Digitransport password length [SOLVED]

Hi All:

The maximum IPsec PSK length is limited by the max password length of 12 chars.

Can this be extended to 16 or 24 chars?
12 chars is a bit small.

cheers,
john

Hi and welcome to Digi Forum!

Not sure which specific product you are referring to, but TransPort routers should have a PSK max length of 40 chars if SarOS (see: https://www.digi.com/resources/documentation/digidocs/90001019/default.htm#tasks/t_configure_ipsec_tunnels.htm%3FTocPath%3DConfiguring%2520Virtual%2520Private%2520Networking%2520(VPN)%2520|Configure%2520Internet%2520Protocol%2520security%2520(IPsec)%2520|_____2 and: https://www.digi.com/resources/documentation/digidocs/90001019/default.htm#tasks/t_configure_user_security_settings.htm%3FTocPath%3DConfiguring%2520security%2520|Configure%2520user%2520security%2520settings%2520|_____0).
If they are XOS models, they should have a PSK max length of 255 chars (see here: https://www.digi.com/resources/documentation/digidocs/90002282/default.htm#clipages/r_tlr_cli_config_ipsec.htm?Highlight=psk ).

I hope this helps. If you see any issues, please send an email to tech.support@digi.com with all the details of your specific device (IMEI, SN, PN) and a description of the issue.

Regards

Anny
Digi Technical Support Team

Hello:
The first link mentions nothing about password length. There are many errors on that page regarding encryption types offered, hash types offered, etc. The page is riddled with errors.
The second link you sent mentions the maximum password length is 14 characters. There is not much difference between the last known max of 12 and 14.

I have tried using a test user with the entire lower case alphabet as a password but I’m not sure if it just truncated it or used the whole 26 characters. Also, even if it did use the entire 26, will IKE and IPsec use more than 12 chars?

Does anyone at Digi know these answers?

cheers,
john

Hi All:

Ok, I figured this out myself…
Loaded the latest FW on an only WR21 I have and brought up an IPSec tunnel against a Cisco ISR4431 with the following parameters:
PSK length 32 bytes.
IKE:
AES256
SHA256
Main mode
Phase 1 DH2048
Phase 2 DH2048
IPsec:
AES256
SHA256
PFS DH14.

Works perfectly.

Would be nice if the mistakes in the current reference manual were corrected and the encryption and hash lists updated.
Oiy, there is no such thing as DH group 3. Hint, hint, hint.

Cheers,
john

Hi John,

Initially I was not sure which product you were referring to, so I wanted to point you to the IPsec config page (first link), where it is explained that the PSK will be configured as a User password, and the max value of the password is specified in the second link. But you are of course right, there is an error in the document. If you see the CLI section you will see the 40 chars limit that is the one I was mentioning, but, above that, the wrong old limit is shown (14). Please note that the correct limit both for username and password is 40 chars and our team is working to update that.
Thanks for checking this and I hope all will work fine now!

For any further queries or issues, please also check our support options: https://www.digi.com/support

Thanks!
Anny