ISAKMP Auth failing

Unanswered Question
Jul 24th, 2007

I'm having issues getting the preshared key configured on both ends of a tunnel. I can change the key on the host FW but am unable to change the key on the remote FW. It just errors when issuing a command telling me that there's already a key assigned for the IP address requested. How can I change the key on the remote firewall?

sathishd-aus Wed, 07/25/2007 - 01:14

Are you configuring the preshared key on a PIX/ASA or on a router?

Sponge1771 Wed, 07/25/2007 - 06:17

LAN-to-LAN PIX VPN tunnel. I can change the preshared key on the host PIX, but the remote PIX will not allow me to change the key setting in the config t mode.

Jon Marshall Wed, 07/25/2007 - 10:39

Hi


Try deleting the existing one first, i.e.


no isakmp key ******** address "IP address"


and then add your new one.


HTH


Jon

Sponge1771 Wed, 07/25/2007 - 12:55

I don't know the key, but did not try entering *******. Will just using asterisks work?

Jon Marshall Mon, 08/06/2007 - 13:56

Hi


Have you tried this command? Yes, using just asterisks should remove the key.


Jon

krishnakomiti Tue, 07/31/2007 - 02:56

Hi,


Use the below command to delete:

"no isakmp key *********** address xxx.xxx.xxx.xxx netmask 255.255.255.255"


Here ***** means your preshared key and XXX.XXX. means your destination IP address. You have to use this to delete, and then try to add the new one.


Regards,

Krishna.

Sponge1771 Tue, 07/31/2007 - 05:55

The problem is, I took over for some people that left and didn't document well, so I do not know what the preshared key is. Is there a way to either retrieve it or remove that command without setting the device back to defaults and starting from scratch?

grahambartlett Mon, 08/06/2007 - 04:38

Hi Sponge1771


You have a few methods to see the keys... ;-)


1. Copy the running-config to a tftp server (copy runn tftp)


2. Show the running config so you can see the pre-shared keys.


more system:running-config


3. Enable an HTTPS server and view this using it.


The choice is yours...


If you find this post helpful please mark it :-)

ciscosom Mon, 08/06/2007 - 12:42

If you are looking for the pre-shared key, issue "sh crypto isakmp key" on the router to see the key that was set on the ISAKMP.

Sponge1771 Mon, 08/06/2007 - 12:47

That shows the isakmp configuration, but the key is blanked out with *******.
