Recommended authentication method in IKE for IPsec VPN
Solution

Check Point recommends using PKI for IKE authentication, which means authentication based on certificates. When Check Point gateways are managed by the same management, only PKI can be used for IKE authentication and pre-shared secrets are not allowed.

If the peer gateway requires a pre-shared secret when working with externally managed gateways, it is important to pay attention to the secret's strength. Such gateways can be externally managed Check Point gateways or third-party gateways. One example is cloud vendors' gateways, where the pre-shared secret is chosen by these vendors.

Weak pre-shared secrets can be discovered through brute-force or dictionary attacks during an active attack. Pre-shared secrets should be strong, and the recommendations are the same as for choosing passwords. Unlike passwords, there is no need to remember a pre-shared secret, so it can be rather long and random.

In SmartConsole, when setting the pre-shared secret, it is recommended that the administrator provide at least 20 characters.
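
One way to apply the length and randomness recommendations above, shown as an added example that is not Check Point code. It generates a random pre-shared secret and audits candidate secrets against the 20-character minimum; the function names, the character set and the short word list are assumptions made for illustration.

```python
import math
import secrets
import string

MIN_LENGTH = 20  # minimum length recommended in the article
# Assumption: a conservative character set that most peers accept in a PSK field.
ALPHABET = string.ascii_letters + string.digits + "-_.~"
# Constructed sample of guessable words; a real audit would load a full wordlist.
COMMON_WORDS = ("password", "secret", "vpn", "ipsec", "admin", "qwerty", "123456")


def audit_psk(psk):
    """Return a list of findings for a candidate secret; empty means none."""
    findings = []
    if len(psk) < MIN_LENGTH:
        findings.append(f"only {len(psk)} characters, fewer than {MIN_LENGTH}")
    hits = [w for w in COMMON_WORDS if w in psk.lower()]
    if hits:
        findings.append("contains guessable word(s): " + ", ".join(hits))
    if len(set(psk)) < len(psk) // 2:
        findings.append("few distinct characters, unlikely to be random")
    return findings


def generate_psk(length=32):
    """Draw a secret from the OS CSPRNG, re-drawing if the audit flags it."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        psk = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not audit_psk(psk):
            return psk


def random_psk_bits(length):
    """Entropy in bits of a secret drawn uniformly from ALPHABET."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    # Constructed sample secrets, not taken from any real configuration.
    for sample in ("MyVpnSecret2024", "a" * 24):
        print(repr(sample), "->", audit_psk(sample))
    print("generated:", generate_psk(), f"(~{random_psk_bits(32):.0f} bits)")
```

A secret of the minimum 20 characters drawn this way carries about 121 bits of entropy, which is what puts it out of reach of the brute-force and dictionary attacks described above.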

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
