isakmp key length

Hi, is there a limit on the length for the isakmp key (PIX 6.3.4)? Why how I make it so long? Is 32 strings enough?

Thanks,

Alain

Reply to
Alain Banneux

In article , Alain Banneux wrote:
:Hi, is there a limit on the length for the isakmp key (PIX 6.3.4)?

128 alphanumeric characters, according to the reference material.

In practice, the key is not restricted to alphanumeric characters: it can include nearly all the printable ASCII characters. However, some programs such as Cisco's VMS (VPN Management Solution) will reject non-alphanumeric characters.

There is an instance in which the isakmp key will be used as a VPN group key: in that instance, the documented limit is 127 alphanumeric characters.

The number of characters supported by other brands of devices is often -much- lower, sometimes only 24 characters (or perhaps even less.) If you need to form a tunnel to a non-PIX you should double-check the limits on the other side.

:Why how I make it so long? Is 32 strings enough?

If you took care to use mixed upper and lower case and digits, then 32 alphanumeric characters would be the equivalent of a 190 bit key. For comparison, 3DES is nominally the equivalent of 112 bits (there are some theoretical attacks involving *lots* of pre-computed results and *lots* of storage, that take it down to about 80 bits, but we're talking petabytes of storage, which is beyond the reach of most people.)

Reply to
Walter Roberson
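
An added example, not part of the original posts: a pre-shared key generator that applies the limits quoted in the reply above (128 characters, 127 when the key doubles as a VPN group key, alphanumerics only so management tools accept it, and the other peer's shorter limit) and reports the resulting key strength. The function names and the `peer_max` parameter are hypothetical; the bit figures hold only for keys drawn uniformly at random.

```python
import math
import secrets
import string

# 62 symbols: mixed-case letters and digits, accepted by tools that
# reject non-alphanumeric characters.
ALNUM = string.ascii_letters + string.digits
PIX_ISAKMP_MAX = 128  # documented isakmp key limit quoted in the thread
PIX_GROUP_MAX = 127   # limit when the key is used as a VPN group key


def entropy_bits(length, alphabet_size=len(ALNUM)):
    """Entropy in bits of a uniformly random key of the given length."""
    return length * math.log2(alphabet_size)


def min_length(target_bits, alphabet_size=len(ALNUM)):
    """Shortest uniformly random key that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_psk(length, peer_max=None, group_key=False):
    """Return a random alphanumeric key that fits both tunnel endpoints.

    peer_max is the other device's documented key limit (assumption:
    you looked it up), e.g. 24 for some non-PIX devices.
    """
    limit = PIX_GROUP_MAX if group_key else PIX_ISAKMP_MAX
    if peer_max is not None:
        limit = min(limit, peer_max)
    if not 1 <= length <= limit:
        raise ValueError(f"length {length} outside 1..{limit} for this tunnel")
    # secrets uses the OS CSPRNG; random.choice would not be suitable here.
    return "".join(secrets.choice(ALNUM) for _ in range(length))


if __name__ == "__main__":
    for n in (24, 32, 128):
        print(f"{n:3d} chars -> {entropy_bits(n):6.1f} bits")
    print("chars needed for 112 bits:", min_length(112))
    print("sample 24-char key for a limited peer:", generate_psk(24, peer_max=24))
```

A key typed by a person from memorable words has far less entropy than these figures, whatever its length.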

The last time I was deploying a PIX for VPN, I was surprised to see somebody from a completely unknown site trying to establish a VPN to my peer... He was trying typical transforms to get to me. Let's say he got it right, the next step will be to guess the isakmp key, right? So, having it as long as possible, like 32, looks like good practice...

Nicolas

Reply to
Nicolas Delcourt
