Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 2 replies
  • Subscribers 1 subscriber
  • Views 600 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Phantom IPsec Entry

ron-astaro@mcleodnet.com
It appears that my software-based ASG (version 7.511) has a hidden IPsec entry configured in its database which can not be managed from the WebAdmin user interface.

This is causing me problems, because the phantom entry is a respond-only PSK type with the key set to 1234.  Since the ASG only allows a single PSK for respond-only mode to be defined on a per-platform basis, I am stuck with this weak key for any PSK-based VPN links that I want to set-up.

I currently have no PSK-based Remote Gateways defined, but I do see PSK definitions in the running IPsec configuration file.

Is there any way to manually clear-out this bogus entry out of the database?

Fragment from /var/sec/chroot-ipsec/etc/ipsec.conf: 

conn S_REF_hrrCgAPQDy_1

        left="***.***.***.***"

        leftprotoport="17/0"

        keyingtries="3"

        esp="3des-md5"

        authby="psk"

        ikelifetime="28800"

        keyexchange="ike"

        rekeymargin="540"

        pfs="no"

        keylife="3600"

        rightid="0.0.0.0"

        rekey="no"

        right="0.0.0.0"

        auto="add"

        leftupdown="/usr/libexec/ipsec/updown strict"

        compress="no"

        rightprotoport="17/%any"

        ike="3des-sha-modp2048"

        type="transport"

        rightsubnetwithin="0.0.0.0/0"


Fragment from /var/sec/chroot-ipsec/etc/ipsec.secrets: 

***.***.***.*** %any : PSK 0sMTIzNA==



***.***.***.*** %any : PSK 0sMTIzNA==


This thread was automatically locked due to age.
  • 0
    Sorry everyone -- after a bit of digging I found my problem.

    I had an entry for Remote Access using L2TP over IPSec, which was configured to use PSK -- that where my hidden definition was coming from.
  • 0
    This is the reason we suggest using DynDNS and "Initiate Connection" instead of relying on "Respond only" - there is a limit of one PSK for all "Respond only" connections, and that includes the one for L2TP over IPsec.

    Best practices suggest changing a PSK (a short, symmetric key), monthly or at least quarterly.  Using Certificates is secure enough to leave in place indefintely, barring special circumstances.  (Asymmetric) RSA keys are practically as secure as certs.

    Cheers - Bob