crypto isakmp key 6 {suppose to have some key}

malai.joseph
Level 1

Hi,

Please help with this.

I have a core router (VPN MPLS) and other remote routers, say sites A, B and C, which were all working fine.

Router C failed to boot, and I decided to put in another router, an 1841.

The config files from A, B and C are the same except for the LAN and WAN interfaces, crypto isakmp key 6 and routing.

I just configured router C with the same template as A and B; still C can't browse the internet.

What I observe, and where the problem on router C might start from (I just read it is a shared key), is:

crypto isakmp key 6 {suppose to have some key} address 10.14.16.2...core router

Where does {suppose to have some key} come from? How to generate this key?

>>>from core router

crypto isakmp key 6 bhehuiuhyeueuroro address 10.14.50.2  ...router C

crypto isakmp key 6 vdjudhdfhfhgfijig address 10.14.21.2  ...router A

crypto isakmp key 6 odbdhuhuhweoeirir address 10.14.13.2  ...router B

>>>from router A configuration

crypto isakmp key 6 cvdhjfirndejdkfkgf address 10.14.16.2

>>>from router B configuration

crypto isakmp key 6 fhsrkritlslasfasb address 10.14.16.2

Because I see that on routers A and B the key strings are different from the core router's,

where do I get {suppose to have some key} for router C?

J

nkarthikeyan
Level 7

Hi Malai Joseph,

Try giving this command in Router C which is new.

We need to enable these commands to make the key 6 type password to work

key config-key password-encrypt

password encryption aes

This will be the master key which will enable the key 6 feature for crypto.

Then try with the password which you have got from the old configs backup that same password.

Hope this will make the things work.

Refer the below document for more information

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801f2336.shtml

Please do rate if the given information helps.

By

Karthik

Thanks for your answer Karthik, it is a good start.

Please help more on this:

key config-key password-encrypt

password encryption aes


1. Do I suppose to type or what should be ? in place of <>


Then try with the password which you have got from the old configs backup that same password.

2. What password are you talking about? The password to log in to a router? No backup for the old router, please. Do you mean I am supposed to configure the new router password as the password of the previous one?

3. crypto isakmp key 6 {suppose to have some key} address 10.14.16.2.....where does

{suppose to have some key} come from, please? Or does it come automatically as you enter the below?

key config-key password-encrypt

password encryption aes

thx

J

Hi Malai Joseph,

1. Do I suppose to type or what should be ? in place of <>


Then try with the password which you have got from the old configs backup that same password.

Yes. You can give a password which you like for the master key. This will enable the feature of key type 6 option. But don't forget to enable encryption as aes. In

2. What password are you talking about? The password to log in to a router? No backup for the old router, please. Do you mean I am supposed to configure the new router password as the password of the previous one?

Try with the same password which you have taken from old router configs for crypto isakmp key 6

3. crypto isakmp key 6 {suppose to have some key} address 10.14.16.2.....where does

{suppose to have some key} come from, please? Or does it come automatically as you enter the below?

key config-key password-encrypt

password encryption aes

!

Nope. The master key is only for enabling the feature. This will have the key 6 enabled in your router for multiple crypto isakmp key 6.... when you have multiple tunnels configured.

So all you need is to just create a master key, enable aes encryption and give the same key as in router C (faulty one). Or you can give a new key for the same and configure the same key in the core router as well... else you can give the plain text key @ both the ends and try.

Please do rate if the given information helps.

By

Karthik

OK, kindly note I don't have the conf of router C; if I had, my life would be very simple, lol.

So I will go to router C and apply the commands below; what you see is what will be applied.

On router C

key config-key password-encrypt

password encryption aes

crypto isakmp key 6 trial address 10.14.16.2

Am I right up there?

On core router

no crypto isakmp key 6 bhehuiuhyeueuroro address 10.14.50.2 //...pointing to router C

crypto isakmp key 6 trial address 10.14.50.2

Tell me where to make it right by saying:

on router C paste this command

and on core router do this

thx once again

J

Yes. You can try like that.... your conf looks good now.

If that does not work... then try with a plain text password @ both the ends... i.e. in router C and the core router....

Please do rate if the given information helps.

By

Karthik

Thanks Karthik,

Router C can now reach router A and can browse the internet, thanks so much.

Still one problem exists, on router C:

crypto isakmp key 6 trial address 10.14.16.2

I WANT THE WORD trial TO BE ENCRYPTED.

HOW TO DO THAT, PLEASE? BECAUSE ON THE MAIN ROUTER IT'S ENCRYPTED AND I KNOW IT WAS THE WORD TRIAL, THE SAME AS ON THE OTHER ROUTER.

j

Hi Malai Joseph,

You have to do it like this.... just do like the below and try; it should work with encryption.

no crypto isakmp key 6 trial address 10.14.16.2

no key config-key password-encrypt

Then apply like the below.

crypto isakmp key trial address 10.14.16.2

It will give the following warning

Can not encrypt password.
Please configure a configuration-key with 'key config-key'
Can not encrypt password.
Please configure a configuration-key with 'key config-key'

Then once again give

key config-key password-encrypt

Then check the sh runn and check that it gets encrypted.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_epsk.html#wp1027265

Please mark this as answered and rate the helpful posts. So that in future anyone refers the same will get benefit.

By

Karthik
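
An added example, not part of the original thread and not Cisco tooling: a small Python check over saved running-config text that reports which ISAKMP pre-shared keys are stored in clear text, whether 'password encryption aes' is present, and whether the hub and each spoke carry a key line for the other. The configs are constructed samples using the thread's addresses; the key strings are placeholders and the function names are hypothetical.

```python
import re

# crypto isakmp key [0|6] <string> address <peer>; no type digit means clear text
KEY_RE = re.compile(r"^crypto isakmp key (?:(0|6) )?(\S+) address (\S+)", re.M)
AES_RE = re.compile(r"^password encryption aes\s*$", re.M)


def audit(config):
    """Classify how each ISAKMP pre-shared key is stored in one running-config."""
    peers = {peer: ("type6" if t == "6" else "cleartext")
             for t, _secret, peer in KEY_RE.findall(config)}
    findings = [f"PSK for peer {p} is stored in clear text"
                for p, kind in sorted(peers.items()) if kind == "cleartext"]
    if peers and not AES_RE.search(config):
        findings.append("'password encryption aes' is not configured")
    return {"peers": peers, "findings": findings}


def unpaired(hub_ip, hub_cfg, spokes):
    """Spoke IPs where only one side of the hub/spoke pair has a key line.

    The stored strings are never compared: as the thread shows, the type 6
    text for the same tunnel differs between the two routers.
    """
    hub_peers = audit(hub_cfg)["peers"]
    bad = []
    for ip, cfg in spokes.items():
        if (ip in hub_peers) != (hub_ip in audit(cfg)["peers"]):
            bad.append(ip)
    return sorted(bad)


# Constructed sample configs (addresses from the thread, key strings are placeholders)
CORE = """\
password encryption aes
crypto isakmp key 6 PLACEHOLDER-A address 10.14.21.2
crypto isakmp key 6 PLACEHOLDER-B address 10.14.13.2
crypto isakmp key 6 PLACEHOLDER-C address 10.14.50.2
"""
ROUTER_C = "crypto isakmp key trial address 10.14.16.2\n"
ROUTER_B = "password encryption aes\nhostname B\n"  # key line for the hub is missing

if __name__ == "__main__":
    print(audit(ROUTER_C)["findings"])
    print(unpaired("10.14.16.2", CORE,
                   {"10.14.50.2": ROUTER_C, "10.14.13.2": ROUTER_B}))
```
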

Thanks so much, much love

J

HI Joseph,

.

Please do rate for the same & mark this as answered.

By

Karthik

Hi,

I configured the commands:

#key config-key password-encrypt **********
Router(config)#password encryption aes

to encrypt all other keys in the router configuration with the use of an Advanced Encryption Standard (AES) symmetric cipher.

I specifically do this for encrypting the ISAKMP key in the router configuration.

I am facing a problem whenever the router reboots: after reboot it is not taking the encrypted key in encrypted form but considering it as plaintext.

Due to this IPSEC is not working after reboot and is throwing an error message "IKE message from x.x.x.x failed its sanity check or is malformed"

Please let me know the solution to overcome the problem.

I'd like to add one more thing: whenever I reboot the router I need to run the key config-key password-encrypt command to establish phase one of IPSEC.

Thanks in advance.
