Contents
How to Configure IKEv1 With Preshared Keys. The IKE implementation offers algorithms whose keys vary in length. The key length that you choose is determined by site security. In general, longer keys provide more security than shorter keys. In this procedure, you generate keys in ASCII format. These procedures use the system names enigma and partym. Configuring an IKE Policy for Preshared Keys, Example: Configuring an IKE Policy. You can create the connection with IKEv1 protocols by specifying -ConnectionProtocol IKEv1. Update the VPN connection pre-shared key, BGP, and IPsec/IKE policy View and update your pre-shared key. Azure S2S VPN connection uses a pre-shared key (secret) to authenticate between your on-premises VPN device and the Azure VPN gateway.
Introduction
Cisco IOSĀ® Software Release 12.3(2)T code introduces the functionality that allows the router to encrypt the ISAKMP pre-shared key in secure type 6 format in nonvolatile RAM (NVRAM). The pre-shared key to be encrypted can be configured either as standard, under an ISAKMP key ring, in aggressive mode, or as the group password under an EzVPN server or client setup. This sample configuration details how to set up encryption of both existing and new pre-shared keys.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on this software version:
Cisco IOS Software Release 12.3(2)T
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure
This section presents you with the information you can use to configure the features this document describes.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
These two new commands are introduced in order to enable pre-shared key encryption:
key config-key password-encryption [master key]
password encryption aes
The [master key] is the password/key used to encrypt all other keys in the router configuration with the use of an Advance Encryption Standard (AES) symmetric cipher. The master key is not stored in the router configuration and cannot be seen or obtained in any way while connected to the router.
Once configured, the master key is used to encrypt any existing or new keys in the router configuration. If the [master key] is not specified on the command line, the router prompts the user to enter the key and to re-enter it for verification. If a key already exists, the user is prompted to enter the old key first. Keys are not encrypted until you issue the password encryption aes command.
The master key can be changed (although this should not be necessary unless the key has become compromised in some way) by issuing the key config-key.. command again with the new [master-key]. Any existing encrypted keys in the router configuration are re-encrypted with the new key.
You can delete the master key when you issue the no key config-key... However, this renders all currently configured keys in the router configuration useless (a warning message displays that details this and confirms the master key deletion). Since the master key no longer exists, the type 6 passwords cannot be unencrypted and used by the router.
Note: For security reasons, neither the removal of the master key, nor the removal of the password encryption aes command unencrypts the passwords in the router configuration. Once passwords are encrypted, they are not unencrypted. Existing encrypted keys in the configuration are still able to be unencrypted provided the master key is not removed.
Additionally, in order to see debug-type messages of password encryption functions, use the password logging command in configuration mode.
Configurations
This document uses these configurations on the router:
| Encrypt the Existing Pre-shared Key |
|---|
| Add a New Master Key Interactively |
|---|
| Modify the Existing Master Key Interactively |
|---|
| Delete the Master Key |
|---|
Verify
There is currently no verification procedure available for this configuration.
Ikev1 Pre-shared-key
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.
Related Information
IFM supplies network engineering services for $NZ180+GST per hour. If you require assistance with designing or engineering a Cisco network - hire us!
Note: This page uses client side Javascript. It does not transmit any information entered to IFM.
You are building a site to site VPN and need to exchange the PSK. However you are not allowed to email it, and TXTing never works as it mangles the PSK. What to do?
This tool uses client side javascript - so no information is ever transmitted - and generates a random PSK in your own web browser that rolls every 24 hours. All it requires is for both parties to have their machine clocks approximately correctly (so both machines calculate the same PSK).
Ipsec Vpn Pre Shared Key Generator
Optionally, to make a more variable key, you can enter two encoding keys, and these keys must be exchanged between both parties. For example, you can make the two keys the public IP address of the two VPN terminators. Or you can use serial numbers, MAC addresses, or you could call each other and exchange two colours, favourite sports teams, etc. Note that whatever one party enters as 'Key 1' the other party must enter as 'Key 1', and whatever one party enters as 'Key 2' the other party must also enter as 'Key 2'.
Daemon tools pro advanced 6.2 key generator. Then the tool will take your two keys, add a unique salt for that 24 hour period, and generate a nasty PSK that no person would ever guess - and that has never been transmitted over any medium, ever.
Ikev2 Pre Shared Key Generator
This page uses Javascript, and alas, your browser does not support it.