Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
813
Views
5
Helpful
9
Replies

How do I encrypt the pre-shared key on Cisco 837 router?

whiteford
Level 1
Level 1

‎07-30-2007 02:15 AM - edited ‎03-03-2019 06:05 PM

Hi, how do encrypt the pre-shared key on a Cisco 837 router?

Labels:
0 Helpful
9 Replies 9

royalblues
Level 10
Level 10

‎07-30-2007 02:20 AM

The preshared key is used to calculate the hash Values as per the parameters set (md5, hmac etc). This hash value is sent to the peer but never the key.

The only way to see the key is to look at the running configuration. The encryptrion does not get compromised on the wire even the key is not encrypted.

HTH

Narayan

0 Helpful

paolo bevilacqua
Hall of Fame
Hall of Fame
In response to royalblues

‎07-30-2007 02:24 AM

Correct, matter is that most people is baffled when seeing any clear text keys in config as we know that terminal and enable passwords can be encrypted.

I'm not concerned, but security buffs are.

0 Helpful

mohammedmahmoud
Level 11
Level 11
In response to royalblues

‎07-30-2007 02:40 AM

Hi,

Totally agree with Narayan, but just to add a small thing, using service-password encryption causes the router to encrypt the passwords (weak reversible encryption) in any display of the configuration file and guards against the password being learned by observing the text copy of the configuration of the router, like for example somebody looking over your shoulders :)

HTH,

Mohammed Mahmoud.

0 Helpful

royalblues
Level 10
Level 10
In response to mohammedmahmoud

‎07-30-2007 02:59 AM

Mohammed,

The pre-shared key used with IPsec is not encrypted with the service password-encryption command on the routers.

All other passwords like vty, console, tacacs do get encrpted though via a weak algorithm (level 7)

The Key is not visible though on the firewall running configuration.

Narayan

0 Helpful

whiteford
Level 1
Level 1
In response to royalblues

‎07-30-2007 03:00 AM

I guess I should just leave it as it is then.

0 Helpful

mohammedmahmoud
Level 11
Level 11
In response to royalblues

‎07-30-2007 03:23 AM

Hi Narayan,

You are right :) i missed the original poster again, please do accept my apologies :)

Any way for the IPSec pre-shared key there was a new feature which i remember i've tested before, please take a look at it:

http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a0080455ad9.html

HTH,

Mohammed Mahmoud.

royalblues
Level 10
Level 10
In response to mohammedmahmoud

‎07-30-2007 03:34 AM

No apologies needed my friend..

Well i got to know one thing from you now that the AES key can be stored in an encrypted manner :-)

Narayan

0 Helpful

paolo bevilacqua
Hall of Fame
Hall of Fame
In response to mohammedmahmoud

‎07-30-2007 03:55 AM

Good info and reassuring feature for certain situations! I've rated your post.

0 Helpful

mohammedmahmoud
Level 11
Level 11
In response to paolo bevilacqua

‎07-30-2007 04:06 AM

Hi Paolo,

Thank you very much for the appreciation and the nice rating :)

BR,

Mohammed Mahmoud.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card