How to Configure an Encrypted Preshared Key
Configuring Preshared Keys
Preshared keys do not scale well with a growing network.
enable
configure terminal
crypto isakmp identity address
crypto isakmp key sharedkeystring address 192.168.1.33 no-xauth
crypto isakmp key sharedkeystring address 10.0.0.1
end
If you see the warning message “ciphertext >[for username bar>] is incompatible with the configured master key,” you have entered or cut and pasted ciphertext that does not match the master key, or no master key is configured. The ciphertext is still accepted and saved; the warning only tells you which configuration line or lines are broken so that you can locate and re-enter them.
Monitoring Encrypted Preshared Keys
enable
configure terminal
password logging
end
The following example shows the logging output when a master key is first configured and then changed. After the change, the existing type 6 keys are re-encrypted and each one is MAC-verified:

Router (config)# key config-key password-encrypt
New key:
Confirm key:
Router (config)#
01:40:57: TYPE6_PASS: New Master key configured, encrypting the keys with the new master key
Router (config)# key config-key password-encrypt
Old key:
New key:
Confirm key:
Router (config)#
01:42:11: TYPE6_PASS: Master key change heralded, re-encrypting the keys with the new master key
01:42:11: TYPE6_PASS: Mac verification successful
01:42:11: TYPE6_PASS: Mac verification successful
01:42:11: TYPE6_PASS: Mac verification successful
Configuring ISAKMP Preshared Key
enable
configure terminal
crypto isakmp key cisco address 10.2.3.4
crypto isakmp key mykey hostname mydomain.com
end
Configuring ISAKMP Preshared Key in ISAKMP Keyrings
enable
configure terminal
crypto keyring mykeyring
pre-shared-key address 10.2.3.5 key cisco
pre-shared-key hostname mydomain.com key cisco
end
Configuring ISAKMP Aggressive Mode
enable
configure terminal
isakmp peer ip-address 10.2.3.4
set aggressive-mode client-endpoint fqdn cisco.com
set aggressive-mode password cisco
end
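The three procedures above (a global ISAKMP key, a key inside a keyring, and an aggressive-mode password) all end up as a line in the running configuration whose key is either type 6 (AES-encrypted under the master key) or cleartext. The following Python script is an added example, not code from the Cisco guide: it audits a saved running-config for those three commands and reports every key that is not stored as type 6, plus a missing `password encryption aes`. The two configuration fragments are constructed for the example, and the type 6 strings in the hardened one are placeholders, not output of a real router.

```python
"""Audit a Cisco IOS running-config for IKE preshared keys not stored as type 6.

Added example; not from the Cisco guide. The config samples below are
constructed and their type 6 ciphertext strings are placeholders.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int   # 1-based line in the config; 0 for a config-wide finding
    line: str
    reason: str


# Each regex matches one of the three commands that carry a preshared key and
# captures the token after `key` / `password`: `6` means the key is AES-encrypted
# with the master key, `0` means explicit cleartext, and anything else is the
# cleartext key itself (no type given). The keyring form may carry a mask after
# the address, so that pattern skips ahead to the `key` keyword.
KEY_COMMANDS = (
    re.compile(r"^crypto isakmp key\s+(\S+)"),
    re.compile(r"^pre-shared-key\s+(?:address|hostname)\s+.*?\bkey\s+(\S+)"),
    re.compile(r"^set aggressive-mode password\s+(\S+)"),
)

AES_ENABLED = "password encryption aes"


def audit_config(config: str) -> list[Finding]:
    """Return one Finding per cleartext key, plus one if AES encryption is off."""
    findings: list[Finding] = []
    aes_enabled = False
    for line_no, raw in enumerate(config.splitlines(), start=1):
        line = raw.strip()
        if line == AES_ENABLED:
            aes_enabled = True
            continue
        for pattern in KEY_COMMANDS:
            match = pattern.match(line)
            if match is None:
                continue
            if match.group(1) != "6":
                findings.append(Finding(line_no, line,
                                        "preshared key stored in cleartext, not type 6"))
            break   # a line matches at most one key command
    if not aes_enabled:
        findings.insert(0, Finding(0, "", f"'{AES_ENABLED}' is not configured; "
                                          "keys entered on this device are stored in cleartext"))
    return findings


def is_hardened(config: str) -> bool:
    """True when every preshared key is type 6 and AES password encryption is on."""
    return not audit_config(config)


# Constructed sample: the commands from the procedures above, with no master
# key / AES encryption, so every key lands in the config in cleartext.
WEAK_CONFIG = """\
!
crypto isakmp identity address
crypto isakmp key sharedkeystring address 192.168.1.33 no-xauth
crypto isakmp key 0 sharedkeystring address 10.0.0.1
!
crypto keyring mykeyring
 pre-shared-key address 10.2.3.5 key cisco
 pre-shared-key hostname mydomain.com key cisco
!
crypto isakmp peer ip-address 10.2.3.4
 set aggressive-mode client-endpoint fqdn cisco.com
 set aggressive-mode password cisco
!
"""

# Constructed sample of the same device after `key config-key password-encrypt`
# and `password encryption aes`; the type 6 strings are placeholders.
HARDENED_CONFIG = """\
!
password encryption aes
!
crypto isakmp identity address
crypto isakmp key 6 gPd_R^ikYUTjRzJYrPF]EC^bFZJXAAB address 192.168.1.33 no-xauth
crypto isakmp key 6 JCLnMeXU[MFVTXMNUOfbDGeVAAB address 10.0.0.1
!
crypto keyring mykeyring
 pre-shared-key address 10.2.3.5 key 6 LNBRYwLBQTcJjhRkNDQ[iDX_AAB
 pre-shared-key hostname mydomain.com key 6 K[KfaZDZ_aYCdTJyhTfbCeVAAB
!
crypto isakmp peer ip-address 10.2.3.4
 set aggressive-mode client-endpoint fqdn cisco.com
 set aggressive-mode password 6 ZPieBUVcJNTjgfRJ^gpfAAB
!
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        results = audit_config(cfg)
        print(f"== {label}: {len(results)} finding(s)")
        for f in results:
            print(f"  line {f.line_no}: {f.reason}" + (f" :: {f.line}" if f.line else ""))
```

The script only sees what `show running-config` shows. The master key set with `key config-key password-encrypt` is not part of the running configuration, so its presence cannot be checked from a config dump; the router's own TYPE6_PASS warning about ciphertext that is incompatible with the configured master key remains the check for a missing or mismatched master key when type 6 lines are pasted between devices.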