ISAKMP KEY PASSWORD in clear text

cdrobey
Level 1

While configuring the VPN features on a 2821, I discovered that my CRYPTO ISAKMP key is not hidden in the config, instead of appearing like this:

crypto isakmp key *********** address 208.98.200.15 255.255.255.128

It appears like this:

crypto isakmp key password123 address 208.98.200.15 255.255.255.128

I have service password-encryption turned on.

I configured the key through SDM, and before the commands are sent to the router it shows asterisks and not the clear text password. But it comes out just the opposite.

Thanks.

5 Replies

Richard Burts
Hall of Fame

Clinton

It has been my experience that the ISAKMP keys do show up in the config in clear text, whether or not password encryption is turned on. It is unfortunate that the behavior of SDM and IOS is different.

I also observe that the behavior of IOS does change over time. For a long time the TACACS key was displayed in clear text, and in recent versions of IOS it is now among the things protected by password encryption. So perhaps in some future release the ISAKMP keys will also be protected.

HTH

Rick


This doesn't help any, but the RADIUS key in earlier versions of IOS was in cleartext and in newer ones it's encrypted.

Hopefully soon , none of that sensitive info will be in cleartext.

Timo

Yep, it has changed on the PIX side too. IIRC, with a show tech-support it used to be cleartext, and now the only way to see the clear text is to write the config to a TFTP server and view it there.

reswaran
Cisco Employee

Hi,

You need to use the VPN Key Encryption feature to encrypt the VPN keys. It is more secure than "service password-encryption".

In SDM, you can see this feature under VPN -> VPN Components -> VPN Key Encryption.

Ravikumar

to_rac
Level 1

Many years after the original post but 'service password-encryption' will not hide the isakmp key.

Instead, it can be encrypted using a device defined AES key as outlined here: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46420-pre-sh-keys-ios-rtr-cfg.html

Essentially with:

#conf t

(config)#key config-key password-encrypt my_aes_key

(config)#password encryption aes


crypto isakmp key password123 address 1.2.3.4

Becomes:

crypto isakmp key 6 encrypted_key address 1.2.3.4


Note from the above link:

Note: For security reasons, neither the removal of the master key, nor the removal of the password encryption aes command unencrypts the passwords in the router configuration. Once passwords are encrypted, they are not unencrypted. Existing encrypted keys in the configuration are still able to be unencrypted provided the master key is not removed.
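The thread's point, in both reswaran's reply and the one above, is that "service password-encryption" leaves ISAKMP pre-shared keys in the clear and only the AES master-key feature (type 6) protects them. A config-review script is the practical check for that. The following is an added example, not part of this thread or of any Cisco tool: it scans a running-config text for "crypto isakmp key" lines, classifies each key as cleartext or AES type 6, and reports whether "password encryption aes" is present. The sample configuration embedded at the bottom is constructed for the example; the 208.98.200.15 and 1.2.3.4 peers are taken from the posts above, and the encrypted key string is a placeholder, not real type 6 output.

```python
"""Audit a Cisco IOS running-config for cleartext ISAKMP pre-shared keys.

Added example (not from the thread). It relies only on the config syntax
shown in the posts above:
  crypto isakmp key <key> address <peer> [mask]      -> cleartext
  crypto isakmp key 0 <key> address <peer> [mask]    -> cleartext (explicit type 0)
  crypto isakmp key 6 <key> address <peer> [mask]    -> AES-encrypted (type 6)
"""
import re
from dataclasses import dataclass

# Optional leading type token (0 or 6), then the key string, then the
# peer selector. Any mask or keywords after the peer are ignored.
ISAKMP_KEY_RE = re.compile(
    r"^crypto isakmp key(?: (?P<type>[06]))? (?P<key>\S+) "
    r"(?P<scope>address|hostname) (?P<peer>\S+)"
)


@dataclass
class KeyFinding:
    line_no: int
    scope: str
    peer: str
    stored_as: str  # "cleartext" or "aes-type-6"


def audit_config(config_text: str) -> dict:
    """Return global encryption settings plus one finding per ISAKMP key."""
    report = {
        "service_password_encryption": False,
        "password_encryption_aes": False,
        "keys": [],
    }
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if line == "service password-encryption":
            # Present on the OP's router, but (per the thread) does not
            # cover ISAKMP keys, so it is recorded and not trusted.
            report["service_password_encryption"] = True
        elif line == "password encryption aes":
            report["password_encryption_aes"] = True
        m = ISAKMP_KEY_RE.match(line)
        if m:
            stored = "aes-type-6" if m.group("type") == "6" else "cleartext"
            report["keys"].append(
                KeyFinding(line_no, m.group("scope"), m.group("peer"), stored)
            )
    return report


def cleartext_peers(report: dict) -> list:
    """Peers whose pre-shared key is readable in the config."""
    return [f.peer for f in report["keys"] if f.stored_as == "cleartext"]


def summarize(report: dict) -> str:
    lines = [
        f"service password-encryption: {report['service_password_encryption']}",
        f"password encryption aes:     {report['password_encryption_aes']}",
    ]
    for f in report["keys"]:
        lines.append(f"line {f.line_no}: {f.scope} {f.peer} -> {f.stored_as}")
    exposed = cleartext_peers(report)
    if exposed:
        lines.append(f"ACTION: {len(exposed)} key(s) in cleartext; enable "
                     "'key config-key password-encrypt' + 'password encryption aes'")
    return "\n".join(lines)


# Constructed sample config for the example (placeholder encrypted value).
SAMPLE_CONFIG = """\
hostname lab-2821
service password-encryption
!
crypto isakmp key password123 address 208.98.200.15 255.255.255.128
crypto isakmp key 6 PLACEHOLDER_TYPE6_STRING address 1.2.3.4
!
end
"""

if __name__ == "__main__":
    print(summarize(audit_config(SAMPLE_CONFIG)))
```

Running it against the sample reports the 208.98.200.15 key as cleartext even though service password-encryption is on, and the 1.2.3.4 key as type 6. Feed it the output of "show running-config" to check a real device; the master key itself never appears in the running config, so only the "password encryption aes" line and the "6" prefix on each key are observable from that output.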
