pre-share key showing as clear text in router configuration

jomo frank
Level 1

Hello Expert,

I am using DMVPN to configure my tunnel between the hub and spokes.

I discovered my pre-share keys are shown in clear text when I do the sh run config command.

How can I correct this?

crypto isakmp key xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx address pp.pp.pp.11 (note: I just edited the key for the purpose of this post)

Regards

Jomo

Jon Marshall
Hall of Fame

Jomo

See this document to answer your query -

Encrypt pre-shared keys in IOS

Jon

Hello Jon,

I read the document as per the link and I am able to encrypt the pre-share key on the spoke but not on the hub.

When I add a new pre-share key for any spoke end point, it is shown in clear text.

A quick outline: I have a hub router connected to around 7 spokes.

I am using DMVPN to configure the VPN tunnels.

As part of the IKE policy I am adding a unique pre-share key per spoke, as opposed to a single pre-share key for all.

I found that only when I configure the 0.0.0.0 network am I able to get the encryption, as shown below:

IKE PRE-SHARE KEY CONFIGURATION ON THE HUB

-------------------------------------------------------------------------------------------------

crypto isakmp key thisatestkeyconfigurationnumber2 address ppp.xxx.rrr.2

crypto isakmp key thisatestkeyconfigurationnumber1 address eee.sss.www.17

crypto isakmp key #Zjq>eaRc2[KAsgj:`U7oBP\+o.qiZ-@ address 0.0.0.0 0.0.0.0

I am unsure how to move forward.

Regards

Hello Jomo,

What IOS image is running on the hub?

You can try to use

conf t

service password encryption

Warning: but this will encrypt all passwords in the configuration.

Check the syntax as I couldn't verify it.

Hope to help

Giuseppe

Hello Giustar,

VERSION

This is the show version output of the router: show version

!----------------------------------------------------------------------------

Cisco IOS Software, 2800 Software (C2800NM-ADVSECURITYK9-M), Version 12.4(3i), RELEASE SOFTWARE (fc2)

Technical Support: http://www.cisco.com/techsupport

Copyright (c) 1986-2007 by Cisco Systems, Inc.

Compiled Wed 28-Nov-07 21:10 by stshen

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)

uptime is 7 weeks, 3 days, 15 hours, 6 minutes

System returned to ROM by power-on

System image file is "flash:c2800nm-advsecurityk9-mz.124-3i.bin"

>>>>   you can try to use

       conf t

       service password encryption

This command is already on the router; see the subset of my running configuration below.

router07#sh run
Building configuration...

Current configuration : 6769 bytes
!
version 12.4
no service pad
service tcp-keepalives-in
service tcp-keepalives-out
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service password-encryption
service sequence-numbers
!

Regards

Jomo
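
The situation in this thread, where `service password-encryption` is in the running configuration but the `crypto isakmp key` lines still show the key, can be checked offline against a saved configuration. The Python below is an added example, not code from any poster or from Cisco; the sample configuration is constructed, and it assumes IOS writes a type 6 (encrypted) key with a `6` before the key string and records `password encryption aes` in the running configuration.

```python
import re

# "crypto isakmp key [0|6] <keystring> address|hostname <peer> ..."
# Assumption: a type 6 (AES-encrypted) key carries a "6" before the key string;
# no marker, or "0", means the string stored in the file is the key itself.
ISAKMP_KEY = re.compile(
    r"^crypto isakmp key\s+(?:(?P<type>[06])\s+)?(?P<key>\S+)\s+"
    r"(?:address|hostname)\s+(?P<peer>\S+)(?:\s+.*)?$"
)

# Constructed sample, not taken from the thread (documentation address ranges).
SAMPLE_CONFIG = """\
version 12.4
service password-encryption
!
crypto isakmp key CONSTRUCTED-KEY-ONE address 192.0.2.2
crypto isakmp key 0 CONSTRUCTED-KEY-TWO address 198.51.100.17 no-xauth
crypto isakmp key 6 CONSTRUCTEDTYPE6STRING address 0.0.0.0 0.0.0.0
"""


def audit_isakmp_keys(config_text):
    """Classify ISAKMP pre-shared keys in a saved config; keys are never echoed."""
    lines = [line.strip() for line in config_text.splitlines()]
    findings = {
        "service_password_encryption": "service password-encryption" in lines,
        "password_encryption_aes": "password encryption aes" in lines,
        "cleartext_peers": [],
        "type6_peers": [],
    }
    for lineno, line in enumerate(lines, 1):
        m = ISAKMP_KEY.match(line)
        if m:
            bucket = "type6_peers" if m["type"] == "6" else "cleartext_peers"
            findings[bucket].append((lineno, m["peer"]))
    return findings


def report(findings):
    """Build human-readable findings that name the peer but not the key."""
    out = [f"line {n}: cleartext ISAKMP key for peer {peer}"
           for n, peer in findings["cleartext_peers"]]
    if findings["cleartext_peers"] and not findings["password_encryption_aes"]:
        out.append("'password encryption aes' is not in this configuration")
    return out


if __name__ == "__main__":
    print("\n".join(report(audit_isakmp_keys(SAMPLE_CONFIG))))
```

Run it against a copy of the configuration held on an admin host, since that copy contains the same cleartext keys and needs the same protection as the router.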
