How do I change my IPSec pre-shared key?

Resolution

  1. Go to Configuration > VPN > General > Tunnel Group.
  2. Select the tunnel group that applies to the VPN tunnel you want to change the pre-shared key for, and click the Edit button.
  3. Select the IPSec tab.
  4. This tab includes the Pre-shared Key field.
  5. Enter the new pre-shared key.
  6. Click OK.
  7. Click Apply.

Can I change the pre-shared key?

To change the IKE pre-shared key, you can modify the tunnel options for the Site-to-Site VPN connection and specify a new IKE pre-shared key for each tunnel. For more information, see Modifying Site-to-Site VPN tunnel options.

What is my VPN pre-shared key?

The Pre-Shared Key (sometimes called a shared secret) is basically a form of password for your VPN gateway that is set up on your device. The Pre-Shared Key is specific to your gateway and can be found in your device’s configuration guide.

How are pre-shared keys used in IPsec tunnels?

The pre-shared key is merely used for authentication, not for encryption! IPsec tunnels rely on the ISAKMP/IKE protocols to exchange the keys for encryption, etc. But before IKE can work, both peers need to authenticate each other (mutual authentication). This is the only part in which the PSKs are used (RFC 2409).

Which is the most common authentication method for IPsec?

Pre-shared keys (PSK) are the most common authentication method for site-to-site IPsec VPN tunnels. So what’s to say about the security of PSKs?

Can a PSK be generated more than once?

Since the PSK has to be configured only once on each side, entering 20-40 letters on the firewall should be no problem. This allows a really complex key to be generated and used to authenticate the VPN peer.

How to generate a PSK for every VPN tunnel?

Generate a new, different PSK for every VPN tunnel. Use a password/passphrase generator to create the PSK. Generate a long PSK of at least 30 characters to resist a brute-force attack. (See my article about password complexity.)
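
One way to follow the advice above, as an added example that is not part of the original page: a small Python script that draws one distinct PSK per tunnel from the operating system's CSPRNG and audits an existing tunnel-to-PSK mapping for short or reused keys. The tunnel names, the 40-character default and the letters-and-digits alphabet are assumptions made for this example.

```python
import math
import secrets
import string

# Assumption: letters and digits only, so the key pastes cleanly into any
# firewall GUI or CLI (some devices mishandle quotes, '?' or spaces).
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 30  # minimum length recommended on this page

def generate_psk(length=40):
    """Return a random PSK drawn from the OS CSPRNG."""
    if length < MIN_LENGTH:
        raise ValueError(f"PSK must be at least {MIN_LENGTH} characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def entropy_bits(length):
    """Entropy of a uniformly random key of this length over ALPHABET."""
    return length * math.log2(len(ALPHABET))

def generate_for_tunnels(tunnel_names, length=40):
    """Return {tunnel: psk} with a different PSK for every tunnel."""
    keys, used = {}, set()
    for name in tunnel_names:
        psk = generate_psk(length)
        while psk in used:  # collision is astronomically unlikely; check anyway
            psk = generate_psk(length)
        used.add(psk)
        keys[name] = psk
    return keys

def audit(psks):
    """Flag short or reused keys in an existing {tunnel: psk} mapping."""
    findings, seen = [], {}
    for tunnel, psk in sorted(psks.items()):
        if len(psk) < MIN_LENGTH:
            findings.append((tunnel, "too short"))
        if psk in seen:
            findings.append((tunnel, f"reuses key of {seen[psk]}"))
        else:
            seen[psk] = tunnel
    return findings

if __name__ == "__main__":
    # Constructed tunnel names, for illustration only.
    tunnels = ["hq-to-branch1", "hq-to-branch2"]
    for tunnel, psk in generate_for_tunnels(tunnels).items():
        print(f"{tunnel}: {psk}  (~{entropy_bits(len(psk)):.0f} bits)")
```

A 30-character key over this 62-symbol alphabet carries roughly 178 bits of entropy, which is why a generated key of that length resists brute force where a human-chosen passphrase of the same length may not.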