This article explains the procedure to modify a psk-auth-client remote-client key from the Versa Director CLI. It mainly serves as a workaround (WA) for BUG 95122 - PSK is changing while modifying the psk associated with other random-id. Follow the rest of the document to restore the key to its original value.
Validate the issue:
First, validate the issue by checking whether the key currently configured on the Controller mismatches the key shared with the customer. To perform this validation, follow the steps below:
1. Check the present key hash:
Check the key configured on the Versa Controller for the respective remote-client identity.
Below is a sample CLI command to check the key of the remote-client identity "[email protected]".
admin@Controller-1-cli> show configuration orgs org-services Versa ipsec vpn-profile Internet-Controller-1-StagingIpsec psk-auth-clients remote-client [email protected]
id-type email;
key AyeQsWmLdIo6lt/gwfSrAKXZqD7sVwgKdt0bAW5YOgPDur2REWw5BMgmXOiCjppVPWAWCPUY3o7t6l1Ufm1GEoXuU33KxriiClz79atrRR0lz6/2zezFI2HY2djYJKwSiXdMfih0VTrMWpZhKFairb1Er3MinVkNOKjB0wraUECMkTm6QZfO1f5n6nJ12KAetap52YhQgAHok2nx97MGOWe9fuJ4JIecC0ZUir2Tl6Lf9KMDRNDcuU2Pw+HIpICU6gDmwtxzJOoOd/jjyxh42ljUX9sHBpVxtJAI2v/NMRNFYm6vdPg6ePU6IZPU/m7CKQEoK2AgH3/DxOgV4YnoTw==;
2. Use ckey_util to decode hash key:
Once the key hash has been found, decode it using the ckey_util utility.
Running the command below decodes the hash value and shows the key in plain text.
Syntax:
$ sudo /opt/versa/util/ckey_util <<hash>>
Example:
3. Compare the plain text key with the customer shared Welcome Kit.
Make sure the plain-text key shown in the ckey_util output matches the one in the Welcome Kit shared with the customer.
The customer's Welcome Kit can be found by clicking here.
If the decoded plain-text key matches the Welcome Kit shared with the customer, no action is needed. If the decoded plain-text key does not match the Welcome Kit, follow the rest of this article to modify the key from the Versa Director CLI.
Note: Do not attempt to change the key from the VD UI. Changing the key from the VD UI will hit Bug 95122 - PSK is changing while modifying the psk associated with other random-id.
Check and Change key from Versa Director:
1. To check key at Versa Director CLI:
An incorrect key can be changed from the Versa Director CLI configuration. A change made from the VD CLI device context does not require a configuration re-sync. If the configuration is changed from the Controller CLI, a configuration re-sync is required to bring the Controller IN-SYNC with VD.
Before making the change, verify the remote-client identity key configuration from Versa Director. Use the following syntax with the correct parameters to get the hash key. This hash value will be the same as shown on the Controller in step #1.
Syntax:
Administrator@director-1> show configuration devices device Controller-1 config orgs org-services Versa ipsec vpn-profile Internet-Controller-1-StagingIpsec psk-auth-clients remote-client [email protected]
Example:
Administrator@director-1> show configuration devices device Controller-1 config orgs org-services Versa ipsec vpn-profile Internet-Controller-1-StagingIpsec psk-auth-clients remote-client [email protected]
id-type email;
key AyeQsWmLdIo6lt/gwfSrAKXZqD7sVwgKdt0bAW5YOgPDur2REWw5BMgmXOiCjppVPWAWCPUY3o7t6l1Ufm1GEoXuU33KxriiClz79atrRR0lz6/2zezFI2HY2djYJKwSiXdMfih0VTrMWpZhKFairb1Er3MinVkNOKjB0wraUECMkTm6QZfO1f5n6nJ12KAetap52YhQgAHok2nx97MGOWe9fuJ4JIecC0ZUir2Tl6Lf9KMDRNDcuU2Pw+HIpICU6gDmwtxzJOoOd/jjyxh42ljUX9sHBpVxtJAI2v/NMRNFYm6vdPg6ePU6IZPU/m7CKQEoK2AgH3/DxOgV4YnoTw==;
2. To change key from Versa Director CLI:
Use the configuration command below on Versa Director to set the key correctly according to the Welcome Kit. A 'commit' of the changes on the Versa Director CLI will publish the configuration to the Controller.
Syntax:
Administrator@director-1% set devices device Controller-1 config orgs org-services Versa ipsec vpn-profile Internet-Controller-1-StagingIpsec psk-auth-clients remote-client [email protected] id-type email key NEWKEY
Example:
Administrator@director-1> configure
Entering configuration mode private
Administrator@director-1% set devices device Controller-1 config orgs org-services Versa ipsec vpn-profile Internet-Controller-1-StagingIpsec psk-auth-clients remote-client [email protected] id-type email key NEWKEY
Administrator@director-1% show | compare
devices {
    device Controller-1 {
        config {
            orgs {
                org-services Versa {
                    ipsec {
                        vpn-profile Internet-Controller-1-StagingIpsec {
                            psk-auth-clients {
                                remote-client [email protected] {
-                                   key AyeQsWmLdIo6lt/gwfSrAKXZqD7sVwgKdt0bAW5YOgPDur2REWw5BMgmXOiCjppVPWAWCPUY3o7t6l1Ufm1GEoXuU33KxriiClz79atrRR0lz6/2zezFI2HY2djYJKwSiXdMfih0VTrMWpZhKFairb1Er3MinVkNOKjB0wraUECMkTm6QZfO1f5n6nJ12KAetap52YhQgAHok2nx97MGOWe9fuJ4JIecC0ZUir2Tl6Lf9KMDRNDcuU2Pw+HIpICU6gDmwtxzJOoOd/jjyxh42ljUX9sHBpVxtJAI2v/NMRNFYm6vdPg6ePU6IZPU/m7CKQEoK2AgH3/DxOgV4YnoTw==;
+                                   key NEWKEY;
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
Administrator@director-1% commit
3. Verify the final configuration:
Finally, verify the key in the Controller configuration to ensure the change was successful by matching the key with the customer Welcome Kit. Repeat steps 1 and 2 as a final validation to check the effect of the new key.
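An added check to accompany the final validation, not part of the original article or of Versa tooling: it compares two saved text snapshots of the psk-auth-clients configuration (taken before and after the commit) and lists every remote-client whose stored key string changed other than the one edited on purpose. It assumes the brace layout that "show | compare" prints above and that a stored key string stays the same unless the key is modified; the function name, identities and key strings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Versa tooling): flag remote-clients whose stored key
# changed between two saved configuration snapshots, other than the one edited.

# usage: unexpected_changes BEFORE_FILE AFTER_FILE INTENDED_ID
# Prints one remote-client identity per line; prints nothing when only the
# intended identity changed. The two files must have different paths.
unexpected_changes() {
    awk -v intended="$3" '
    {
        for (i = 1; i < NF; i++) {
            if ($i == "remote-client") {
                id = $(i + 1)                     # identity owning the next key
            } else if ($i == "key" && id != "") {
                k = $(i + 1); sub(/;$/, "", k)    # drop the trailing semicolon
                if (FILENAME == ARGV[1]) old[id] = k
                else if ((id in old) && old[id] != k && id != intended) print id
                id = ""
            }
        }
    }' "$1" "$2"
}

# Constructed sample snapshots (identities and key strings are placeholders).
demo_dir=$(mktemp -d)
cat > "$demo_dir/before.txt" <<'EOF'
psk-auth-clients {
    remote-client branch-a@example.test {
        id-type email;
        key CONSTRUCTED-KEY-A1;
    }
    remote-client branch-b@example.test {
        id-type email;
        key CONSTRUCTED-KEY-B1;
    }
}
EOF
cat > "$demo_dir/after.txt" <<'EOF'
psk-auth-clients {
    remote-client branch-a@example.test {
        id-type email;
        key CONSTRUCTED-KEY-A2;
    }
    remote-client branch-b@example.test {
        id-type email;
        key CONSTRUCTED-KEY-B2;
    }
}
EOF
# branch-a was edited on purpose; branch-b changing as well is the symptom.
unexpected_changes "$demo_dir/before.txt" "$demo_dir/after.txt" branch-a@example.test
```

Any identity it reports should be decoded and compared with its Welcome Kit as in steps 1 to 3. Snapshot files contain stored key material, so keep them readable only by the operator and delete them afterwards.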