No tunnel group passwords inside ASA backup

Answered Question
Dec 15th, 2008

Hi, does anyone know why the tunnel group passwords have been removed from the config? See below.


tunnel-group TG_RAS ipsec-attributes
 pre-shared-key *


This means that if I try to restore the config I am going to have an * as the preshare key password.


Is there a way to have the preshare key shown as encrypted text?


Many thanks

Correct Answer by Farrukh Haroon about 8 years 3 months ago

They are not removed. This is more of a security feature to evade the 'over the back' peekers :). You can see/recover the password using multiple ways:


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml


Regards


Farrukh



Correct Answer
ajagadee Mon, 12/15/2008 - 20:07
User Badges:
  • Cisco Employee,

Hi,


Do a "write net tftp_server_ip:filename" and then open the filename from the tftp server. It should be in a non-encrypted format. The encryption is caused by the PIX software.


Regards,

Arul


*Pls rate if it helps*


Correct Answer
JORGE RODRIGUEZ Mon, 12/15/2008 - 20:57

In addition, you can also issue more system to show the secret keys in plain text for all IPsec tunnels' preshare keys.


The password has not been removed. As far as I know they do show as *, but the actual password is there; when you back up the config, that information will be backed up and copied back to the fw when restoring the config.


asa# more system:running-config


Regards
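
A check for saved config files, added here as an example and not taken from any post in this thread: it reports, per tunnel group, whether a backup carries a masked (*) or a clear-text pre-shared key. The sample configs and the key value are constructed, and matching key lines that carry an ikev1/ikev2 prefix goes beyond the syntax shown in the thread.

```python
import re

# Constructed samples: one tunnel group saved with the key masked, as in the
# question, and one saved with the key in clear text (value is made up).
MASKED_BACKUP = """\
tunnel-group TG_RAS type remote-access
tunnel-group TG_RAS ipsec-attributes
 pre-shared-key *
!
"""
CLEAR_BACKUP = """\
tunnel-group TG_RAS type remote-access
tunnel-group TG_RAS ipsec-attributes
 pre-shared-key ExampleKey123
!
"""

GROUP_RE = re.compile(r"^tunnel-group\s+(\S+)\s+ipsec-attributes$")
# Optional leading words cover "ikev1 pre-shared-key ..." style lines.
PSK_RE = re.compile(r"^(?:\S+\s+)*pre-shared-key\s+(\S+)$")


def audit_psk(config_text):
    """Return [(tunnel_group, 'masked' | 'cleartext')] for every PSK line."""
    findings, group = [], None
    for line in config_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue                      # forum pastes often add blank lines
        m = GROUP_RE.match(stripped)
        if m:
            group = m.group(1)
            continue
        m = PSK_RE.match(stripped)
        if m and group:
            masked = set(m.group(1)) == {"*"}
            findings.append((group, "masked" if masked else "cleartext"))
        elif not line[:1].isspace():
            group = None                  # another top-level line ends the block
    return findings


if __name__ == "__main__":
    notes = {"masked": "key value is not in this file",
             "cleartext": "file contains the key; protect it as a secret"}
    for label, text in (("masked backup", MASKED_BACKUP),
                        ("clear backup", CLEAR_BACKUP)):
        for group, state in audit_psk(text):
            print(f"{label}: {group}: {state} ({notes[state]})")
```
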

