03-07-2022 05:17 AM
Hi,
If I use these commands to encrypt the IPsec pre-shared key, and they are running on many routers:
key config-key password-encryption [master key]
password encryption aes
But if I add a new router which does not support pre-shared key encryption using AES (type 6), and it needs to use the standard encryption with "service password-encryption" (type 7),
so the questions are:
1- How do I do this without interrupting my running IPsec tunnels?
2- If I do "no password encryption aes", will it affect the other IPsec tunnels?
3- Could I have a solution with both encryption types running, standard and AES type 6?
03-07-2022 05:32 AM - edited 03-07-2022 05:34 AM
@Hamada Ahmed You can manually specify a type 6 pre-shared key when configuring the keyring, or just use a cleartext password.
CSR(config-ikev2-keyring-peer)#pre-shared-key local ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
LINE The UNENCRYPTED (cleartext) user password
hex Key entered in hex string
03-07-2022 05:38 AM
But if I use the below with clear text, will the password be encrypted using "password encryption aes" or "service password-encryption", or will it always be clear text?
CSR(config-ikev2-keyring-peer)#pre-shared-key local ?
0 Specifies an UNENCRYPTED password will follow
password encryption aes
03-07-2022 09:14 PM
Please perform these actions in a maintenance window. I've discovered some caveats when implementing Type 6 passwords.
1- How do I do this without interrupting my running IPsec tunnels?
** I don't believe adding a key chain and enabling password encryption aes on the router will interrupt your IPsec tunnels, as it is just changing how they are viewed in the running config. The router knows how to use a Type 0 (unencrypted), a Type 7 (Vigenère), or a Type 6 (AES).
2- If I do "no password encryption aes", will it affect the other IPsec tunnels?
I'm not sure why you would disable Type 6 passwords globally; however, yes, that may affect the tunnels.
3- Could I have a solution with both encryption types running, standard and AES type 6?
I don't believe so; once you enable Type 6 passwords by issuing password encryption aes, all passwords that can be encrypted will be.
service password-encryption enables the router to use Type 7 (weak)
password encryption aes enables the router to use Type 6 (strong)
Please take a look at this config guide that I authored.
https://community.cisco.com/t5/networking-documents/configuring-type-6-passwords-in-ios-xe/ta-p/4438495
Hope this helps
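To make concrete why the answer above calls Type 7 "weak" and Type 6 "strong", here is an added example (not code from this thread, from Cisco, or from the linked guide). It implements the publicly documented Type 7 scheme (a two-digit seed followed by the plaintext XORed with a fixed, well-known key string), then audits a constructed running-config excerpt: every "pre-shared-key ... 7 <hex>" line is recovered offline in microseconds, while a "... 6 <blob>" line cannot be recovered without the router's master key. The config excerpt, the peer names and addresses, and the Type 6 value (a placeholder, not a real ciphertext) are all made up for the example.

```python
"""Decode/encode Cisco IOS Type 7 strings and audit a config for key lines.

Added example: shows why a Type 7 IPsec pre-shared key is effectively
cleartext to anyone who can read the running config.
"""
import re

# Fixed XOR key used by the Type 7 scheme. It is public, so Type 7
# offers obfuscation only, not confidentiality.
_TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def type7_decode(encoded: str) -> str:
    """Reverse a Type 7 string: 2-digit seed, then hex pairs of XORed bytes."""
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("not a Type 7 string")
    seed = int(encoded[:2])
    if seed > 15:  # IOS only emits seeds 00..15
        raise ValueError("invalid Type 7 seed")
    body = bytes.fromhex(encoded[2:])  # raises ValueError on bad hex
    plain = bytes(
        b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(body)
    )
    return plain.decode("ascii")


def type7_encode(plaintext: str, seed: int = 9) -> str:
    """Produce the Type 7 form of plaintext, same XOR walk as IOS."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = plaintext.encode("ascii")
    out = bytes(
        b ^ _TYPE7_KEY[(seed + i) % len(_TYPE7_KEY)] for i, b in enumerate(data)
    )
    return f"{seed:02d}{out.hex().upper()}"


# Constructed sample running-config excerpt (not from the thread).
# The Type 6 value is a placeholder, not a real ciphertext.
SAMPLE_CONFIG = """\
service password-encryption
!
crypto ikev2 keyring KR-BRANCH
 peer BRANCH1
  address 192.0.2.10
  pre-shared-key local 7 094F471A1A0A
  pre-shared-key remote 7 03375E08140A351D
 peer BRANCH2
  address 192.0.2.20
  pre-shared-key local 6 PLACEHOLDER_TYPE6_BLOB
!
"""

# "<statement> 7 <hex>" and "<statement> 6 <blob>" key lines
_TYPE7_LINE = re.compile(r"^(?P<stmt>\s*\S.*?)\s7\s(?P<blob>[0-9A-Fa-f]{4,})\s*$")
_TYPE6_LINE = re.compile(r"^(?P<stmt>\s*\S.*?)\s6\s(?P<blob>\S+)\s*$")


def audit_config(config: str) -> list[tuple[str, str, str]]:
    """Return (statement, encoding, recovered value or note) per key line."""
    findings = []
    for line in config.splitlines():
        m7 = _TYPE7_LINE.match(line)
        if m7:
            findings.append((m7["stmt"].strip(), "type 7", type7_decode(m7["blob"])))
            continue
        m6 = _TYPE6_LINE.match(line)
        if m6:
            # AES under the key config-key master key; not recoverable offline
            findings.append((m6["stmt"].strip(), "type 6", "AES; needs the master key"))
    return findings


if __name__ == "__main__":
    for stmt, kind, value in audit_config(SAMPLE_CONFIG):
        print(f"{stmt:<24} {kind:<7} {value}")
```

Run it and every Type 7 line comes back as plaintext, which is the practical meaning of "weak" in the answer: if a new router can only do "service password-encryption", anyone with "show running-config" access on that box holds the tunnel PSK. Treat that router's config backups and TACACS/RADIUS read access accordingly, or use a distinct PSK for that peer so a leak does not expose the rest of the mesh.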
03-08-2022 01:56 AM
I want to have an unencrypted key, but it shows the error "please unconfigure symmetric key".
03-08-2022 01:46 AM
I received an error when trying pre-shared-key local 0.