No tunnel group passwords inside ASA backup

Answered Question
Dec 15th, 2008

Hi, does anyone know why the tunnel group passwords have been removed from the config? See below:

tunnel-group TG_RAS ipsec-attributes

pre-shared-key *

This means that if I try to restore the config I am going to have an * as the preshare key password.

Is there a way to have the preshare key shown as encrypted text?

Many thanks

Correct Answer by Farrukh Haroon about 7 years 11 months ago

They are not removed. This is more of a security feature to evade the 'over the back' peekers :). You can see/recover the password using multiple ways:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml

Regards

Farrukh

Correct Answer by JORGE RODRIGUEZ about 7 years 11 months ago

In addition, you can also issue more system to show the pre-shared keys of all IPsec tunnels in plain text.

The password has not been removed. As far as I know, they do show as *, but the actual password is there; when you back up the config, that information will be backed up and copied back to the FW when restoring the config.

asa# more system:running-config

Regards

Correct Answer by ajagadee about 7 years 11 months ago

Hi,

Do a "write net tftp_server_ip:filename" and then open the filename from the tftp server. It should be in a non-encrypted format. The encryption is caused by the PIX software.

Regards,

Arul

*Pls rate if it helps*
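
An added example, not part of any post above and not Cisco code: following the concern raised in the question, this Python check reads a saved ASA config and reports, per tunnel group, whether the pre-shared key was saved as the `*` mask or as a real value, without printing the key. The sample config, the second tunnel group and its key are constructed, and handling of the `ikev1` prefix goes beyond the syntax shown in the thread.

```python
import re

# Constructed sample backup. The masked TG_RAS entry mirrors the question;
# the second group and its key are made up for illustration.
SAMPLE_BACKUP = """\
tunnel-group TG_RAS type remote-access
tunnel-group TG_RAS ipsec-attributes
 pre-shared-key *
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 pre-shared-key ExampleKey123
"""

GROUP_RE = re.compile(r"^tunnel-group\s+(\S+)\s+ipsec-attributes\s*$")
# Later ASA releases write the same line as "ikev1 pre-shared-key ...".
KEY_RE = re.compile(r"^\s*(?:ikev1\s+)?pre-shared-key\s+(\S+)\s*$")


def audit_backup(text):
    """Map each tunnel group to 'masked', 'cleartext' or 'no-key'."""
    results, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue  # pasted configs often carry blank lines
        group = GROUP_RE.match(line)
        key = KEY_RE.match(line)
        if group:
            current = group.group(1)
            results[current] = "no-key"
        elif key and current:
            masked = set(key.group(1)) == {"*"}
            results[current] = "masked" if masked else "cleartext"
        elif not line[0].isspace():
            current = None  # left the ipsec-attributes sub-mode
    return results


def restorable(results):
    """True only if no tunnel group would be restored with '*' as its key."""
    return "masked" not in results.values()


if __name__ == "__main__":
    report = audit_backup(SAMPLE_BACKUP)
    for name, state in report.items():
        print(f"{name}: {state}")  # key values are never printed
    if not restorable(report):
        print("Backup has masked keys; re-export before relying on it.")
    if "cleartext" in report.values():
        print("Backup holds cleartext keys; store it encrypted.")
```

A backup that reports `cleartext` for every group is a complete restore source and, for the same reason, a file that needs the same protection as the keys themselves.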
