In very early IOS the main passwords that were configured were the line passwords on line console, line aux, and line vty, and the enable password. Cisco added the feature of service password-encryption to protect these passwords.

As the IOS has grown and matured many other passwords have been added. As passwords have been added some of them get added to the list of what is processed by service password-encryption while others still show the password in the clear. Over time more and more passwords get added to the list. I remember for many releases of IOS that the TACACS server key was shown in clear text and in current versions it is protected by password-encryption. I expect that the vpngroup password is likely to have a similar evolution and will at some point be protected by password-encryption. In the mean while I believe that there is no other command that will encrypt that password.

If you want to accelerate the process of getting this password protected by password-encryption you should talk to your Cisco account team (or your reseller or partner if you do not have an account team).

As for the difference between service password-encryption and enable secret, password-encryption was developed to protect the enable password. As I mentioned the encryption used is not especially strong (and was not designed to have strong encryption, it was designed to protect against casual "over the shoulder" observation). Cisco then developed enable secret as an alternative to enable password. The enable secret is always encrypted and uses a strong method (MD5) to protect the password.

HTH

Rick

This encryption uses a Cisco proprietary encryption algorithm which is not very strong.