
RE: Please save the pre-shared key mode



On Fri, 7 Dec 2001, Michael Choung Shieh wrote:
> How about someone unwrap the myth.  I don't care if it's PK or PSK as long
> as we can set it up as easily as setting up PSK in IKE v1.
> Can someone show a step-by-step procedure to set up PK?  In a typical
> scenario, the HQ sysadmin sets up the VPN and sends the config to his
> unknowledgeable remote office peer to download to the remote device.  How do
> we do it when using PK without using PKI?

The HQ sysadmin generates a public/private key pair for the new
host/device, and that is sent to his remote peer as part of the config. 
Remote peer installs config (including key pair).  Communication is
established.  Just like PSK. 

Alternatively, loading the config into the remote system includes
generating a keypair, and the public key is then sent back to the HQ
sysadmin for inclusion in his setup.  Communication is established. 

The second approach is generally preferable, because it avoids ever
transmitting secret information (the private key) between the sysadmins. 
But it does require a bit more savvy on the part of the remote sysadmin,
and an extra sysadmin-to-sysadmin communications hop.  If the remote
sysadmin is really not up to much, and/or the software he is using is
unhelpful, having the HQ sysadmin do the keypair generation may be
preferable. 

                                                          Henry Spencer
                                                       henry@spsystems.net
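The two provisioning flows described in the message above, as an added illustration that is not part of the original post or of any IPsec implementation. It assumes Ed25519 keys from Go's standard library and a simple nonce-signing challenge in place of IKE's real authentication exchange; the point it shows is that "PK without PKI" is just each device holding its own keypair plus the peer's pinned raw public key, installed out of band exactly like a PSK, and that in the second flow the remote's private key never travels.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// PeerConfig is what a sysadmin installs on one device: its own keypair and
// the raw public key of the one peer it is allowed to talk to. There is no
// certificate and no CA; trust comes from the out-of-band config exchange,
// the same way it does for a PSK. (Hypothetical structure for this example.)
type PeerConfig struct {
	Name       string
	PrivateKey ed25519.PrivateKey
	PeerPublic ed25519.PublicKey
}

// provisionHQGenerates models the first approach in the message: the HQ
// sysadmin generates both keypairs and ships the remote's private key
// inside the config bundle, so secret material crosses the wire once.
func provisionHQGenerates() (hq, remote PeerConfig, err error) {
	hqPub, hqPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return hq, remote, err
	}
	remPub, remPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return hq, remote, err
	}
	hq = PeerConfig{Name: "hq", PrivateKey: hqPriv, PeerPublic: remPub}
	// Everything the remote needs, private key included, goes in one direction.
	remote = PeerConfig{Name: "remote", PrivateKey: remPriv, PeerPublic: hqPub}
	return hq, remote, nil
}

// provisionRemoteGenerates models the second approach: the remote device
// generates its own keypair when the config is loaded, and only its public
// key is sent back to HQ for inclusion in HQ's configuration.
func provisionRemoteGenerates() (hq, remote PeerConfig, err error) {
	hqPub, hqPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return hq, remote, err
	}
	// Hop 1: HQ ships a config containing only HQ's public key.
	remote = PeerConfig{Name: "remote", PeerPublic: hqPub}
	// The remote generates its keypair locally; the private key never leaves it.
	remPub, remPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return hq, remote, err
	}
	remote.PrivateKey = remPriv
	// Hop 2: the remote returns its public key and HQ pins it.
	hq = PeerConfig{Name: "hq", PrivateKey: hqPriv, PeerPublic: remPub}
	return hq, remote, nil
}

// signChallenge and verifyChallenge form a minimal signature-based peer
// authentication: the verifier issues a fresh random nonce, the prover signs
// it, and the verifier checks the signature against its pinned public key.
// This is a sketch standing in for IKE's exchange, not IKE itself.
func signChallenge(prover PeerConfig, nonce []byte) []byte {
	return ed25519.Sign(prover.PrivateKey, nonce)
}

func verifyChallenge(verifier PeerConfig, nonce, sig []byte) error {
	if !ed25519.Verify(verifier.PeerPublic, nonce, sig) {
		return errors.New("peer signature does not match pinned public key")
	}
	return nil
}

// mutualAuth runs the challenge in both directions; nil means both peers
// accepted each other under their installed configs.
func mutualAuth(a, b PeerConfig) error {
	nonceA := make([]byte, 32)
	nonceB := make([]byte, 32)
	if _, err := rand.Read(nonceA); err != nil {
		return err
	}
	if _, err := rand.Read(nonceB); err != nil {
		return err
	}
	if err := verifyChallenge(a, nonceA, signChallenge(b, nonceA)); err != nil {
		return fmt.Errorf("%s rejected %s: %w", a.Name, b.Name, err)
	}
	if err := verifyChallenge(b, nonceB, signChallenge(a, nonceB)); err != nil {
		return fmt.Errorf("%s rejected %s: %w", b.Name, a.Name, err)
	}
	return nil
}

func main() {
	hq, remote, err := provisionHQGenerates()
	if err != nil {
		panic(err)
	}
	fmt.Println("HQ-generated keys, mutual auth:", mutualAuth(hq, remote))
	hq2, remote2, err := provisionRemoteGenerates()
	if err != nil {
		panic(err)
	}
	fmt.Println("remote-generated keys, mutual auth:", mutualAuth(hq2, remote2))
	// A remote provisioned against a different HQ config must be rejected.
	fmt.Println("mismatched configs:", mutualAuth(hq, remote2))
}
```

The last check in `main` is the property that makes this equivalent to a PSK in practice: a device only authenticates to the peer whose public key was pinned into its config, so a wrong or stale config fails closed rather than falling back to some weaker identity.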


