Hamada Ahmed
Beginner

IPsec preshared key encryption

Hi,

 

If I use these commands to encrypt the IPsec pre-shared key, running on many routers:

  • key config-key password-encryption [master key]

  • password encryption aes

but then I add a new router which does not support pre-shared key encryption using AES type 6, and need to use standard encryption using "service password encryption" (password type 7),

so the questions are:

1- How can I do this without interrupting my running IPsec tunnels?

2- If I do "no password encryption aes", will it affect the other IPsec tunnels?

3- Is there a solution to have both standard encryption and AES-6 running?

Accepted Solution
Rob Ingram
VIP Expert

@Hamada Ahmed You can manually specify a type 6 pre-shared key when configuring the keyring or just use a cleartext password.

 

CSR(config-ikev2-keyring-peer)#pre-shared-key local ?
0 Specifies an UNENCRYPTED password will follow
6 Specifies an ENCRYPTED password will follow
LINE The UNENCRYPTED (cleartext) user password
hex Key entered in hex string


5 REPLIES
But if I use the below with clear text, will the password be encrypted using "password encryption aes" or "service password encryption", or will it always be clear text?

 

CSR(config-ikev2-keyring-peer)#pre-shared-key local ?
0 Specifies an UNENCRYPTED password will follow

 

  • password encryption aes

@Hamada Ahmed 

Please perform these actions in a maintenance window. I've discovered some caveats when implementing Type 6 passwords.

 

1- How can I do this without interrupting my running IPsec tunnels?

** I don't believe adding a key chain and enabling password encryption aes on the router will interrupt your IPsec tunnels, as it is just changing how they are viewed in the running config. The router knows how to use a Type 0 (unencrypted), a Type 7 (Vigenère), or a Type 6 (AES).

 

2- If I do "no password encryption aes", will it affect the other IPsec tunnels?

I'm not sure why you would disable Type 6 passwords globally; however, yes, that may affect the tunnels.

 

3- Is there a solution to have both standard encryption and AES-6 running?

I don't believe so. Once you enable Type 6 passwords by issuing password encryption aes, all passwords that can be encrypted will be.

 

service password encryption enables the router to use Type 7 (weak)

password encryption aes enables the router to use Type 6 (strong)

 

Please take a look at this config guide that I authored.
https://community.cisco.com/t5/networking-documents/configuring-type-6-passwords-in-ios-xe/ta-p/4438495

 

Hope this helps

 
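The reply above distinguishes Type 0, Type 7 and Type 6 pre-shared keys. The following added example (not from the thread or from Cisco) is a small audit script that walks an IOS-XE keyring configuration, reports the storage type of every pre-shared key, and checks whether the global "password encryption aes" line is present; the config excerpt, peer names, addresses and key strings are constructed for the example.

```python
import re

# Constructed sample excerpt of an IOS-XE running-config (not taken from the
# thread): it mixes the three key types the reply above names.
SAMPLE_CONFIG = """\
service password-encryption
password encryption aes
crypto ikev2 keyring KR1
 peer HQ
  address 192.0.2.1
  pre-shared-key local 6 ZAUVHHUBYEJWGBHCKCIBFXOFSEQPSRGDC
  pre-shared-key remote 0 MySecretPSK
 peer BRANCH
  address 192.0.2.2
  pre-shared-key 7 0103050A0B1D
"""

PEER_RE = re.compile(r"^\s*peer\s+(\S+)")
# Optional direction (local/remote), optional type marker, then the key itself.
PSK_RE = re.compile(
    r"^\s*pre-shared-key(?:\s+(local|remote))?(?:\s+(0|6|7|hex))?\s+(\S+)")
TYPE_NAMES = {"0": "cleartext", "hex": "cleartext hex",
              "6": "AES (type 6)", "7": "Vigenere-style (type 7)"}

def audit_psks(config: str):
    """Return (peer, direction, type) for every pre-shared-key line.
    A key with no explicit type marker was entered as cleartext (type 0)."""
    findings, peer = [], None
    for line in config.splitlines():
        m = PEER_RE.match(line)
        if m:
            peer = m.group(1)
            continue
        m = PSK_RE.match(line)
        if m:
            direction, ktype, _secret = m.groups()
            findings.append((peer, direction or "both", ktype or "0"))
    return findings

def weak_psks(config: str):
    """Peers whose pre-shared key is stored as anything other than type 6."""
    return [(p, d, TYPE_NAMES[t]) for p, d, t in audit_psks(config) if t != "6"]

def aes_enabled(config: str) -> bool:
    """True when the global 'password encryption aes' line is present."""
    return any(l.strip() == "password encryption aes" for l in config.splitlines())

if __name__ == "__main__":
    for peer, direction, kind in weak_psks(SAMPLE_CONFIG):
        print(f"peer {peer}: {direction} key stored as {kind}")
    print("type 6 globally enabled:", aes_enabled(SAMPLE_CONFIG))
```

Run it against the output of "show running-config" saved to a file to see which peers still carry Type 0 or Type 7 keys before and after enabling Type 6.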

I want to have an unencrypted key, but it shows the error "please unconfigure symmetric key".

I received an error when trying pre-shared-key local 0.
