IPsec preshared key in clear in IOS config

crhodes · ‎03-04-2003

Does anyone know if Cisco have plans to allow the preshared key to be encrypted within the IOS config?

If so, which version of the IOS this feature will be in. Will it be strong encrpytion as per enable secret, or weak encryption as per everywhere else.

gfullage · ‎03-04-2003

This has been talked about extensively, at the moment it's not available until we can actually come up with a good way to do it.

It definately won't be weak encryption since as I'm sure you're aware, there's no point doing it if we go that route. The perception of security is worse than having no security at all.

Unfortunately, if we encrypt the key using a one-way algorithm (type 5, like the enable secret), the router needs to know the unencrypted form of the key, but if we encrypted it with a one-way hash as this type does, there's no way we can get back to it. There's nowhere else to store the key in the router in its plain text form other than in the config. A similar problem arises with us encrypting CHAP passwords, you'll notice we don't do that either. Both CHAP and IKE don't send the password over the network, so each end has to know what the original password is, but as I said, if we store it in the config as the level 5 encrypted version, we then don't know what the original was. Things like the enable secret and PAP passwords rely on the original password being sent over the network, so the router just grabs whatever the user types in, runs the one-way hash over it and compares it to what's stored in the config, if it's the same the router assumes the password is correct.

So, in short, nothing is available at the moment, but it's definately on the agenda. You can off-load the keys to an external AAA server if you don't want to store them on the router, or you can use certificates.