|//.[]{}
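As an added example (not code from the AOS-W guide or from the vendor), the following Python checks a candidate PSK against the rules above, reports a PSK that is reused across more than one switch pair, estimates how much an attacker gains from a short key, and generates a compliant PSK with a CSPRNG. The word list, switch names and sample keys are constructed for illustration; a real check would load a full dictionary.

```python
import math
import secrets
import string

# Constructed, illustrative word list (a real deployment would load a full dictionary).
SAMPLE_DICTIONARY = {"password", "aruba", "secret", "default", "changeme", "welcome"}

# Special characters as listed in the guide; used for generation.
SPECIALS = "!~`@#$%^&*()_-+=\\|/.[]{}"

# The four character groups; the check accepts any punctuation, a superset of the guide's examples.
GROUPS = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}
MIN_LENGTH = 10   # guide: at least ten characters
MIN_GROUPS = 3    # guide: at least three of the four groups


def groups_used(psk):
    """Names of the character groups that appear in the PSK."""
    return [name for name, chars in GROUPS.items() if any(c in chars for c in psk)]


def check_psk(psk, dictionary=SAMPLE_DICTIONARY):
    """Return a list of policy violations; an empty list means the PSK passes."""
    problems = []
    if len(psk) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if psk.lower() in dictionary:
        problems.append("is a dictionary word")
    used = groups_used(psk)
    if len(used) < MIN_GROUPS:
        problems.append(f"uses only {len(used)} of {MIN_GROUPS} required character groups")
    return problems


def estimated_entropy_bits(psk):
    """Rough strength estimate: length * log2(pool), where pool is the size of the groups used.
    An offline dictionary or brute-force attack gets cheaper as this number drops."""
    pool = sum(len(GROUPS[name]) for name in groups_used(psk))
    return len(psk) * math.log2(pool) if pool else 0.0


def find_reused_psks(pair_psks):
    """Given {(switch_a, switch_b): psk}, return the PSKs shared by more than one pair."""
    by_psk = {}
    for pair, psk in pair_psks.items():
        by_psk.setdefault(psk, []).append(pair)
    return {psk: pairs for psk, pairs in by_psk.items() if len(pairs) > 1}


def generate_psk(length=20):
    """Generate a random PSK that satisfies the policy, using the secrets CSPRNG."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_psk(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample: the same key configured for two local switches.
    deployment = {
        ("master", "local-1"): "Sh4red!Key#One",
        ("master", "local-2"): "Sh4red!Key#One",
        ("master", "local-3"): "Un1que!Key#Three",
    }
    for pair, psk in deployment.items():
        print(pair, check_psk(psk) or "ok", f"{estimated_entropy_bits(psk):.1f} bits")
    print("reused:", find_reused_psks(deployment))
    print("suggested:", generate_psk())
```

The entropy figure is an upper bound (it assumes every character was chosen uniformly from the pool), so treat it as a way to compare candidates rather than as a guarantee; the reuse check is worth running over the whole set of local switches whenever a PSK is rotated.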
The following sections describe how to configure a PSK using the WebUI or CLI.
Configuring a Master Switch PSK
Use the procedure below to configure the IP address and preshared key for the master switch.
In the WebUI
To configure a master switch PSK:
1. Navigate to the Configuration > Network > Switch > System Settings page.
2. In the IPSEC Key (IKE PSK) field, enter the IPSec key. Reenter this key in the Retype IPSEC Key (IKE PSK)
field.
3. (Optional) In the FQDN field, enter a fully qualified domain name used in IKE.
4. (Optional) Click the Source IP address field and select the VLAN ID of the VLAN interface used to initiate IKE. The
switch IP address is used if no VLAN is specified.
5. Click Apply.
In the CLI
On the master switch you can configure a specific IPsec PSK for a local switch, or set the PSK that applies to all local
switches with the localip 0.0.0.0 ipsec <secret_key> command:
You need to change the secret key to a non-default PSK value even if you use a per-local switch PSK configuration.
To configure a master switch PSK:
(host)(config) #localip 0.0.0.0 ipsec <secret_key>