
IKEv1 PSK with same Gateways

Hello @all,

It is known that with IKEv1 on SFOS a new PSK overwrites all other PSKs if the gateways do not differ between the connections. Sadly I cannot use IKEv2.

Is it sufficient if just the local ID is different in the connections and the remote ID is ANY to save the PSKs individually?
Does empty mean all remote IDs are accepted, or do I have to use a * as the remote ID?


Example:

IPSec Connection 1: Local ID -> 192.168.0.1 / Remote ID: *
IPSec Connection 2: Local ID -> 192.168.0.1 / Remote ID: *
IPSec Connection 3: Local ID -> 192.168.0.1 / Remote ID: *

(not possible with different PSKs)

-------------------------------------------------------------------------------

IPSec Connection 1: Local ID -> 192.168.0.1 / Remote ID: *
IPSec Connection 2: Local ID -> 192.168.0.2 / Remote ID: *
IPSec Connection 3: Local ID -> 192.168.0.3 / Remote ID: *

Possible with different PSKs?



Added TAGs
[edited by: Raphael Alganes at 11:19 PM (GMT -7) on 18 Aug 2024]
  • No, it is not. Only IKEv2 supports different PSKs for a wildcard tunnel. 

    You could change to certificates and use them, as certificates are individual. 

    __________________________________________________________________________________________________________________

  • I have to use IKEv1 with PSK (otherwise I would not ask). What does wildcard tunnel mean?

    unique ID <-> wildcard ID
    wildcard ID <-> wildcard ID
    unique ID <-> unique ID (possible with diff. PSK?)

    I have to migrate a UTM setup (no problem on UTM with probing...)

  • Wildcard basically means that you use * as the Remote Gateway. 

    Identifiers are not used to differentiate the tunnel in IKEv1. 

    You can only do the following:
    Move to certificates, as they are defined to be unique.
    Move to IKEv2, if possible.
    Set the IPsec PSKs while the tunnel is being built, as PSKs are only used when building the tunnel (Phase 1) and not in Phase 2. This means you can change them at any time for each tunnel without killing the other tunnels, but it also means that if all tunnels go down, the others will not work. 
    If the peers are UTM, move to RED site-to-site instead. 

    UTM had its own mechanism to probe the PSK, which is not defined by any standard. SFOS followed the RFC standards for IKEv1 and does not support this method. 

    __________________________________________________________________________________________________________________
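Added illustration of the point made in the thread, not SFOS or UTM code: a toy model of a responder's PSK lookup. It assumes that an IKEv1 responder can key its PSK table only by (local gateway, remote gateway) addresses, because in IKEv1 Main Mode the ID payload arrives already encrypted under keys derived from the PSK, while an IKEv2 responder can key by the peer identity from IDi, since the IKE_AUTH protection keys come from the Diffie-Hellman exchange alone. The gateway addresses, identity strings and PSK values are constructed sample data.

```python
"""
Responder-side PSK selection model: IKEv1 Main Mode vs IKEv2.

Added illustration, not SFOS or UTM code. Gateways, identities and PSKs
below are constructed sample values.
"""
from dataclasses import dataclass, field


@dataclass
class Conn:
    name: str
    local_gw: str
    remote_gw: str   # "*" = any peer address (the thread's "wildcard tunnel")
    remote_id: str   # "*" = any peer identity
    psk: str


@dataclass
class Responder:
    # IKEv1: the PSK can only be keyed by (local gateway, remote gateway).
    v1_by_gateway: dict = field(default_factory=dict)
    # IKEv2: the PSK can be keyed by the peer identity carried in IDi.
    v2_by_identity: dict = field(default_factory=dict)
    # Records (connection name, PSK it replaced) for the IKEv1 table.
    overwritten: list = field(default_factory=list)

    def add(self, c: Conn) -> None:
        # In IKEv1 Main Mode the ID payload is sent in messages 5/6, already
        # encrypted under keys derived from SKEYID, which for PSK authentication
        # depends on the PSK itself. The responder must therefore pick the PSK
        # from the peer address before it can read any identity, so a second
        # wildcard connection on the same gateway replaces the first one's key.
        key = (c.local_gw, c.remote_gw)
        if key in self.v1_by_gateway and self.v1_by_gateway[key] != c.psk:
            self.overwritten.append((c.name, self.v1_by_gateway[key]))
        self.v1_by_gateway[key] = c.psk

        # In IKEv2 the IKE_AUTH messages are protected by SK_* keys derived from
        # the Diffie-Hellman exchange alone, so IDi is readable before the PSK
        # is needed and the identity can select the key.
        self.v2_by_identity[c.remote_id] = c.psk

    def psk_ikev1(self, local_gw: str, peer_addr: str):
        """Exact gateway pair first, then the wildcard entry for that gateway."""
        return (self.v1_by_gateway.get((local_gw, peer_addr))
                or self.v1_by_gateway.get((local_gw, "*")))

    def psk_ikev2(self, peer_id: str):
        """Exact identity first, then the wildcard identity if configured."""
        return self.v2_by_identity.get(peer_id) or self.v2_by_identity.get("*")


def build_scenario() -> Responder:
    """Three wildcard peers on one local gateway plus one fixed-address peer."""
    r = Responder()
    r.add(Conn("site-a", "198.51.100.1", "*", "site-a", "psk-A"))
    r.add(Conn("site-b", "198.51.100.1", "*", "site-b", "psk-B"))
    r.add(Conn("site-c", "198.51.100.1", "*", "site-c", "psk-C"))
    # Different remote gateway: keeps its own PSK in IKEv1 because the
    # address pair differs, matching the thread's "if the gateways differ".
    r.add(Conn("site-d", "198.51.100.1", "203.0.113.40", "site-d", "psk-D"))
    return r


def summarize(r: Responder) -> dict:
    """Which PSK each peer would be authenticated against under each version."""
    return {
        "ikev1_wildcard_peer": r.psk_ikev1("198.51.100.1", "203.0.113.10"),
        "ikev1_fixed_peer": r.psk_ikev1("198.51.100.1", "203.0.113.40"),
        "ikev1_overwritten": [name for name, _ in r.overwritten],
        "ikev2_site_a": r.psk_ikev2("site-a"),
        "ikev2_site_b": r.psk_ikev2("site-b"),
        "ikev2_site_c": r.psk_ikev2("site-c"),
    }


if __name__ == "__main__":
    for k, v in summarize(build_scenario()).items():
        print(f"{k}: {v}")
```

Note that the local ID never enters the IKEv1 lookup at all, which is why varying only the local ID (as in the question's second example) cannot keep the three PSKs apart; only a distinct remote gateway address does.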

