09-19-2012 02:39 AM - edited 03-11-2019 04:55 PM
Hi,
Please help with this.
I have a core router with VPN MPLS and other routers at remote sites, say sites A, B and C; all were working fine.
Router C failed to boot and I decided to put in another router, an 1841.
The conf files from A, B and C are the same except for the LAN and WAN interfaces, crypto isakmp key 6
and routing.
I just configured router C with the same template as A and B; still C can't browse the internet.
What I observe, and where the problem on router C might start from: I just read that it is a shared key
crypto isakmp key 6 {suppose to have some key} address 10.14.16.2...core router
Where does {suppose to have some key} come from? How do I generate this key?
>>>from core router
crypto isakmp key 6 bhehuiuhyeueuroro address 10.14.50.2 ...router C
crypto isakmp key 6 vdjudhdfhfhgfijig address 10.14.21.2 ...router A
crypto isakmp key 6 odbdhuhuhweoeirir address 10.14.13.2 ...router B
>>>from router A configuration
crypto isakmp key 6 cvdhjfirndejdkfkgf address 10.14.16.2
>>>from router B configuration
crypto isakmp key 6 fhsrkritlslasfasb address 10.14.16.2
Because I see from routers A and B that the key strings are different from the core router's,
{suppose to have some key} where to get it for router C?
J
09-19-2012 06:39 AM
Hi Malai Joseph,
Try giving this command in Router C which is new.
We need to enable these commands to make the key 6 type password to work
key config-key password-encrypt
password encryption aes
This will be the master key which will enable the key 6 feature for crypto.
Then try with the password which you have got from the old configs backup that same password.
Hope this will make the things work.
Refer the below document for more information
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801f2336.shtml
Please do rate if the given information helps.
By
Karthik
09-19-2012 07:16 AM
Thanks for your answer Karthik, a good start.
Please help more on this
key config-key password-encrypt
password encryption aes
1. Am I supposed to type
Then try with the password which you have got from the old configs backup that same password.
2. What password are you talking about? The password to log in to a router? No backup for the old router, please. Do you mean I am supposed to configure the new router password as the password of the previous one?
3. crypto isakmp key 6 {suppose to have some key} address 10.14.16.2.....where does
{suppose to have some key} come from, please? Or does it come automatically as you enter the below?
key config-key password-encrypt
password encryption aes
thx
J
09-19-2012 09:27 AM
Hi Malai Joseph,
1. Am I supposed to type
Then try with the password which you have got from the old configs backup that same password.
Yes. You can give a password which you like for the master key. This will enable the feature of key type 6 option. But don't forget to enable encryption as aes. In
2. What password are you talking about? The password to log in to a router? No backup for the old router, please. Do you mean I am supposed to configure the new router password as the password of the previous one?
Try with the same password which you have taken from old router configs for crypto isakmp key 6
3. crypto isakmp key 6 {suppose to have some key} address 10.14.16.2.....where does
{suppose to have some key} come from, please? Or does it come automatically as you enter the below?
key config-key password-encrypt
password encryption aes
!
Nope. The master key is only for enabling the feature. This will have the key 6 enabled in your router for multiple crypto isakmp key 6.... when you have multiple tunnels configured.
So all you need is to create a master key, enable aes encryption and give the same key as in router C (the faulty one). Or you can give a new key and configure the same key in the core router as well... else you can give the plain text key at both ends and try.
Please do rate if the given information helps.
By
Karthik
09-19-2012 01:18 PM
OK, kindly note I don't have the conf of router C; if I had, my life would be very simple, lol.
So I will go to router C and apply the commands below, which are what you see as what will be applied.
On router C
key config-key password-encrypt
password encryption aes
crypto isakmp key 6 trial address 10.14.16.2
Am I right up there?
On core router
no crypto isakmp key 6 bhehuiuhyeueuroro address 10.14.50.2 //...pointing to router C
crypto isakmp key 6 trial address 10.14.50.2
Tell me where to make it right by saying
on router C to paste this command
and on core router do this
Thanks once again
J
09-20-2012 08:57 AM
Yes. You can try like that.... your conf looks good now.
If that does not work... then try with a plain text password at both ends... i.e. in router C and the core router....
Please do rate if the given information helps.
By
Karthik
09-27-2012 12:19 AM
Thanks Karthik,
Router C can now reach router A and can browse the internet, thanks so much.
Still one problem exists, on router C
crypto isakmp key 6 trial address 10.14.16.2
I WANT THE WORD trial TO BE ENCRYPTED
HOW TO DO THAT, PLEASE? BECAUSE ON THE MAIN ROUTER IT'S ENCRYPTED AND I KNOW IT WAS THE WORD TRIAL, THE SAME AS ON THE OTHER ROUTER
j
09-27-2012 06:09 AM
Hi Malai Joseph,
You have to do like this.... you just do like the below and try it should work with encryption.
no crypto isakmp key 6 trial address 10.14.16.2
no key config-key password-encrypt
Then apply like the below.
crypto isakmp key trial address 10.14.16.2
It will give the following warning
Can not encrypt password.
Please configure a configuration-key with 'key config-key'
Can not encrypt password.
Please configure a configuration-key with 'key config-key'
Then once again give
key config-key password-encrypt
then check the sh runn and check it will get encrypted.
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gt_epsk.html#wp1027265
Please mark this as answered and rate the helpful posts. So that in future anyone refers the same will get benefit.
By
Karthik
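Added example, not part of any post in this thread: a small Python audit over saved IOS configuration text that classifies each `crypto isakmp key` line as plaintext or type 6 and lists spokes where the hub or the spoke has no key entry for the other end. The function names, the sample configurations and the placeholder key strings are constructed for illustration; treating a type 6 line without `password encryption aes` as suspect is a heuristic assumed here.

```python
import re

# crypto isakmp key [0|6] <string> address <peer-ip>
KEY_RE = re.compile(
    r"^\s*crypto isakmp key (?:(?P<type>[06]) )?(?P<key>\S+) address (?P<peer>\S+)",
    re.MULTILINE)
AES_RE = re.compile(r"^\s*password encryption aes\s*$", re.MULTILINE)

def audit_isakmp_keys(config):
    """Classify every pre-shared key line in one saved IOS configuration."""
    aes = AES_RE.search(config) is not None
    findings = {}
    for m in KEY_RE.finditer(config):
        if m.group("type") == "6":
            # Type 6 text is only usable with the master key that produced it,
            # so a type 6 line without AES encryption enabled is flagged
            # (for example, a line pasted from another router's template).
            status = "type6" if aes else "type6-no-aes"
        else:
            status = "plaintext"
        findings[m.group("peer")] = status
    return findings

def missing_pairs(hub_ip, hub_cfg, spokes):
    """Spoke IPs where hub or spoke lacks a key entry for the other end."""
    hub_peers = audit_isakmp_keys(hub_cfg)
    return sorted(ip for ip, cfg in spokes.items()
                  if ip not in hub_peers or hub_ip not in audit_isakmp_keys(cfg))

# Constructed sample configurations (key strings are placeholders).
CORE = """password encryption aes
crypto isakmp key 6 PLACEHOLDERAAAA address 10.14.21.2
crypto isakmp key 6 PLACEHOLDERBBBB address 10.14.13.2
"""
ROUTER_A = """password encryption aes
crypto isakmp key 6 PLACEHOLDERCCCC address 10.14.16.2
"""
ROUTER_C = """crypto isakmp key examplekey address 10.14.16.2
"""
SPOKES = {"10.14.21.2": ROUTER_A, "10.14.50.2": ROUTER_C}

if __name__ == "__main__":
    print(audit_isakmp_keys(ROUTER_C))                 # key still in plaintext
    print(missing_pairs("10.14.16.2", CORE, SPOKES))   # hub has no entry for C
```

Type 6 strings from two routers cannot be compared to confirm that both ends share the same key, so the pairing check only confirms that an entry exists on each side.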
09-28-2012 04:35 AM
Thanks so much, much love
J
09-29-2012 05:53 AM
Hi Joseph,
Please do rate for the same & mark this as answered.
By
Karthik
04-28-2013 10:12 PM
Hi,
I configured the commands:
key config-key password-encrypt **********
Router(config)#password encryption aes
to encrypt all other keys in the router configuration with the use of an Advanced Encryption Standard (AES) symmetric cipher.
I specifically do this for encrypting the ISAKMP key in the router configuration.
I am facing a problem whenever the router reboots: after reboot it is not taking the encrypted key in encrypted form but considering it as plaintext.
Due to this IPSEC is not working after reboot and is throwing an error message "IKE message from x.x.x.x failed its sanity check or is malformed"
Please let me know the solution to overcome the problem.
I'd like to add one more thing: whenever I reboot the router I need to run the key config-key password-encrypt command to establish phase one of IPSEC.
Thanks in advance.