Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
703
Views
10
Helpful
4
Replies

Difference between using pre-share key 6 and just pre-share key in IKEv1 IPSEC

Go to solution
CiscoPurpleBelt
Level 6
Level 6

‎02-28-2020 05:30 AM

I am trying to understand better between the differences as when using "6" it still show the password in plain text in the run-config.

Also, I understand all the policiy and key traffic is encrypted in phase 1 so would like to understand better when and when not to use the 6 parameter.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to CiscoPurpleBelt

‎03-02-2020 11:41 AM

Hi,

 

    "service password-encryption" is a Cisco proprietary cipher algorithm, ends up with a type 7 password and there are plenty of tools which allow you to find the clear-text string from the type7 cipher; but this was by design, it was never intended to be secure, but rather to defend against shoulder-watching attacks; this command affects all passwords configured with the "password" statement: your VTY line and console line password, your username password, your enable password.

    "password encryption aes" defines the algorithm and alongside with "key config-key password-encryption <string>" it will take your ISAKMP preshared keys and encrypt it via AES using the defined string; it shows up as a type 6 password. In order to make the process secure, the defined "string" is not kept in the configuration.

 

Regards,

Cristian Matei.

View solution in original post

4 Replies 4

Go to solution
Rob Ingram
VIP
VIP

‎02-28-2020 07:48 AM

Hi,

The keys are not encrypted until you enter the command password encryption aes, they will still appear in plaintext in the running configuration until you do. This guide is accurate, I've previously used it.

 

HTH

Go to solution
CiscoPurpleBelt
Level 6
Level 6
In response to Rob Ingram

‎03-02-2020 07:43 AM

So you don't really need the "6" if "service password encryption" is configured correct?
0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to CiscoPurpleBelt

‎03-02-2020 08:08 AM

As long as "password encryption aes" is configured, you don't need to define "6" when you define the PSK, you can just enter the plaintext PSK and it will convert.

HTH
0 Helpful

Go to solution
Cristian Matei
VIP Alumni
VIP Alumni
In response to CiscoPurpleBelt

‎03-02-2020 11:41 AM

Hi,

 

    "service password-encryption" is a Cisco proprietary cipher algorithm, ends up with a type 7 password and there are plenty of tools which allow you to find the clear-text string from the type7 cipher; but this was by design, it was never intended to be secure, but rather to defend against shoulder-watching attacks; this command affects all passwords configured with the "password" statement: your VTY line and console line password, your username password, your enable password.

    "password encryption aes" defines the algorithm and alongside with "key config-key password-encryption <string>" it will take your ISAKMP preshared keys and encrypt it via AES using the defined string; it shows up as a type 6 password. In order to make the process secure, the defined "string" is not kept in the configuration.

 

Regards,

Cristian Matei.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents