Generate Pre Shared Key Online
Introduction
Generate a static key: openvpn -genkey -secret static.key. Copy the static key to both client and server, over a pre-existing secure channel. Server configuration file dev tun ifconfig 10.8.0.1 10.8.0.2 secret static.key Client configuration file remote myremote.mydomain dev tun ifconfig 10.8.0.2 10.8.0.1 secret static.key Firewall configuration. The WEP/WPA Key Generator supports 64bit, 128bit, 152bit & 256bit WEP keys, and 160bit, 504bit WPA/WPA2 keys for maximum security. Alternatively, if you require to generate a key based on a custom passphrase (most cases), you can use the Custom WEP/WPA Key Generator.
Static key configurations offer the simplest setup, and are ideal for point-to-point VPNs or proof-of-concept testing.
Static Key advantages
- Simple Setup
- No X509 PKI (Public Key Infrastructure) to maintain
Static Key disadvantages
- Limited scalability — one client, one server
- Lack of perfect forward secrecy — key compromise results in total disclosure of previous sessions
- Secret key must exist in plaintext form on each VPN peer
- Secret key must be exchanged using a pre-existing secure channel
Simple Example
This example demonstrates a bare-bones point-to-point OpenVPN configuration. A VPN tunnel will be created with a server endpoint of 10.8.0.1 and a client endpoint of 10.8.0.2. Encrypted communication between client and server will occur over UDP port 1194, the default OpenVPN port.
Generate a static key:
Copy the static key to both client and server, over a pre-existing secure channel.
Server configuration file
Client configuration file
Firewall configuration
Make sure that:
- UDP port 1194 is open on the server, and
- the virtual TUN interface used by OpenVPN is not blocked on either the client or server (on Linux, the TUN interface will probably be called tun0 while on Windows it will probably be called something like Local Area Connection n unless you rename it in the Network Connections control panel).
Bear in mind that 90% of all connection problems encountered by new OpenVPN users are firewall-related.
Testing the VPN
Run OpenVPN using the respective configuration files on both server and client, changing myremote.mydomain Laravel key generate failed to open stream permission denied. in the client configuration to the domain name or public IP address of the server.
To verify that the VPN is running, you should be able to ping 10.8.0.2 from the server and 10.8.0.1 from the client.
Expanding on the Simple Example
Use compression on the VPN link
Add the following line to both client and server configuration files:
Make the link more resistent to connection failures
Deal with:
- keeping a connection through a NAT router/firewall alive, and
- follow the DNS name of the server if it changes its IP address.
Add the following to both client and server configuration files:
Run OpenVPN as a daemon (Linux/BSD/Solaris/MacOSX only)
Run OpenVPN as a daemon and drop privileges to user/group nobody. /microsoft-windows-8-key-generator.html.
Add to configuration file (client and/or server):
Allow client to reach entire server subnet
Suppose the OpenVPN server is on a subnet 192.168.4.0/24. Add the following to client configuration:
Then on the server side, add a route to the server’s LAN gateway that routes 10.8.0.2 to the OpenVPN server machine (only necessary if the OpenVPN server machine is not also the gateway for the server-side LAN). Also, don’t forget to enable IP Forwarding on the OpenVPN server machine.
Contents
Introduction
Cisco IOS® Software Release 12.3(2)T code introduces the functionality that allows the router to encrypt the ISAKMP pre-shared key in secure type 6 format in nonvolatile RAM (NVRAM). The pre-shared key to be encrypted can be configured either as standard, under an ISAKMP key ring, in aggressive mode, or as the group password under an EzVPN server or client setup. This sample configuration details how to set up encryption of both existing and new pre-shared keys.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on this software version:
Cisco IOS Software Release 12.3(2)T
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure
This section presents you with the information you can use to configure the features this document describes.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
These two new commands are introduced in order to enable pre-shared key encryption:
Pre Shared Key Generator
key config-key password-encryption [master key]
password encryption aes
The [master key] is the password/key used to encrypt all other keys in the router configuration with the use of an Advance Encryption Standard (AES) symmetric cipher. The master key is not stored in the router configuration and cannot be seen or obtained in any way while connected to the router.
Once configured, the master key is used to encrypt any existing or new keys in the router configuration. If the [master key] is not specified on the command line, the router prompts the user to enter the key and to re-enter it for verification. If a key already exists, the user is prompted to enter the old key first. Keys are not encrypted until you issue the password encryption aes command.
The master key can be changed (although this should not be necessary unless the key has become compromised in some way) by issuing the key config-key.. command again with the new [master-key]. Any existing encrypted keys in the router configuration are re-encrypted with the new key.
Linksys Pre Shared Key
You can delete the master key when you issue the no key config-key... However, this renders all currently configured keys in the router configuration useless (a warning message displays that details this and confirms the master key deletion). Since the master key no longer exists, the type 6 passwords cannot be unencrypted and used by the router.
Note: For security reasons, neither the removal of the master key, nor the removal of the password encryption aes command unencrypts the passwords in the router configuration. Once passwords are encrypted, they are not unencrypted. Existing encrypted keys in the configuration are still able to be unencrypted provided the master key is not removed.
Additionally, in order to see debug-type messages of password encryption functions, use the password logging command in configuration mode.
Configurations
This document uses these configurations on the router:
Encrypt the Existing Pre-shared Key |
---|
Add a New Master Key Interactively |
---|
Modify the Existing Master Key Interactively |
---|
Delete the Master Key |
---|
Verify
There is currently no verification procedure available for this configuration.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.