Difference between using pre-share key 6 and just pre-share key in IKEv1 IPSEC

CiscoPurpleBelt (Level 6)

I am trying to understand the differences better, as when using "6" it still shows the password in plain text in the run-config.

Also, I understand all the policy and key traffic is encrypted in phase 1, so I would like to understand better when and when not to use the 6 parameter.

Accepted Solution

Hi,

"service password-encryption" is a Cisco proprietary cipher algorithm; it ends up with a type 7 password, and there are plenty of tools which allow you to find the clear-text string from the type 7 cipher. But this was by design: it was never intended to be secure, but rather to defend against shoulder-watching attacks. This command affects all passwords configured with the "password" statement: your VTY line and console line password, your username password, your enable password.

"password encryption aes" defines the algorithm and, along with "key config-key password-encryption <string>", it will take your ISAKMP preshared keys and encrypt them via AES using the defined string; they show up as type 6 passwords. In order to make the process secure, the defined "string" is not kept in the configuration.

Regards,

Cristian Matei.

4 Replies

Hi,

The keys are not encrypted until you enter the command "password encryption aes"; they will still appear in plaintext in the running configuration until you do. This guide is accurate, I've previously used it.

HTH

So you don't really need the "6" if "service password encryption" is configured correctly?

As long as "password encryption aes" is configured, you don't need to define "6" when you define the PSK; you can just enter the plaintext PSK and it will convert.

HTH
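As an added example that is not part of this thread (my own script, not Cisco's), here is a small Python audit that applies the points made above to a saved running-config: it flags ISAKMP pre-shared keys stored without the "6" type (i.e. in the clear), flags type 7 passwords produced by "service password-encryption" as reversible, and reports when "password encryption aes" is absent. The two config excerpts are constructed samples; the type 7 strings and the type 6 placeholder are not real device output, and the master key set with "key config-key password-encryption" is intentionally not in either excerpt, since the accepted answer notes it is not kept in the configuration.

```python
"""Audit an IOS running-config for plaintext ISAKMP PSKs and type 7 passwords.

Added example for this thread; the sample configs below are constructed and
the type 6 ciphertext is a labelled placeholder, not real device output.
"""
import re
from typing import List, Tuple

# crypto isakmp key [0|6] <keystring> {address|hostname} ...
ISAKMP_KEY_RE = re.compile(
    r"^\s*crypto isakmp key\s+(?:(?P<type>[06])\s+)?(?P<key>\S+)\s+(?:address|hostname)\b"
)
# "password 7 <hex>" on username/line/enable statements: the reversible type 7 form
TYPE7_RE = re.compile(r"\bpassword 7 [0-9A-Fa-f]+\b")

Finding = Tuple[str, int, str]  # (finding code, 1-based line number, offending line)


def audit_config(config: str) -> List[Finding]:
    """Return findings for plaintext PSKs, type 7 passwords and a missing AES setting."""
    lines = config.splitlines()
    aes_enabled = any(line.strip() == "password encryption aes" for line in lines)
    findings: List[Finding] = []
    for number, line in enumerate(lines, start=1):
        match = ISAKMP_KEY_RE.match(line)
        if match:
            # "6" means the PSK is stored AES-encrypted under the config master key
            # (set by "key config-key password-encryption", which does not appear in
            # the running-config); "0" or no type at all means stored in the clear.
            if match.group("type") != "6":
                findings.append(("PSK-PLAINTEXT", number, line.strip()))
            continue
        if TYPE7_RE.search(line):
            # Type 7 only hides the string from a shoulder-surfer; it is reversible.
            findings.append(("TYPE7-REVERSIBLE", number, line.strip()))
    if not aes_enabled and any(code == "PSK-PLAINTEXT" for code, _, _ in findings):
        findings.append(("AES-NOT-ENABLED", 0, "password encryption aes is not configured"))
    return findings


# Constructed "before" excerpt: service password-encryption only, PSK in the clear.
BEFORE_CONFIG = """\
service password-encryption
!
username admin password 7 0822455D0A16
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
crypto isakmp key MySamplePSK address 203.0.113.10
!
line vty 0 4
 password 7 094F471A1A0A
"""

# Constructed "after" excerpt: password encryption aes added, PSK now stored as type 6.
AFTER_CONFIG = """\
service password-encryption
password encryption aes
!
username admin password 7 0822455D0A16
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
crypto isakmp key 6 TYPE6_CIPHERTEXT_PLACEHOLDER address 203.0.113.10
!
line vty 0 4
 password 7 094F471A1A0A
"""

if __name__ == "__main__":
    for label, config in (("before", BEFORE_CONFIG), ("after", AFTER_CONFIG)):
        print(f"== {label} ==")
        for code, number, text in audit_config(config):
            print(f"{code:18} line {number:>3}: {text}")
```

Run against the "before" excerpt the audit reports the plaintext PSK, both type 7 passwords and the missing AES setting; against the "after" excerpt only the two type 7 lines remain, which is exactly the accepted answer's point that "service password-encryption" never protected those strings in the first place.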
