667 | Adding Local Controllers    Dell PowerConnect W-Series ArubaOS 6.2 | User Guide
You can use a preshared key (PSK) or a certificate to create IPSec tunnels between a master and backup master Dell
controllers and between master and local Dell controllers. These inter-controller IPSec tunnels carry management
traffic such as mobility, configuration, and master-local information.
NOTE: An inter-controller IPSec tunnel can be used to route data between networks attached to the Dell controllers if you have
installed PEFV licenses in the Dell controllers. To route traffic, configure a static route on each controller specifying the destination
network and the name of the IPSec tunnel.
There is a default PSK to allow inter-controller communications; however, for security you need to configure a
unique PSK for each controller pair. You can use either the WebUI or CLI to configure a 6-64 character PSK on
master and local Dell controllers. To configure a unique PSK for each controller pair, you must configure the master
controller with the IP address of the local and the PSK, and configure the local controller with the IP address of the
master and the PSK.
You can configure a global PSK for all master-local communications, although this is not recommended for networks
with more than two Dell controllers. On the master controller, use 0.0.0.0 for the IP address of the local. On the local
controller, configure the IP address of the master and the PSK.
The local controller can be located behind a NAT device or over the Internet. On the local controller, when you
specify the IP address of the master controller, use the public IP address for the master.
If your master and local Dell controllers use a pre-shared key for authentication, the IPsec tunnel will be created
using IKEv1. If they use a factory-installed or custom certificate, they will use IKEv2 to create the IPsec tunnel.
Controllers using IKEv2 and custom-installed certificates can optionally use Suite-B encryption for IPsec encryption.
For details and requirements for Suite-B encryption, see "Configuring an SSID for Suite-B Cryptography" on page 329.
Configuring a Preshared Key
Leaving the PSK set to the default value exposes the IPSec channel to serious risk, therefore you should always
configure a unique PSK for each controller pair.
Sharing the same PSK between more than two Dell controllers increases the likelihood of compromise. If one
controller is compromised, all Dell controllers are compromised. Therefore, best security practices include configuring
a unique PSK for each controller pair.
WARNING: Do not use the default global PSK on a master or stand-alone controller. If you have a multi-controller network then
configure the local Dell controllers to match the new IPSec PSK key on the master controller.
Weak keys are susceptible to offline dictionary attacks, meaning that a hostile eavesdropper can capture a few
packets during connection setup and derive the PSK, thus compromising the connection. Therefore the PSK
selection process should be the same process as selecting a strong passphrase:
- the PSK should be at least ten characters in length
- the PSK should not be a dictionary word
- the PSK should combine characters from at least three of the following four groups:
  - lowercase characters
  - uppercase characters
  - numbers
  - punctuation or special characters, such as ~‘@#$%^&*()_-+=\|//.[]{}
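The selection rules above, applied in code, as an added example that is not part of the guide: it checks a candidate PSK against the listed rules and generates one distinct PSK per master-local pair. The function names, the optional wordlist argument, the 32-character default and the use of Python's `string.punctuation` for the fourth group are assumptions.

```python
import secrets
import string

# Groups from the guide's rules. string.punctuation is an assumption: the
# guide only gives examples of special characters.
GROUPS = {
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "numbers": string.digits,
    "punctuation": string.punctuation,
}
MIN_LEN, MAX_LEN, ADVISED_LEN = 6, 64, 10  # lengths stated in the guide
# Generation alphabet: letters, digits and the ASCII specials the guide lists.
ALPHABET = string.ascii_letters + string.digits + "~@#$%^&*()_-+=\\|/.[]{}"

def check_psk(psk, wordlist=()):
    """Return the list of rules the PSK breaks (empty list = acceptable)."""
    problems = []
    if not MIN_LEN <= len(psk) <= MAX_LEN:
        problems.append("length outside 6-64 characters")
    elif len(psk) < ADVISED_LEN:
        problems.append("shorter than ten characters")
    # Exact-match lookup only; a real check would use a full wordlist.
    if psk.lower() in {w.lower() for w in wordlist}:
        problems.append("dictionary word")
    used = [g for g, chars in GROUPS.items() if any(c in chars for c in psk)]
    if len(used) < 3:
        problems.append("fewer than three character groups")
    return problems

def generate_psk(length=32):
    """Draw random PSKs with a CSPRNG until one satisfies check_psk."""
    if not ADVISED_LEN <= length <= MAX_LEN:
        raise ValueError("length must be between 10 and 64")
    while True:
        psk = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_psk(psk):
            return psk

def psks_for_pairs(master_ip, local_ips, length=32):
    """Return {(master_ip, local_ip): psk} with a distinct PSK per pair."""
    psks = {}
    for local_ip in local_ips:
        psk = generate_psk(length)
        while psk in psks.values():  # never reuse a key across pairs
            psk = generate_psk(length)
        psks[(master_ip, local_ip)] = psk
    return psks
```

Calling `psks_for_pairs` with the master's address and the list of local controller addresses returns the key to enter on both ends of each pair.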
The following sections describe how to configure a PSK using the WebUI or CLI.