Ciscoworks LMS RME / ASA Firewall configuration pre-shared key savings

Does anybody know how pre-shared keys are saved by Ciscoworks LMS/RME?
Is there a way to get the unencrypted values from Ciscoworks LMS/RME for an ASA Firewall?
ASA config. saved with RME
pre-shared-key *
ASA config. saved to TFTP from ASA
pre-shared-key 1ZdmaKVwEkQ66nD37d9kA9fj9z75

If you enable "shadow directory" (RME - Admin - Config Mgmt - Archive Mgmt - Archive Settings), you can find the raw configs in locations such as /var/adm/CSCOpx/files/rme/dcma/shadow/Security_and_VPN/PRIMARY on Solaris, or its Windows equivalent, after one requisite cycle of Periodic Polling and/or Periodic Collection. That's the same config one would get saving to TFTP manually.
However, I don't recall how to unscramble the "asterisks" in the RME GUI, if at all possible.
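
As an added illustration (my own code, not from the poster or from Ciscoworks), the following Python walks an archived ASA config and reports every pre-shared-key line with the tunnel-group it belongs to, flagging the ones where only the "*" placeholder was stored. The two configs embedded in it are constructed samples modelled on the RME-archived and TFTP-saved lines quoted in the question.

```python
import re
from dataclasses import dataclass

# Constructed samples: the shape of an ASA config as archived by RME, where only the "*"
# placeholder survives, versus the same config saved to TFTP from the ASA, where the key
# line carries the obfuscated value.
RME_ARCHIVED = """\
tunnel-group 65.181.59.210 type ipsec-l2l
tunnel-group 65.181.59.210 ipsec-attributes
 pre-shared-key *
tunnel-group mytunnel ipsec-attributes
 pre-shared-key *
"""

TFTP_SAVED = """\
tunnel-group 65.181.59.210 type ipsec-l2l
tunnel-group 65.181.59.210 ipsec-attributes
 pre-shared-key 1ZdmaKVwEkQ66nD37d9kA9fj9z75
tunnel-group mytunnel ipsec-attributes
 pre-shared-key *
"""


@dataclass
class PskEntry:
    line_no: int
    tunnel_group: str   # tunnel-group whose ipsec-attributes block the key sits in
    masked: bool        # True when only the "*" placeholder was stored
    value: str


TG_ATTR_RE = re.compile(r"^tunnel-group\s+(\S+)\s+ipsec-attributes\s*$")
PSK_RE = re.compile(r"^\s*pre-shared-key\s+(\S+)\s*$")


def find_psk_entries(config_text: str) -> list[PskEntry]:
    """Report every pre-shared-key line in an ASA config together with its tunnel-group.

    'show run' indents sub-mode commands by one space; the parser also copes with dumps
    where that indentation was lost (as in forum posts) by testing for pre-shared-key
    before deciding that a non-indented line ends the current block.
    """
    entries: list[PskEntry] = []
    current_tg = "<none>"
    for n, line in enumerate(config_text.splitlines(), start=1):
        m = TG_ATTR_RE.match(line)
        if m:
            current_tg = m.group(1)
            continue
        m = PSK_RE.match(line)
        if m:
            value = m.group(1)
            entries.append(PskEntry(n, current_tg, value == "*", value))
            continue
        if line and not line[0].isspace():
            current_tg = "<none>"   # any other top-level command ends the ipsec-attributes block
    return entries


def unrestorable_tunnel_groups(config_text: str) -> list[str]:
    """Tunnel-groups that would come back without a usable key if this archive were pushed back."""
    return [e.tunnel_group for e in find_psk_entries(config_text) if e.masked]


if __name__ == "__main__":
    for name, text in (("RME archive", RME_ARCHIVED), ("TFTP save", TFTP_SAVED)):
        print(name, "->", unrestorable_tunnel_groups(text))
```

Running it over a whole shadow directory is a quick way to learn which tunnels an RME-based restore would leave without a working key.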

Similar Messages

  • Show clear text pre shared key asa 5500.....

    I have read several of the posts on how to show your pre-shared keys in clear text. I am in the process of converting a 5520 over to a 5525-X and I got to the point where I need the pre-shared keys.
    The more system:running-config command does NOT show the clear text of the keys, nor does accessing the file via https://.
    The 5520 is running Software Version 8.4(2)18.
    Any thoughts on how I can wrestle this info out of the ASA? I'm not getting anywhere with what seems to have worked for a few others.
    Thanks in advance
    Sincerely
    Paul

    The command  more system:run  should show you those keys.
    Couple things that I have seen
    I have seen it where someone configured the pre-shared key by cutting and pasting the key as it is shown when you do a show run, so it was entered as ****. You can check this by entering a dummy config with a key and then running more system:run to see if it shows up.
    also check the privilege level of your login and make sure it is 15.
    Mike

  • ASA Iphone, Ipad VPN client pre-shared key (PSK) special characters bug

    I ran into this in a deployment of IPSec clients with apple ipad and iphone native vpn client. Here are details:
    Cisco ASA 8.2.5 OS
    Ipad, running 5.0.1
    Iphone i4S, running OS 5.0.1
    Special characters make your pre-shared key more secure, so I used a password generator app to make one that coincidentally included a " (quotation mark). After configuring this PSK on an iPad, I was unable to connect. I saw nothing in the ASA logs, indicating the iPad didn't even try to connect.
    The Ipad generated the following error message:
    VPN Connection
    A configuration error occurred
    OK Button
    After searching for quite some time, I found this somewhat obscure reference to the bug:
    http://blogs.oreilly.com/iphone/2008/07/strong-passwords-can-hurt.html
    Special thx to this guy!
    So I started to test special characters to see what would work, adding in 1 character at a time. Here is where I stopped:
    pre-shared-key !@#$%^&*()_-+=;:'<>,.
    These characters worked in the PSK. If you are curious and want to play, have fun. I assume the alphanumerics will work since those are pretty standard.
    As a side note, here are a few more interesting items:
    1) The " (quote mark) does work when you run the real cisco vpn client. This was successful on a Windows 7 laptop with 5.X VPN Client.
    2) The ? (question mark) doesn't work as well, but that is a little easier to figure out because when you configure it on the ASA, context-sensitive help kicks in and knocks you off the config line.
    3) iPhone 4S suffers from the same issue - doesn't like quotes.
    4) Android is probably not affected by this bug, but I tested on an open source TUN driver-enabled Android - not the bionic.
    Hope that saves someone some time, sometime!
    W

    Thanks for the tip.
    Help stamp out special characters in passwords. Their "strength" is a myth!
    Explained nicely here: http://xkcd.com/936/

  • ASA Pre shared key

    I am currently using an ASA 5550 version 8.2 with ASDM version 6.2.
    I have an ASA 5505 in a remote area and cannot connect via VPN.
    My logs say maybe mismatched pre-shared key.
    On my 5550, via the ASDM I used the command more system:running-config and it will not show my pre shared key in plain text, only shows a *.
    Any help would be appreciated.

    Remote asa:
    interface Vlan1
    nameif inside
    security-level 100
    ip address 10.200.1.209 255.255.255.240
    interface Vlan2
    nameif outside
    security-level 0
    ip address 172.25.62.226 255.255.255.248
    interface Ethernet0/0
    switchport access vlan 2
    interface Ethernet0/1
    interface Ethernet0/2
    interface Ethernet0/3
    interface Ethernet0/4
    interface Ethernet0/5
    interface Ethernet0/6
    interface Ethernet0/7
    ftp mode passive
    access-list nonat extended permit ip 10.200.1.208 255.255.255.240 10.199.1.0 255.255.255.0
    access-list nonat extended permit ip 10.200.1.208 255.255.255.240 10.10.144.0 255.255.252.0
    access-list VPNL2L extended permit ip 10.200.1.208 255.255.255.240 10.199.1.0 255.255.255.0
    access-list VPNL2L extended permit ip 10.200.1.208 255.255.255.240 10.10.144.0 255.255.252.0
    access-list 100 extended permit tcp host 89.254.12.35 host 10.200.1.213 eq www
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    nat (inside) 0 access-list nonat
    nat (inside) 1 0.0.0.0 0.0.0.0
    route outside 0.0.0.0 0.0.0.0 172.25.62.225 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec transform-set mytrans esp-des esp-md5-hmac
    crypto map mymap 10 match address VPNL2L
    crypto map mymap 10 set peer 65.181.59.210
    crypto map mymap 10 set transform-set mytrans
    crypto map mymap 10 set security-association lifetime seconds 3600
    crypto map mymap interface outside
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 10
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp nat-traversal  21
    telnet timeout 5
    ssh 10.199.1.0 255.255.255.0 inside
    ssh 10.10.144.0 255.255.252.0 inside
    ssh timeout 5
    console timeout 0
    tunnel-group 65.181.59.210 type ipsec-l2l
    tunnel-group 65.181.59.210 ipsec-attributes
    pre-shared-key *
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect netbios
      inspect rsh
      inspect rtsp
      inspect skinny
      inspect esmtp
      inspect sqlnet
      inspect sunrpc
      inspect tftp
      inspect sip
      inspect xdmcp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:65a0d93601b90ccc07830cddd673e13c
    : end
    Local ASA:
    ASA Version 8.2(1)
    interface GigabitEthernet0/0
    nameif outside
    security-level 0
    ip address 65.181.59.210 255.255.255.240
    interface GigabitEthernet0/1
    nameif inside
    security-level 100
    ip address 10.199.1.2 255.255.255.0
    interface GigabitEthernet0/2
    nameif insideNOV
    security-level 100
    ip address 10.10.144.47 255.255.252.0
    interface GigabitEthernet0/3
    shutdown
    no nameif
    security-level 100
    no ip address
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    ip address 192.168.1.1 255.255.255.0
    management-only
    interface GigabitEthernet1/0
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/1
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/2
    shutdown
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/3
    shutdown
    no nameif
    no security-level
    no ip address
    ftp mode passive
    clock timezone MST -7
    clock summer-time MDT recurring
    dns server-group DefaultDNS
    domain-name Rignet
    same-security-traffic permit inter-interface
    same-security-traffic permit intra-interface
    object-group service WML tcp
    description Remote wits data access
    port-object range 1 65535
    access-list aclin extended permit object-group DM_INLINE_PROTOCOL_9 any host 65.181.59.219
    access-list aclin extended permit object-group DM_INLINE_SERVICE_3 any host 65.181.59.216
    access-list aclin extended permit object-group DM_INLINE_PROTOCOL_6 any host 65.181.59.220
    access-list aclin extended permit object-group DM_INLINE_PROTOCOL_5 host 10.199.1.2 host 65.181.59.210
    access-list aclin extended permit object-group DM_INLINE_SERVICE_1 any host 65.181.59.222
    access-list no-nat remark Local Rules
    access-list no-nat extended permit ip Rignet 255.255.255.0 10.10.144.0 255.255.252.0
    access-list no-nat remark Local Rules
    access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 10.200.1.80 255.255.255.240
    access-list no-nat extended permit ip Rignet 255.255.255.0 ENI 255.255.255.240
    access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 ENI 255.255.255.240
    access-list no-nat extended permit ip Rignet 255.255.255.0 Norway_Office 255.255.255.240
    access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 Norway_Office 255.255.255.240
    access-list no-nat extended permit ip Rignet 255.255.255.0 BobbyVPN 255.255.255.0
    access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 BobbyVPN 255.255.255.0
    access-list inside_access_in extended permit ip any any
    access-list inside_access_in extended permit tcp any any
    access-list inside_access_in extended permit icmp any any
    access-list inside_access_in extended permit tcp interface inside any
    access-list inside_access_in remark Block port 135 for port scanning
    access-list inside_access_in extended deny 135 any any
    access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.10.144.0 255.255.252.0 Rignet 255.255.255.0
    access-list test extended permit icmp any any echo
    access-list test extended permit icmp any any echo-reply
    access-list InsideNOV_access_in extended permit ip 10.200.0.0 255.255.0.0 10.10.144.0 255.255.252.0
    access-list InsideNOV_access_in extended permit object-group DM_INLINE_SERVICE_7 any any
    access-list InsideNOV_access_in extended permit object-group DM_INLINE_SERVICE_4 Rignet 255.255.255.0 10.10.144.0 255.255.252.0
    access-list InsideNOV_access_in extended permit object-group DM_INLINE_PROTOCOL_12 Norway_Office 255.255.255.240 10.10.144.0 255.255.252.0
    access-list InsideNOV_access_in extended permit object-group DM_INLINE_PROTOCOL_8 BobbyVPN 255.255.255.0 10.10.144.0 255.255.252.0
    access-list inside_acl extended permit object-group DM_INLINE_SERVICE_8 any any
    access-list inside_acl extended permit object-group DM_INLINE_SERVICE_5 10.10.144.0 255.255.252.0 Rignet 255.255.255.0
    access-list inside_acl extended permit object-group DM_INLINE_SERVICE_6 Rignet 255.255.255.0 10.10.144.0 255.255.252.0
    access-list inside_acl extended permit object-group DM_INLINE_PROTOCOL_10 10.200.0.0 255.255.0.0 Rignet 255.255.255.0
    access-list inside_acl extended deny object-group DM_INLINE_PROTOCOL_11 host 192.168.56.1 any
    access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any any
    access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_2 10.10.144.0 255.255.252.0 Rignet 255.255.255.0
    access-list inside_access_in_1 extended permit ip Rignet 255.255.255.0 Rignet 255.255.255.0
    access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_7 BobbyVPN 255.255.255.0 Rignet 255.255.255.0
    access-list inside_access_in_2 extended permit object-group DM_INLINE_SERVICE_11 Rignet 255.255.255.0 Rignet 255.255.255.0
    pager lines 24
    logging enable
    logging asdm informational
    no logging message 106015
    no logging message 313001
    no logging message 313008
    no logging message 106023
    no logging message 710003
    no logging message 106100
    no logging message 302015
    no logging message 302014
    no logging message 302013
    no logging message 302018
    no logging message 302017
    no logging message 302016
    no logging message 302021
    no logging message 302020
    mtu outside 1500
    mtu inside 1500
    mtu insideNOV 1500
    mtu management 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    icmp permit any insideNOV
    icmp permit any echo-reply insideNOV
    icmp permit any echo insideNOV
    asdm image disk0:/asdm-621.bin
    no asdm history enable
    arp timeout 14400
    global (outside) 1 interface
    global (inside) 2 65.181.57.51 netmask 255.255.255.255
    nat (outside) 1 0.0.0.0 0.0.0.0
    nat (inside) 0 access-list no-nat
    nat (inside) 1 Rignet 255.255.255.0
    nat (inside) 1 0.0.0.0 0.0.0.0
    static (inside,outside) 65.181.59.222 10.199.1.23 netmask 255.255.255.255
    static (inside,outside) 65.181.59.219 10.199.1.27 netmask 255.255.255.255
    static (inside,outside) 65.181.59.216 10.199.1.54 netmask 255.255.255.255
    static (inside,outside) 65.181.59.220 10.199.1.26 netmask 255.255.255.255
    access-group aclin in interface outside
    access-group inside_access_in_1 in interface inside
    access-group InsideNOV_access_in in interface insideNOV
    route outside 0.0.0.0 0.0.0.0 65.181.59.209 1
    route inside 153.15.156.217 255.255.255.255 65.181.57.51 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    dynamic-access-policy-record DfltAccessPolicy
    aaa authentication http console LOCAL
    aaa authentication ssh console LOCAL
    aaa authorization command LOCAL
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    snmp-server enable traps ipsec stop
    snmp-server enable traps entity config-change
    sysopt connection tcpmss 1100
    sysopt noproxyarp inside
    crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
    crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
    crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
    crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
    crypto ipsec transform-set mySET esp-des esp-md5-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto dynamic-map myDYN-MAP 5 set transform-set mySET
    crypto dynamic-map myDYN-MAP 5 set security-association lifetime seconds 28800
    crypto dynamic-map myDYN-MAP 5 set security-association lifetime kilobytes 4608000
    crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
    crypto map myMAP 65000 ipsec-isakmp dynamic myDYN-MAP
    crypto map myMAP interface outside
    crypto ca trustpoint Intelliserv.rignet.local
    enrollment terminal
    subject-name CN=Rignet5550
    keypair IntelliServ.rignet.local
    crl configure
    crypto ca trustpoint ASDM_TrustPoint3
    crl configure
    crypto ca trustpoint ASDM_TrustPoint0
    enrollment terminal
    subject-name CN=Rignet5550
    password *
    crl configure
    crypto isakmp identity address
    crypto isakmp enable outside
    crypto isakmp policy 1
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 86400
    crypto isakmp nat-traversal 21
    telnet timeout 5
    console timeout 0
    management-access inside
    no threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    webvpn
    group-policy DfltGrpPolicy attributes
    vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
    group-policy myGROUP internal
    group-policy myGROUP attributes
    split-tunnel-policy tunnelspecified
    nem enable
    username GaileyB password 0oaTL6AGb4l6JKde encrypted privilege 15
    username rignetadmin password 3R8hQCl0jw5iU/r3 encrypted privilege 15
    tunnel-group DefaultL2LGroup ipsec-attributes
    pre-shared-key *
    tunnel-group mytunnel type remote-access
    tunnel-group mytunnel general-attributes
    default-group-policy myGROUP
    tunnel-group mytunnel ipsec-attributes
    pre-shared-key *
    tunnel-group 164.85.0.18 type ipsec-l2l
    tunnel-group 164.85.0.18 ipsec-attributes
    peer-id-validate cert
    chain
    tunnel-group-map default-group DefaultL2LGroup
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny 
      inspect sunrpc
      inspect xdmcp
      inspect sip 
      inspect netbios
      inspect tftp
    class class-default
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:a84cff45794fa5021237d51d5f87461e
    : end

  • Configuring a Pre-Shared Key on gateway device

    Mr. VRuhil, thank you for that link that you sent me, but unfortunately it did not help. (the link for Cisco VPN client v5.0)
    What i really need is CISCO SECURE VPN CLIENT v1.0 or v1.1. Yes i know that its in the EOS/EOL now
    Am using this configuration on my gateway device
    Task 1—Configuring a Pre-Shared Key
    And this configurations on the client side is what i wanted to do.
    Task 2---Network Security policy:
    1- Myconn
             My Identity = ip address
                     Connection security: Secure
                     Remote Party Identity and addressing
                             ID Type: IP subnet
                             10.21.1.0 (range of inside network)
                             Port all Protocol all
                     Connect using secure tunnel
                             ID Type: IP address
                             99.99.99.1
                             Pre-shared key = cisco1234
             Authentication (Phase 1)
             Proposal 1
                     Authentication method: pre-shared key
                     Encryp Alg: DES
                     Hash Alg: MD5
                     SA life: Unspecified
                     Key Group: DH 1
             Key exchange (Phase 2)
             Proposal 1
                     Encapsulation ESP
                     Encrypt Alg: DES
                     Hash Alg: MD5
                     Encap: tunnel
                     SA life: Unspecified
                     no AH
    2- Other Connections
                 Connection security: Non-secure
                 Local Network Interface
                     Name: Any
                     IP Addr: Any
                     Port: All
    With Xauth enabled on the router, when the user tries to connect to a device inside the router (here a ping -t #.#.#.# was performed), a gray screen appears:
    User Authentication for 3660
    Username:
    Password:

    In order to use your USB ADSL modem as a Wlan you will need to get a wireless router. Alternative is to replace your current modem with a wireless modem/router.
    The Pre-shared key is set on the wireless router and acts as a password to protect against uninvited access.

  • AnyConnect and Pre-Shared Keys

    Hello,
    I am extremely new to AnyConnect and VPN, so I have a few questions for you guys. I am trying to configure an AnyConnect Client on Android to connect to my ASA 5505 via IPSEC. It's configured with (I believe) IKEv1 with pre-shared key and group identifier. I think IKEv2 is certificate based only, and I am not using certificates at this time. I can't seem to find any settings in the app to configure it this way... Can the AnyConnect client connect to this type of connection? If so, what may I be missing? I can configure the default VPN client built into Android and it works fine, but I am being told to use the AnyConnect client. If you need more info, let me know, I'm not sure what to put on here to give the info needed to help. Thanks!

    Believe I found my answer:
    Cisco AnyConnect VPN
    Q. I see that the Cisco AnyConnect Secure Mobility Client supports IPsec. Will Cisco AnyConnect Secure Mobility Client work with Cisco VPN 3000 Series concentrators?
    A. No. Cisco VPN 3000 Series concentrators support IPsec/IKEv1. Cisco AnyConnect Secure Mobility Client Version 3.0 and greater supports IPsec/IKEv2 connectivity but not IPsec/IKEv1.
    From http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5699/ps10884/qa_c67-712937_ns1049_Networking_Solutions_Q_and_A.html
    If there is a workaround or something, please let me know. If not, oh well!

  • Mobile Devices (Android and iOS) cannot Connect to WS 2008 RRAS L2TP VPN with Pre-Shared Key

    I have my Windows Server 2008 standard installed with RRAS service and configure with L2TP VPN with pre-shared key. Services such as Active Directory, DHCP and DNS are not installed. The Internet connection doesn't pass through a router to my server machine.
    I have the Verizon fios Internet cable plugged in to the server machine directly.
    PCs running Windows and Mac OS X can connect to the server without problem. When I tried to connect by using android or iOS mobiles and tablets, they cannot connect to the server. If I change the VPN type to PPTP, the mobile devices can connect successfully
    but I would like to use IPSec/L2TP since it's more secure.
    I tried so hard to look for the solution for this issue on Internet but I had no luck on that. Can anyone please provide me some help, please ?
    Thanks,
    CK

    Hi CK,
    I think we may need to create a policy in Network Policies. Please follow the steps below,
    Right click Network Policies, Click New.
    Enter the policy name, click Next.
    Click Add, select the Day and Time Restrictions, click
    Add.
    In the Day and Time Restrictions, choose Permitted for
    all, click OK.
    Click Next five times(leave everything default), click
    Finish.
    Move the policy to top and try to connect with your device.
    If the issue persists, please make sure that the Connection Request Policies have been configured properly.
    For detailed information about how to create a network policy, please refer to the link below,
    Configuring NPS network policies
    http://technet.microsoft.com/en-us/library/dd441006.aspx
    Best Regards.
    Steven Lee
    TechNet Community Support

  • Wireless data encryption without pre-shared keys?

    Is there anyway to secure the data transmitted wirelessly without using pre-shared keys for encryption? I'm trying to allow residents to connect to the wireless network without having to go around and put wireless keys on all laptops.

    You could look into 802.1X with certificates. This still requires a certificate to be downloaded to the client, but there are several automated ways of doing this.
    You will need a certificate authority, and a RADIUS server (such as ACS). There's loads of documentation on CCO on how to configure this.
    HTH

  • Crypto/pre-shared keys to crypto/pki worth doing?

    Hi,
    I have 10 VPNs that come into my ASA 5520; they all use pre-shared keys (and AES-256/SHA). Is it worth moving to PKI instead?

    PKI provides customers with a scalable, secure mechanism for distributing, managing, and revoking encryption and identity information in a secured data network. Every entity (a person or a device) participating in the secured communications is enrolled in the PKI , a process where the entity generates a Rivest, Shamir, and Adelman (RSA) key pair (one private key and one public key) and has their identity validated by a trusted entity (also known as a CA or trustpoint).

  • Pre shared keys used in IKE Phase 1

    Hi Everyone,
    Need to confirm if we can use the Pre shared keys in Aggressive mode and also in Main mode during IKE Phase1
    Regards
    MAhesh

    The pre-shared key is used in both modes of IKE Phase I. With pre-shared keys, the same pre-shared key is configured on each IPSec peer. IKE peers authenticate each other by computing and sending a keyed hash of data that includes the pre-shared key.

  • Pre-shared key should be at least 256 bits of cryptographically random data

    Hi all,
    i need some info, i got a client IPSEC VPN form.
    they asked that (Pre-shared key should be at least 256 bits of cryptographically random data)
    what does that really mean?
    A key consisting of 256 characters like abcdefg...... until 256 characters are done?
    or it means encryption we define in policy like
    crypto isakmp policy 8
    authentication  pre-share
    encryption  aes-256 ????????
    Please help me to understand this requirement for my cisco asa.

    64 hex characters  =  256 binary bits
    Michael
    Please rate all helpful posts

  • Pre-Shared key

    Hi All,
    i just have a quick quest.
    what are the characters that i can use in my Pre-Shared key to establish VPN tunnel? i'm wondering can i use the following characters: ! @ # $ _
    Thanks in advance...

    Hi, I just experienced a problem the may be related to these special characters. I didn't test fully so take this advice with a bit of caution: Under ASA 7.23 OS and possible other OS versions, using special characters in keys causes the key to become deformed, or invalid (don't know which). I upgraded to OS 8.X, re-entered the pre-shared key with special characters and it worked.

  • Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode

    Hi, I have 10 site-to-site VPNs; they consist of Cisco 837s and 877s. I run a security scan (Qualys vulnerability scanning) against the public IP of the routers and half of them come back with the vulnerability below. They are all using the latest IOS and all connect to a Cisco Concentrator.
    Here is the vulnerability, that means nothing to me, is it anything to worry about, all pre-shared keys are 8 characters or more and have letters, numbers, and symbols and capital letters:
    Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode
    THREAT:
    IKE is used during Phase 1 and Phase 2 of establishing an IPSec connection. Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. Every participant in IKE must possess a key which may be either pre-shared (PSK) or a public key. There are inherent risks to configurations that use pre-shared keys which are exaggerated when Aggressive Mode is used.
    IMPACT:
    Using Aggressive Mode with pre-shared keys is the least secure option. In this particular scenario, it is possible for an attacker to gather all necessary information in order to mount an off-line dictionary (brute force) attack on the pre-shared keys. For more information about this type of attack, visit http://www.ima.umn.edu/~pliam/xauth/.
    SOLUTION:
    IKE Aggressive mode with pre-shared keys should be avoided where possible. Otherwise a strong pre-shared key should be chosen.
    Note that this attack method has been known and discussed within the IETF IPSec Working Group. The risk was considered as acceptable. For more information on this, visit http://www.vpnc.org/ietf-ipsec/99.ipsec/thrd2.html#01451.

    The description of the vulnerability specifies IKE aggressive mode. So my first question would be whether you are using IKE in aggressive mode or in main mode? In my experience most router based site to site VPN use main mode (though aggressive mode is an option) while many Remote Access VPN use aggressive mode. So which mode are you using?
    The second part of my response goes back to what I said in my earlier response. What kind of key are you using? How long is it and how strong is it? When you think about it any time we authenticate using shared keys there is some degree of vulnerability to brute force attack. The longer the key and the stronger the key the more you have mitigated the risk.
    HTH
    Rick
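
Serving both the "64 hex characters = 256 binary bits" reply above and the question in this thread about 8-character keys, here is an added Python example (my code, not from any poster) that estimates how many bits of entropy a pre-shared key can carry and generates keys that meet a 256-bit requirement. The characters it refuses are the two the iPad/iPhone PSK thread on this page reported as breaking the iOS client or the ASA CLI; the entropy figure is a heuristic upper bound based on key length and the alphabet the key visibly uses.

```python
import math
import secrets
import string

# From the iPad/iPhone PSK thread on this page: the quotation mark breaks the iOS native
# client and "?" invokes context-sensitive help on the ASA CLI. SAFE_SYMBOLS are the
# symbols that thread reported as working in an ASA pre-shared key.
ASA_UNSAFE = {'"', '?'}
SAFE_SYMBOLS = "!@#$%^&*()_-+=;:'<>,."


def alphabet_size(psk: str) -> int:
    """Size of the smallest obvious alphabet the key draws from.

    A key made only of hex digits is treated as 16 symbols (conservative assumption),
    which is what makes 64 hex characters come out at exactly 256 bits.
    """
    if psk and all(c in string.hexdigits for c in psk):
        return 16
    size = 0
    if any(c.islower() for c in psk):
        size += 26
    if any(c.isupper() for c in psk):
        size += 26
    if any(c.isdigit() for c in psk):
        size += 10
    if any(c in string.punctuation for c in psk):
        size += len(string.punctuation)   # 32 ASCII symbols
    return size


def estimated_bits(psk: str) -> float:
    """Entropy a key of this length would carry if drawn uniformly from its observed alphabet."""
    n = alphabet_size(psk)
    return len(psk) * math.log2(n) if n else 0.0


def check_psk(psk: str, required_bits: int = 256) -> list[str]:
    """Return the reasons a candidate PSK fails the requirement (empty list means it passes)."""
    issues = []
    bad = sorted(ASA_UNSAFE & set(psk))
    if bad:
        issues.append(f"contains characters known to break clients or the CLI: {bad}")
    bits = estimated_bits(psk)
    if bits < required_bits:
        issues.append(f"about {bits:.0f} bits of entropy at best, requirement is {required_bits}")
    return issues


def generate_hex_psk(bits: int = 256) -> str:
    """'bits' of CSPRNG output rendered as hex: 256 bits is the 64 hex characters quoted above."""
    return secrets.token_hex(bits // 8)


def generate_mixed_psk(bits: int = 256) -> str:
    """A shorter key over the ASA-safe mixed alphabet, long enough to still carry 'bits' of entropy."""
    alphabet = string.ascii_letters + string.digits + SAFE_SYMBOLS   # 83 symbols
    length = math.ceil(bits / math.log2(len(alphabet)))              # 41 characters for 256 bits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # An 8-9 character key with every character class still lands far below 256 bits.
    print(check_psk("P@ss-w0Rd"))
    print(generate_hex_psk(), check_psk(generate_hex_psk()))
    print(generate_mixed_psk(), check_psk(generate_mixed_psk()))
```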

  • WLC: Need to change pre-shared key with a script

    Hello,
    I need to change pre-shared key on a Guest Wi-Fi with a script.
    Does anybody have an idea how to find the right entry in the WLC 2125 MIB to change it through SNMP?
    Gorazd

    Hi,
    That is a textFramePreferences property
    mySelection.textFramePreferences.verticalThreshold = Number (range 0- 8640)
    ID Object Reference says:
    "...The maximum amount of vertical space between two paragraphs. Note: Valid only when vertical justification is justified; the specified amount is applied in addition to the space before or space after values defined for the paragraph..."

  • Wlan Pre-shared key

    I have an N97 mini and I'm trying to get access to an open wireless network (there is no padlock next to the signal strength), but it is showing 'enter wlan pre-shared key'. If it's open, why should I enter a password? Help please.

    You could try setting up your access point as follows.
    Goto Settings>Connectivity>Settings>Destinations>Add new access point. If it still does not store your passphrase, select the access point you have just set up then goto WLAN security settings>Pre-shared key and enter it here manually.
