03-23-2005 09:31 AM - edited 03-09-2019 10:43 AM
While configuring the VPN features on a 2821, I discovered that my CRYPTO ISAKMP key is not hidden in the config. Instead of appearing like this:
crypto isakmp key *********** address 208.98.200.15 255.255.255.128
It appears like this:
crypto isakmp key password123 address 208.98.200.15 255.255.255.128
I have service password-encryption turned on.
I configured the key through SDM, and before the commands are sent to the router it shows asterisks and not the clear text password. But it comes out just the opposite.
Thanks.
03-23-2005 12:11 PM
Clinton
It has been my experience that the ISAKMP keys do show up in the config in clear text, whether or not password encryption is turned on. It is unfortunate that the behavior of SDM and IOS is different.
I also observe that the behavior of IOS does change over time. For a long time the TACACS key was displayed in clear text, and in recent versions of IOS it is now among the things protected by password encryption. So perhaps in some future release the ISAKMP keys will also be protected.
HTH
Rick
03-23-2005 01:10 PM
This doesn't help any, but the RADIUS key in earlier versions of IOS was in cleartext and in newer ones it's encrypted.
Hopefully soon, none of that sensitive info will be in cleartext.
Timo
03-24-2005 10:00 AM
Yep, it has changed on the PIX side too - IIRC, with a show tech-support it used to be cleartext, and now the only way to see clear text is to write the config to a TFTP server and view it there.
03-31-2005 04:16 AM
Hi,
You need to use the VPN Key Encryption feature to encrypt the VPN keys. It is more secure than "service password-encryption".
In SDM, You can see this feature in the VPN->VPN Components-> VPN key Encryption.
Ravikumar
11-09-2022 06:23 AM
Many years after the original post but 'service password-encryption' will not hide the isakmp key.
Instead, it can be encrypted using a device defined AES key as outlined here: https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/46420-pre-sh-keys-ios-rtr-cfg.html
Essentially with:
#conf t
(config)#key config-key password-encrypt my_aes_key
(config)#password encryption aes
crypto isakmp key password123 address 1.2.3.4
Becomes:
crypto isakmp key 6 encrypted_key address 1.2.3.4
Note from the above link:
Note: For security reasons, neither the removal of the master key, nor the removal of the password encryption aes command unencrypts the passwords in the router configuration. Once passwords are encrypted, they are not unencrypted. Existing encrypted keys in the configuration are still able to be unencrypted provided the master key is not removed.
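As an added example (not part of any post above and not Cisco's code), the following Python script audits a saved `show running-config` for ISAKMP pre-shared keys that are still stored in cleartext, which is the check a reviewer would run after reading this thread. It assumes the documented `crypto isakmp key [0|6] <key> address|hostname <peer>` syntax, where no digit or a leading 0 means cleartext and a leading 6 means the key was encrypted under the AES master key; the config excerpt is constructed for the example, and its mix of type-6 keys without `password encryption aes` mirrors the quoted note that removing the command does not unencrypt existing keys while any key added afterwards lands in cleartext.

```python
"""Audit a Cisco IOS running-config for ISAKMP pre-shared keys stored in cleartext.

Added example for this thread (not Cisco's code and not a tool from the original
posts). Assumes the documented 'crypto isakmp key [0|6] <key> address|hostname <peer>'
syntax: no digit or 0 means cleartext, 6 means encrypted under the master key set
with 'key config-key password-encrypt'.
"""

# Constructed sample excerpt of a 'show running-config' (not from a real device).
# Two keys were encrypted while 'password encryption aes' was active; the command was
# later removed, so keys added afterwards are cleartext, as the quoted note describes.
SAMPLE_CONFIG = """\
!
service password-encryption
!
crypto isakmp key password123 address 1.2.3.4
crypto isakmp key 0 another_secret address 10.0.0.1 255.255.255.0
crypto isakmp key 6 MWg_ZXhhbXBsZV9jaXBoZXJ0ZXh0 address 198.51.100.7
crypto isakmp key 6 encrypted_key hostname vpn-peer.example.net
!
"""

ISAKMP_KEY_PREFIX = ("crypto", "isakmp", "key")
PEER_KEYWORDS = ("address", "hostname")


def parse_isakmp_keys(config_text):
    """Return one record per 'crypto isakmp key' line: line number, peer, storage type.

    The key material itself is never copied into the record; only its length is kept,
    so the audit output can be shared without re-leaking a cleartext key.
    """
    records = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        tokens = raw.strip().split()
        if tuple(tokens[:3]) != ISAKMP_KEY_PREFIX or len(tokens) < 6:
            continue
        rest = tokens[3:]
        # The encryption-type digit is optional. Treat a leading 0/6 as the type only
        # when it is followed by a key token and then the peer keyword; otherwise a key
        # that is literally "0" or "6" would be misparsed as a type digit.
        if rest[0] in ("0", "6") and len(rest) >= 4 and rest[2] in PEER_KEYWORDS:
            enc_type, key, peer_kw, peer = rest[0], rest[1], rest[2], rest[3]
        elif rest[1] in PEER_KEYWORDS:
            enc_type, key, peer_kw, peer = "0", rest[0], rest[1], rest[2]
        else:
            continue  # not a shape we recognise; skip rather than guess
        records.append({
            "line": lineno,
            "peer": f"{peer_kw} {peer}",
            "storage": "aes" if enc_type == "6" else "cleartext",
            "key_length": len(key),
        })
    return records


def audit_config(config_text):
    """Summarise key storage and list findings, following the thread's advice."""
    records = parse_isakmp_keys(config_text)
    cleartext = [r for r in records if r["storage"] == "cleartext"]
    config_lines = {line.strip() for line in config_text.splitlines()}
    aes_enabled = "password encryption aes" in config_lines
    findings = [
        f"line {r['line']}: ISAKMP pre-shared key for {r['peer']} is stored in cleartext "
        "('service password-encryption' does not cover it)"
        for r in cleartext
    ]
    if cleartext and not aes_enabled:
        findings.append(
            "'password encryption aes' is not configured; set a master key with "
            "'key config-key password-encrypt' and enable it so keys are stored as type 6"
        )
    return {
        "total_keys": len(records),
        "cleartext_keys": len(cleartext),
        "aes_keys": len(records) - len(cleartext),
        "aes_enabled": aes_enabled,
        "findings": findings,
    }


if __name__ == "__main__":
    # Usage: point this at a saved config instead of SAMPLE_CONFIG.
    result = audit_config(SAMPLE_CONFIG)
    print(f"{result['cleartext_keys']} of {result['total_keys']} ISAKMP keys in cleartext")
    for finding in result["findings"]:
        print(" -", finding)
```

The parser deliberately records only the length of each key, so the report can be attached to a ticket without reproducing the secret it flags; a real audit would also cover the `crypto keyring` and `tunnel-group` forms that this thread does not discuss.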