-
Cisco IOS Security Configuration Guide: Secure Connectivity, Release 12.4T
-
Overview: Secure Connectivity
-
Internet Key Exchange for IPsec VPNs
-
Configuring Internet Key Exchange for IPsec VPNs
-
Call Admission Control for IKE
-
Certificate to ISAKMP Profile Mapping
-
Encrypted Preshared Key
-
Fragmentation of IKE Packets
-
IKE Responder-Only Mode
-
Distinguished Name Based Crypto Maps
-
IPsec and Quality of Service
-
VRF-Aware IPsec
-
IKE: Initiate Aggressive Mode (12.2(8)T FM)
-
-
Security for VPNs with IPsec
-
Configuring Security for VPNs with IPsec
-
IPsec Virtual Tunnel Interface
-
L2TP—IPsec Support for NAT and PAT Windows Clients
-
SafeNet IPsec VPN Client Support
-
Ability to Disable Extended Authentication for Static IPsec Peers
-
Sharing IPsec with Tunnel Protection
-
Crypto Conditional Debug Support
-
VPN Acceleration Module (VAM)
-
Option to Disable Hardware Crypto Engine Failover to Software Crypto Engine
-
- VPN Availability
-
IPsec Data Plane
-
IPsec Anti-Replay Window: Expanding and Disabling
-
Pre-Fragmentation for IPsec VPNs
-
Invalid Security Parameter Index Recovery
-
IPsec Dead Peer Detection Periodic Message Option
-
IPsec NAT Transparency
-
DF Bit Override Functionality with IPsec Tunnels
-
Crypto Access Check on Clear-Text Packets
-
IPsec Security Association Idle Timers
-
Low Latency Queueing (LLQ) for IPsec Encryption Engines
-
- IPsec Management Plane
-
Public Key Infrastructure (PKI)
-
Implementing and Managing PKI Features Roadmap
-
Cisco IOS PKI Overview: Understanding and Planning a PKI
-
Deploying RSA Keys Within a PKI
-
Configuring Authorization and Revocation of Certificates in a PKI
-
Configuring Certificate Enrollment for a PKI
-
Setting Up Secure Device Provisioning (SDP) for Enrollment in a PKI
-
Configuring and Managing a Cisco IOS Certificate Server for PKI Deployment
-
Storing PKI Credentials
-
Source Interface Selection for Outgoing Traffic with Certificate Authority (CA)
-
- Dynamic Multipoint VPN (DMVPN)
- Easy VPN
-
Cisco Group Encrypted Transport VPN
- SSL VPN
-
Table Of Contents
Restrictions for Encrypted Preshared Key
Information About Encrypted Preshared Key
Using the Encrypted Preshared Key Feature to Securely Store Passwords
Unconfiguring Password Encryption
Configuring New or Unknown Passwords
Enabling the Encrypted Preshared Key
How to Configure an Encrypted Preshared Key
Configuring an Encrypted Preshared Key
Monitoring Encrypted Preshared Keys
Configuring an ISAKMP Preshared Key
Configuring an ISAKMP Preshared Key in ISAKMP Keyrings
Configuring ISAKMP Aggressive Mode
Configuring a Unity Server Group Policy
Configuring an Easy VPN Client
Configuration Examples for Encrypted Preshared Key
Encrypted Preshared Key: Example
No Previous Key Present: Example
Key Already Exists But the User Wants to Key In Interactively: Example
No Key Present But the User Wants to Key In Interactively: Example
Removal of the Password Encryption: Example
Encrypted Preshared Key
The Encrypted Preshared Key feature allows you to securely store plain text passwords in type 6 (encrypted) format in NVRAM.
Feature History for Encrypted Preshared Key
12.3(2)T
This feature was introduced.
Cisco IOS XE Release 2.1
This feature was introduced on Cisco ASR 1000 Series Routers.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Restrictions for Encrypted Preshared Key
•
•
•
Restrictions for Encrypted Preshared Key
•
•
Information About Encrypted Preshared Key
Before Using the Encrypted Preshared Key feature, you should understand the following concepts:
•
•
Using the Encrypted Preshared Key Feature to Securely Store Passwords
Using the Encrypted Preshared Key feature, you can securely store plain text passwords in type 6 format in NVRAM using a command-line interface (CLI). Type 6 passwords are encrypted. Although the encrypted passwords can be seen or retrieved, it is difficult to decrypt them to find out the actual password. Use the key config-key password-encryption command with the password encryption aes command to configure and enable the password (symmetric cipher AES is used to encrypt the keys). The password (key) configured using the config-key password-encryption command is the master encryption key that is used to encrypt all other keys in the router.
If you configure the password encryption aes command without configuring the key config-key password-encryption command, the following message is printed at startup or during any nonvolatile generation (NVGEN) process, such as when the show running-config or copy running-config startup-config commands have been configured:
"Can not encrypt password. Please configure a configuration-key with `key config-key'"Changing a Password
If the password (master key) is changed, or reencrypted, using the key config-key password-encryption command), the list registry passes the old key and the new key to the application modules that are using type 6 encryption.
Deleting a Password
If the master key that was configured using the key config-key password-encryption command is deleted from the system, a warning is printed (and a confirm prompt is issued) that states that all type 6 passwords will become useless. As a security measure, after the passwords have been encrypted, they will never be decrypted in the Cisco IOS software. However, passwords can be reencrypted as explained in the previous paragraph.
Caution
Unconfiguring Password Encryption
If you later unconfigure password encryption using the no password encryption aes command, all existing type 6 passwords are left unchanged, and as long as the password (master key) that was configured using the key config-key password-encryption command exists, the type 6 passwords will be decrypted as and when required by the application.
Storing Passwords
Because no one can "read" the password (configured using the key config-key password-encryption command), there is no way that the password can be retrieved from the router. Existing management stations cannot "know" what it is unless the stations are enhanced to include this key somewhere, in which case the password needs to be stored securely within the management system. If configurations are stored using TFTP, the configurations are not standalone, meaning that they cannot be loaded onto a router. Before or after the configurations are loaded onto a router, the password must be manually added (using the key config-key password-encryption command). The password can be manually added to the stored configuration but is not recommended because adding the password manually allows anyone to decrypt all passwords in that configuration.
Configuring New or Unknown Passwords
If you enter or cut and paste cipher text that does not match the master key, or if there is no master key, the cipher text is accepted or saved, but an alert message is printed. The alert message is as follows:
"ciphertext>[for username bar>] is incompatible with the configured master key."If a new master key is configured, all the plain keys are encrypted and made type 6 keys. The existing type 6 keys are not encrypted. The existing type 6 keys are left as is.
If the old master key is lost or unknown, you have the option of deleting the master key using the no key config-key password-encryption command. Deleting the master key using the no key config-key password-encryption command causes the existing encrypted passwords to remain encrypted in the router configuration. The passwords will not be decrypted.
Enabling the Encrypted Preshared Key
The password encryption aes command is used to enable the encrypted password.
How to Configure an Encrypted Preshared Key
This section contains the following procedures:
•
•
•
•
•
•
•
Configuring an Encrypted Preshared Key
To configure an encrypted preshared key, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Troubleshooting Tips
If you see the warning message "ciphertext >[for username bar>] is incompatible with the configured master key," you have entered or cut and pasted cipher text that does not match the master key or there is no master key. (The cipher text will be accepted or saved.) The warning message will allow you to locate the broken configuration line or lines.
Monitoring Encrypted Preshared Keys
To get logging output for encrypted preshared keys, perform the following steps.
1.
2.
DETAILED STEPS
Examples
The following password logging debug output shows that a new master key has been configured and that the keys have been encrypted with the new master key:
Router (config)# key config-key password-encryptNew key:Confirm key:Router (config)#01:40:57: TYPE6_PASS: New Master key configured, encrypting the keys withthe new master keypasRouter (config)# key config-key password-encryptOld key:New key:Confirm key:Router (config)#01:42:11: TYPE6_PASS: Master key change heralded, re-encrypting the keyswith the new master key01:42:11: TYPE6_PASS: Mac verification successful01:42:11: TYPE6_PASS: Mac verification successful01:42:11: TYPE6_PASS: Mac verification successfulWhat To Do Next
You can perform any of the following procedures. Each procedure is independent of the others.
•
•
•
•
•
Configuring an ISAKMP Preshared Key
To configure an ISAKMP preshared key, perform the following procedure.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Example
The following sample output shows that an encrypted preshared key has been configured:
crypto isakmp key 6 _Hg[^^ECgLGGPF^RXTQfDDWQ][YAAB address 10.2.3.4crypto isakmp key 6 `eR\eTRaKCUZPYYQfDgXRWi_AAB hostname foo.comConfiguring an ISAKMP Preshared Key in ISAKMP Keyrings
To configure an ISAKMP preshared key in ISAKMP keyrings, which are used in IPSec Virtual Route Forwarding (VRF) configurations, perform the following procedure.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Example
The following show-running-config sample output shows that an encrypted preshared key in ISAKMP keyrings has been configured.
crypto keyring foopre-shared-key address 10.2.3.5 key 6 `WHCJYR_Z]GRPF^RXTQfDcfZ]GPAABpre-shared-key hostname foo.com key 6 aE_REHDcOfYCPF^RXTQfDJYVVNSAABConfiguring ISAKMP Aggressive Mode
To configure ISAKMP aggressive mode, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
5.
DETAILED STEPS
Example
The following show-running-config sample output shows that an encrypted preshared key in ISAKMP aggressive mode has been configured.
crypto isakmp peer address 10.2.3.4set aggressive-mode password 6 ^aKPIQ_KJE_PPF^RXTQfDTIaLNeAABset aggressive-mode client-endpoint fqdn cisco.comConfiguring a Unity Server Group Policy
To configure a unity server group policy, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
DETAILED STEPS
Example
The following show-running-config sample output shows that an encrypted key has been configured for a unity server group policy:
crypto isakmp client configuration group fookey 6 cZZgDZPOE\dDPF^RXTQfDTIaLNeAABdomain cisco.compool foopoolConfiguring an Easy VPN Client
To configure an Easy VPN client, perform the following steps.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
DETAILED STEPS
Example
The following show-running-config sample output shows that an Easy VPN client has been configured. The key has been encrypted.
crypto ipsec client ezvpn fooconnect manualgroup foo key 6 gdMI`S^^[GIcPF^RXTQfDFKEO\RAABmode clientpeer 10.2.3.4Configuration Examples for Encrypted Preshared Key
This section provides the following configuration examples:
•
•
•
•
•
Encrypted Preshared Key: Example
The following is an example of a configuration for which a type 6 preshared key has been encrypted. It includes the prompts and messages that a user might see.
Router (config)# crypto isakmp key cisco address 10.0.0.2Router (config)# exitRouter# show runnning-config | include crypto isakmp keycrypto isakmp key cisco address 10.0.0.2Router#Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router (config)# password encryption aesRouter (config)# key config-key password-encryptNew key:Confirm key:Router (config)#01:46:40: TYPE6_PASS: New Master key configured, encrypting the keys withthe new master keyRouter (config)# exitRouter # show running-config | include crypto isakmp keycrypto isakmp key 6 CXWdhVTZYB_Vcd^`cIHDOahiFTa address 10.0.0.2No Previous Key Present: Example
In the following configuration example, no previous key is present:
Router (config)# key config-key password-encryption testkey 123Key Already Exists: Example
In the following configuration example, a key already exists:
Router (config)# key config-key password-encryption testkey123Old key:Router (config)#Key Already Exists But the User Wants to Key In Interactively: Example
In the following configuration example, the user wants to key in interactively, but a key already exists. The Old key, New key, and Confirm key prompts will show on your screen if you enter the key config-key password-encryption command and press the enter key to get into interactive mode.
Router (config)# key config-key password-encryptionOld key:New key:Confirm key:No Key Present But the User Wants to Key In Interactively: Example
In the following example, the user wants to key in interactively, but no key is present. The New key and Confirm key prompts will show on your screen if you are in interactive mode.
Router (config)# key config-key password-encryptionNew key:Confirm key:Removal of the Password Encryption: Example
In the following configuration example, the user wants to remove the encrypted password. The "WARNING: All type 6 encrypted keys will become unusable. Continue with master key deletion? [yes/no]:" prompt will show on your screen if you are in interactive mode.
Router (config)# no key config-key password-encryptionWARNING: All type 6 encrypted keys will become unusable. Continue with master key deletion ? [yes/no]: yWhere to Go Next
Configure any other preshared keys.
Additional References
The following sections provide references related to Encrypted Preshared Key.
Related Documents
Configuring passwords
•
•
Standards
MIBs
RFCs
Technical Assistance
Command Reference
The following commands are introduced or modified in the feature or features documented in this module. For information about these commands, see the Cisco IOS Security Command Reference at http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_book.html. For information about all Cisco IOS commands, go to the Command Lookup Tool at http://tools.cisco.com/Support/CLILookup or to the Cisco IOS Master Commands List.
•
•
•
•
•
•
•
•
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flip Video, Flip Video (Design), Flipshare (Design), Flip Ultra, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0907R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
© 2007 Cisco Systems, Inc. All rights reserved.
