Most of the time when I review a Cisco router L2L (site-to-site), Easy VPN client or other VPN configuration from customers or friends, the pre-shared key is not encrypted. I am not sure whether the engineer who configured or deployed it knew how to conceal the key. This is a serious security hole for the customer: anyone knowledgeable who obtains a copy of the running configuration can extract the key and use it to reach the customer's private network through the VPN. Another thing I noticed is that the same key is used for both the L2L and Easy VPN tunnels, so a single leaked key gives an attacker a way into a network that is assumed to be secure.
This article shows how to encrypt VPN pre-shared keys on Cisco IOS routers in three steps. The keys are stored as type 6 secrets, encrypted with AES under a master key that you set once with key config-key password-encryption. The master key itself is never written to the running configuration, so a copy of the configuration alone is not enough to recover the pre-shared keys. Two caveats: the protection is only as strong as the master key and the access controls on the router, since anyone with privileged EXEC access can still use the keys; and if the master key is lost, the type 6 secrets cannot be recovered and every pre-shared key must be re-entered.
1. enable
2. configure terminal
3. key config-key password-encryption (you are prompted for the master key, which must be at least 8 characters long; it is not shown in the running configuration)
4. password encryption aes (existing clear-text pre-shared keys are converted to type 6, and new keys are stored encrypted)
Sample output after pre-shared key encryption is enabled. The 6 after key marks a type 6, AES-encrypted secret; a key with no type or with type 0 is still clear text.
Easy VPN client group:
crypto isakmp client configuration group test
key 6 _SgZNJBPLa_CSOO^YdI_aghMg\h
!ISAKMP preshared key
crypto isakmp key 6 EdXgY]O^VXe\dPWSZfZILaFT address 184.108.40.206
!ISAKMP preshared key in ISAKMP Keyrings
crypto keyring testvpn
pre-shared-key address 220.127.116.11 key 6 QB`WcMeZDH`a\J_MUAZXe[bh`bi
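The following Python script is an added example, not code from the original article or from Cisco. It audits a saved running-config for the two problems described above: pre-shared keys that are still clear text (no type, or type 0) in any of the three places they can appear (crypto isakmp key, an Easy VPN client configuration group, and an ISAKMP keyring), and one key reused across several peers or groups. It also reports when password encryption aes is missing, since the master key never appears in the configuration and that line is the visible sign that type 6 encryption is switched on. The embedded configuration is constructed for the example; the peer addresses are documentation addresses and the type 6 ciphertexts are copied from the sample output above and treated as opaque values.

```python
"""Audit a Cisco IOS running-config for clear-text or reused IKE pre-shared keys.

Added example, not Cisco code. It reads the three places a PSK can appear:

  crypto isakmp key [0|6] <key> address|hostname <peer>
  crypto isakmp client configuration group <name>
     key [0|6] <key>
  crypto keyring <name>
     pre-shared-key address|hostname <peer> [mask] key [0|6] <key>

Type 6 means AES-encrypted under the master key set with
'key config-key password-encryption'. Type 0 or no type means clear text.
"""
import re
from dataclasses import dataclass

# Constructed sample config (documentation addresses, not a real site).
SAMPLE_CONFIG = """\
version 15.4
service password-encryption
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp key Branch2021 address 192.0.2.10
crypto isakmp key 0 Branch2021 address 192.0.2.11
crypto isakmp key 6 EdXgY]O^VXe\\dPWSZfZILaFT address 192.0.2.12
!
crypto isakmp client configuration group remoteusers
 key Branch2021
 pool vpnpool
!
crypto keyring partner
  pre-shared-key address 198.51.100.7 key 6 QB`WcMeZDH`a\\J_MUAZXe[bh`bi
  pre-shared-key hostname hub.example.net key 0 HubSecret!
!
end
"""


@dataclass
class Psk:
    scope: str      # "isakmp", "ezvpn-group:<name>" or "keyring:<name>"
    peer: str       # address, hostname or group name
    key_type: str   # "0" (clear text) or "6" (AES type 6)
    value: str      # ciphertext for type 6, the real key otherwise

    @property
    def encrypted(self) -> bool:
        return self.key_type == "6"


_ISAKMP_KEY = re.compile(r"^crypto isakmp key (?:(0|6) )?(\S+) (address|hostname) (\S+)")
_GROUP_HDR = re.compile(r"^crypto isakmp client configuration group (\S+)")
_GROUP_KEY = re.compile(r"^\s+key (?:(0|6) )?(\S+)$")
_KEYRING_HDR = re.compile(r"^crypto keyring (\S+)")
_KEYRING_KEY = re.compile(
    r"^\s+pre-shared-key (address|hostname) (\S+)(?: \S+)*? key (?:(0|6) )?(\S+)")


def parse_psks(config: str) -> list:
    """Walk the config line by line; indented lines belong to the last block header."""
    found = []
    block = None  # (kind, name) of the current sub-mode, or None at top level
    for line in config.splitlines():
        if not line.startswith(" "):
            block = None  # any top-level command (including '!') ends the sub-mode
            m = _ISAKMP_KEY.match(line)
            if m:
                ktype, value, _, peer = m.groups()
                found.append(Psk("isakmp", peer, ktype or "0", value))
                continue
            m = _GROUP_HDR.match(line)
            if m:
                block = ("ezvpn-group", m.group(1))
                continue
            m = _KEYRING_HDR.match(line)
            if m:
                block = ("keyring", m.group(1))
            continue
        if block is None:
            continue
        kind, name = block
        if kind == "ezvpn-group":
            m = _GROUP_KEY.match(line)
            if m:
                ktype, value = m.groups()
                found.append(Psk(f"ezvpn-group:{name}", name, ktype or "0", value))
        elif kind == "keyring":
            m = _KEYRING_KEY.match(line)
            if m:
                _, peer, ktype, value = m.groups()
                found.append(Psk(f"keyring:{name}", peer, ktype or "0", value))
    return found


def audit(config: str) -> dict:
    """Return findings per category; an empty list means that check passed."""
    psks = parse_psks(config)
    findings = {"plaintext": [], "reused": [], "no_aes": []}
    for p in psks:
        if not p.encrypted:
            findings["plaintext"].append(f"{p.scope} peer={p.peer}")
    # Reuse is only detectable among clear-text keys: type 6 values are
    # treated as opaque ciphertext and are never compared with each other.
    by_value = {}
    for p in psks:
        if not p.encrypted:
            by_value.setdefault(p.value, []).append(f"{p.scope} peer={p.peer}")
    for places in by_value.values():
        if len(places) > 1:
            findings["reused"].append(
                f"{len(places)} places share one key: " + ", ".join(places))
    # The master key never shows up in running-config; this line is the
    # visible evidence that type 6 encryption has been enabled.
    if not re.search(r"^password encryption aes$", config, re.M):
        findings["no_aes"].append("'password encryption aes' is not configured")
    return findings


def report(config: str) -> str:
    lines = [f"[{cat}] {item}" for cat, items in audit(config).items() for item in items]
    return "\n".join(lines) or "no findings"


if __name__ == "__main__":
    print(report(SAMPLE_CONFIG))
```

Run it against a "show running-config" capture instead of SAMPLE_CONFIG to get the same three categories of findings; anything listed under plaintext is a key that a copy of the configuration gives away, and anything under reused is a key whose leak opens more than one tunnel.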
For more information about this topic, refer to Cisco's documentation for the Encrypted Preshared Key feature.