How to Encrypt Cisco VPN Pre-shared Keys


Most of the time when I review Cisco router L2L (site-to-site), Easy VPN client and other VPN configurations from customers or friends, the pre-shared key is not encrypted. I'm not sure whether the engineer who configured or deployed it knows how to conceal the key. This is a huge security hole for the customer: anyone knowledgeable who obtains the running configuration can extract what they need to reach the customer's private site through the VPN. Another thing I noticed is that the same key is used for both L2L and Easy VPN. That increases the chance of an intruder getting into a private network that is supposed to be secure.

This article shows how to encrypt VPN pre-shared keys on Cisco routers, a three-step procedure. Cisco encrypts the keys with AES (the type 6 format shown below), so it is difficult to decrypt a key and recover the actual password.

Summary Steps:
1. enable
2. configure terminal
3. key config-key password-encryption
4. password encryption aes

Sample output after the pre-shared keys are encrypted:

Easy VPN Client:
!
crypto isakmp client configuration group test
 key 6 _SgZNJBPLa_CSOO^YdI_aghMg\h
!

LAN-to-LAN:
!
!ISAKMP preshared key
!
crypto isakmp key 6 EdXgY]O^VXe\dPWSZfZILaFT address 1.1.1.1
!
!ISAKMP preshared key in ISAKMP Keyrings
!
crypto keyring testvpn
  pre-shared-key address 1.1.1.1 key 6 QB`WcMeZDH`a\J_MUAZXe[bh`bi
!
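As an added example that is not part of the original post, here is a small Python audit script in the spirit of the two problems the post describes: it walks a saved Cisco IOS running-config and reports every pre-shared key that is not stored as type 6, and every cleartext key that is reused across L2L and Easy VPN. The configuration text is constructed for this example: the type 6 lines are the post's own sample output, while the cleartext keys, the `sales` group and the 192.0.2.x peer addresses are made up.

```python
"""Audit a Cisco IOS running-config for VPN pre-shared keys that are not
stored as type 6 (AES-encrypted) and for cleartext keys reused across VPNs.
Added example; the sample config below is constructed, not a real device."""
import re
from collections import defaultdict
from typing import NamedTuple

# Constructed sample. Type 6 lines are from the post; cleartext lines,
# the "sales" group and the 192.0.2.x peers are made up for this example.
SAMPLE_CONFIG = r"""
!
crypto isakmp client configuration group test
 key 6 _SgZNJBPLa_CSOO^YdI_aghMg\h
!
crypto isakmp client configuration group sales
 key cisco123
!
crypto isakmp key 6 EdXgY]O^VXe\dPWSZfZILaFT address 1.1.1.1
crypto isakmp key cisco123 address 192.0.2.10
crypto isakmp key 0 SecretOne address 192.0.2.11
!
crypto keyring testvpn
  pre-shared-key address 1.1.1.1 key 6 QB`WcMeZDH`a\J_MUAZXe[bh`bi
  pre-shared-key address 192.0.2.12 key SecretOne
!
"""


class PskEntry(NamedTuple):
    vpn_type: str   # "l2l" (crypto isakmp key), "keyring", or "ezvpn"
    peer: str       # peer address/hostname, or the Easy VPN group name
    key_type: str   # "6" = AES-encrypted (type 6); "0" = cleartext
    key: str        # the key string exactly as it appears in the config
    line_no: int    # 1-based line in the config text


# Optional key-type prefix; a missing prefix means the key is cleartext.
KEY_TYPE = r"(?:(?P<ktype>0|6) )?"
RE_L2L = re.compile(r"^crypto isakmp key " + KEY_TYPE
                    + r"(?P<key>\S+) (?:address|hostname) (?P<peer>\S+)")
RE_KEYRING_HDR = re.compile(r"^crypto keyring (?P<name>\S+)")
RE_KEYRING_PSK = re.compile(r"^\s+pre-shared-key (?:address|hostname) (?P<peer>\S+)"
                            r"(?: \d+\.\d+\.\d+\.\d+)? key " + KEY_TYPE + r"(?P<key>\S+)")
RE_EZVPN_HDR = re.compile(r"^crypto isakmp client configuration group (?P<name>\S+)")
RE_EZVPN_KEY = re.compile(r"^\s+key " + KEY_TYPE + r"(?P<key>\S+)")


def parse_psks(config: str) -> list[PskEntry]:
    """Collect every pre-shared key from the three places IOS stores them."""
    entries: list[PskEntry] = []
    section = None  # (kind, name) of the indented block we are inside, if any
    for line_no, line in enumerate(config.splitlines(), start=1):
        if not line.startswith(" "):
            # Any non-indented line ("!" included) ends the previous block.
            section = None
            if m := RE_KEYRING_HDR.match(line):
                section = ("keyring", m["name"])
            elif m := RE_EZVPN_HDR.match(line):
                section = ("ezvpn", m["name"])
            elif m := RE_L2L.match(line):
                entries.append(PskEntry("l2l", m["peer"], m["ktype"] or "0", m["key"], line_no))
            continue
        if section is None:
            continue
        kind, name = section
        if kind == "keyring" and (m := RE_KEYRING_PSK.match(line)):
            entries.append(PskEntry("keyring", m["peer"], m["ktype"] or "0", m["key"], line_no))
        elif kind == "ezvpn" and (m := RE_EZVPN_KEY.match(line)):
            entries.append(PskEntry("ezvpn", name, m["ktype"] or "0", m["key"], line_no))
    return entries


def find_unencrypted(entries: list[PskEntry]) -> list[PskEntry]:
    """Keys that are not type 6, i.e. readable by anyone holding the config."""
    return [e for e in entries if e.key_type != "6"]


def find_reused(entries: list[PskEntry]) -> dict[str, list[PskEntry]]:
    """Cleartext keys used for more than one peer or VPN type. Only cleartext
    keys are compared: type 6 strings can only be decrypted by the router."""
    by_key: dict[str, list[PskEntry]] = defaultdict(list)
    for e in entries:
        if e.key_type != "6":
            by_key[e.key].append(e)
    return {k: v for k, v in by_key.items() if len(v) > 1}


def audit(config: str) -> dict:
    entries = parse_psks(config)
    return {"total": len(entries),
            "unencrypted": find_unencrypted(entries),
            "reused": find_reused(entries)}


if __name__ == "__main__":
    report = audit(SAMPLE_CONFIG)
    print(f"{report['total']} pre-shared keys found, "
          f"{len(report['unencrypted'])} not stored as type 6")
    for e in report["unencrypted"]:
        # The key value itself is deliberately not printed.
        print(f"  line {e.line_no}: {e.vpn_type} {e.peer} key stored in cleartext")
    for uses in report["reused"].values():
        where = ", ".join(f"{e.vpn_type}/{e.peer}" for e in uses)
        print(f"  one cleartext key reused across: {where}")
```

Run it against `show running-config` output saved to a file, or from a config-backup repository, to find routers where the procedure above has not been applied. One caveat worth knowing before you roll the procedure out: type 6 is reversible on the router, and what protects it is the master key set with `key config-key password-encryption`, which is not shown in the running configuration. If that master key is lost or changed, the existing type 6 keys can no longer be decrypted and have to be re-entered, so record it somewhere safe, and keep treating configuration backups as sensitive.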

For more information about this topic, refer to this document.
