
pre-shared-key (IKE user view)

Function

The pre-shared-key command configures the pre-shared key used by IKE users when IKE peers use pre-shared key authentication during IKE negotiation.

The undo pre-shared-key command deletes the configured pre-shared key.

By default, no pre-shared key is configured for an IKE user.

Format

pre-shared-key key

undo pre-shared-key

Parameters

Parameter: key

Description: Specifies the pre-shared key used by IKE users when IKE peers use pre-shared key authentication during IKE negotiation.

Value: The value is a string of case-sensitive characters. A plaintext key contains 1 to 128 characters, and a ciphertext key contains 48 to 188 characters.

NOTE:

If the character string contains a question mark (?), an odd number of double quotation marks (") must precede that question mark; otherwise the question mark is interpreted as the CLI help character. Even when an odd number of double quotation marks precedes it, a question mark that ends the character string is still interpreted as the help character.

When the character string is enclosed in double quotation marks (" ") and contains spaces or question marks (?), the quotation marks are not part of the key. For example, if you enter "huawei?123", the key is huawei?123. Entering ""huawei?123"" is not allowed.

For security purposes, it is recommended that the pre-shared key contain at least 6 characters drawn from at least three of the four character classes: lowercase letters, uppercase letters, digits, and special characters. Treat this as a floor rather than a target: an IKE pre-shared key is never typed by a person during normal operation, so a long, randomly generated string is the better choice.

Views

IKE user view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

In a point-to-multipoint scenario, the device acts as the VPN gateway of the headquarters, an IPSec policy is created from an IPSec policy template, and the gateway accepts IPSec connection setup requests from multiple branches. If pre-shared key authentication is used and every branch shares the same ID and pre-shared key, a leak of that ID and key at any one branch compromises all branches. To avoid this, run the id-type and pre-shared-key commands in the view of each IKE user in the IKE user table.

An IKE user table records the mapping between the remote IDs of IKE peers and their pre-shared keys. After an IKE peer references an IKE user table, the device looks up the pre-shared key that matches the remote ID presented by the peer during IKE negotiation and uses it for identity authentication. In this manner, each branch uses its own ID and pre-shared key, and a key leaked from one branch cannot be used under another branch's ID.
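The following is an added example in Python, not Huawei code and not the device's implementation, that models the per-branch lookup described above and also checks keys against the complexity recommendation given under Parameters. The AUTH value is computed as RFC 7296 section 2.15 specifies for shared-secret authentication (AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), SignedOctets)) with PRF_HMAC_SHA2_256 as the prf. The remote IDs, keys, branch names and the "signed octets" byte string are constructed stand-ins for the real IKE_SA_INIT message, nonce and ID payloads; the class and function names are the example's own.

```python
"""Added example: IKE user table as a remote-ID -> pre-shared-key mapping,
with IKEv2 PSK AUTH verification per RFC 7296 section 2.15.

Not Huawei code. IDs, keys and the signed-octets placeholder are constructed.
"""
import hashlib
import hmac
import string

KEY_PAD = b"Key Pad for IKEv2"  # fixed pad string from RFC 7296 section 2.15


def prf(key: bytes, data: bytes) -> bytes:
    """PRF_HMAC_SHA2_256, one of the standard IKEv2 PRFs."""
    return hmac.new(key, data, hashlib.sha256).digest()


def ikev2_psk_auth(psk: bytes, signed_octets: bytes) -> bytes:
    """AUTH payload value for shared-key message integrity code (RFC 7296 2.15)."""
    return prf(prf(psk, KEY_PAD), signed_octets)


def meets_key_recommendation(key: str) -> bool:
    """Page's recommendation: at least 6 characters from at least 3 of the
    4 classes (lower, upper, digit, special), within the 1..128 plaintext limit."""
    if not 1 <= len(key) <= 128:
        return False
    classes = [
        any(c.islower() for c in key),
        any(c.isupper() for c in key),
        any(c.isdigit() for c in key),
        any(c in string.punctuation for c in key),
    ]
    return len(key) >= 6 and sum(classes) >= 3


class IkeUserTable:
    """Models 'ike user-table': one pre-shared key per remote ID."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}

    def add_user(self, remote_id: str, key: str) -> None:
        if not meets_key_recommendation(key):
            raise ValueError(f"key for {remote_id!r} does not meet the recommendation")
        self._keys[remote_id] = key.encode()

    def lookup(self, remote_id: str):
        return self._keys.get(remote_id)


def responder_verifies(table: IkeUserTable, remote_id: str,
                       signed_octets: bytes, auth: bytes) -> bool:
    """Hub-side check: look up the PSK for the presented ID, recompute AUTH,
    compare in constant time. Unknown ID or mismatch -> reject."""
    psk = table.lookup(remote_id)
    if psk is None:
        return False
    return hmac.compare_digest(ikev2_psk_auth(psk, signed_octets), auth)


# Constructed placeholder for the real signed octets (message || nonce || prf(SK_p, ID)).
SIGNED_OCTETS = b"constructed IKE_SA_INIT||Nr||prf(SK_pi,IDi)"


def demo_per_branch_keys() -> tuple:
    """Returns (legitimate branch A accepted, attacker using branch A's
    leaked key under branch B's ID accepted). Expected: (True, False)."""
    table = IkeUserTable()
    table.add_user("branch-a.example.com", "Ab1!branchA")  # constructed
    table.add_user("branch-b.example.com", "Cd2#branchB")  # constructed
    legit = responder_verifies(table, "branch-a.example.com", SIGNED_OCTETS,
                               ikev2_psk_auth(b"Ab1!branchA", SIGNED_OCTETS))
    forged = responder_verifies(table, "branch-b.example.com", SIGNED_OCTETS,
                                ikev2_psk_auth(b"Ab1!branchA", SIGNED_OCTETS))
    return legit, forged


def demo_shared_key() -> bool:
    """The risk the page describes: every branch shares one ID and key, so a
    key leaked from any branch authenticates as 'the branches'. Expected: True."""
    table = IkeUserTable()
    table.add_user("branch.example.com", "Sh4red!key")  # constructed
    leaked = b"Sh4red!key"  # obtained from one compromised branch
    return responder_verifies(table, "branch.example.com", SIGNED_OCTETS,
                              ikev2_psk_auth(leaked, SIGNED_OCTETS))


if __name__ == "__main__":
    print("per-branch keys (legit, forged):", demo_per_branch_keys())
    print("single shared key, forged accepted:", demo_shared_key())
```

The point of the two demos is the lookup step in responder_verifies: with a user table the hub derives the expected AUTH from the key bound to the presented ID, so a key stolen from branch A cannot be replayed under branch B's ID, whereas with one shared ID and key there is nothing to distinguish the branches.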

Precautions

  • After an IKE peer references an IKE user table, the pre-shared key configured by this command takes precedence over the pre-shared key configured by the pre-shared-key (IKE peer view) command.

  • The IKE proposal referenced by the IKE peer must specify pre-shared key authentication.

  • Both ends of IKE negotiation must use the same pre-shared key.

Example

# Configure the pre-shared key as Test!123 for IKE users.

<sysname> system-view
[sysname] ike user-table 10
[sysname-ike-user-table-10] user user1
[sysname-ike-user-table-10-user1] pre-shared-key Test!123
Copyright © Huawei Technologies Co., Ltd.