WLC: Need to change pre-shared key with a script
Hello,
I need to change pre-shared key on a Guest Wi-Fi with a script.
Does anybody have an idea how to find the right entry in the WLC 2125 MIB to change it through SNMP?
Gorazd
Hi,
That is a textFramePreferences property
mySelection.textFramePreferences.verticalThreshold = Number (range 0- 8640)
ID Object Reference says:
"...The maximum amount of vertical space between two paragraphs. Note: Valid only when vertical justification is justified; the specified amount is applied in addition to the space before or space after values defined for the paragraph..."
Similar Messages
-
Hi All,
I just have a quick question.
What are the characters that I can use in my pre-shared key to establish a VPN tunnel? I'm wondering whether I can use the following characters: ! @ # $ _
Thanks in advance...
Hi, I just experienced a problem that may be related to these special characters. I didn't test fully, so take this advice with a bit of caution: under ASA 7.23 OS and possibly other OS versions, using special characters in keys causes the key to become deformed, or invalid (don't know which). I upgraded to OS 8.X, re-entered the pre-shared key with special characters and it worked.
-
I have my Windows Server 2008 standard installed with RRAS service and configure with L2TP VPN with pre-shared key. Services such as Active Directory, DHCP and DNS are not installed. The Internet connection doesn't pass through a router to my server machine.
I have the Verizon fios Internet cable plugged in to the server machine directly.
PCs running Windows and Mac OS X can connect to the server without problem. When I try to connect using Android or iOS mobiles and tablets, they cannot connect to the server. If I change the VPN type to PPTP, the mobile devices can connect successfully,
but I would like to use IPSec/L2TP since it's more secure.
I tried so hard to look for a solution to this issue on the Internet but had no luck. Can anyone please provide me some help, please?
Thanks,
CK
Hi CK,
I think we may need to create a policy in Network Policies. Please follow the steps below:
Right-click Network Policies, click New.
Enter the policy name, click Next.
Click Add, select Day and Time Restrictions, click Add.
In Day and Time Restrictions, choose Permitted for all, click OK.
Click Next five times (leave everything default), click Finish.
Move the policy to the top and try to connect with your device.
If the issue persists, please make sure that the Connection Request Policies have been configured properly.
For detailed information about how to create a network policy, please refer to the link below,
Configuring NPS network policies
http://technet.microsoft.com/en-us/library/dd441006.aspx
Best Regards.
Steven Lee
TechNet Community Support -
AnyConnect and Pre-Shared Keys
Hello,
I am extremely new to AnyConnect and VPN, so I have a few questions for you guys. I am trying to configure an AnyConnect client on Android to connect to my ASA 5505 via IPsec. It's configured with (I believe) IKEv1 with pre-shared key and group identifier. I think IKEv2 is certificate based only, and I am not using certificates at this time. I can't seem to find any settings in the app to configure it this way... Can the AnyConnect client connect to this type of connection? If so, what may I be missing? I can configure the default VPN client built into Android and it works fine, but I am being told to use the AnyConnect client. If you need more info, let me know; I'm not sure what to put on here to give the info needed to help. Thanks!
Believe I found my answer:
Cisco AnyConnect VPN
Q. I see that the Cisco AnyConnect Secure Mobility Client supports IPsec. Will Cisco AnyConnect Secure Mobility Client work with Cisco VPN 3000 Series concentrators?
A. No. Cisco VPN 3000 Series concentrators support IPsec/IKEv1. Cisco AnyConnect Secure Mobility Client Version 3.0 and greater supports IPsec/IKEv2 connectivity but not IPsec/IKEv1.
From http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5699/ps10884/qa_c67-712937_ns1049_Networking_Solutions_Q_and_A.html
If there is a workaround or something, please let me know. If not, oh well! -
Show clear text pre shared key asa 5500.....
I have read several of the posts on how to show your pre-shared keys in clear text. I am in the process of converting a 5520 over to a 5525-X and I got to the point where I need the pre-shared keys.
The more system:running-config command does NOT show the clear text of the keys, nor does accessing the file via https://.
The 5520 is running Software Version 8.4(2)18.
Any thoughts on how I can wrestle this info out of the ASA, as I'm not getting anywhere with what seems to have worked for a few others?
Thanks in advance
Sincerely
Paul
The command more system:run should show you those keys.
A couple of things that I have seen:
I have seen it where someone configured the pre-shared key by cutting and pasting the key as it is shown when you do a show run, so it was entered as ****. You can check this by entering a dummy config with a key and then running more system:run to see if it shows up.
Also check the privilege level of your login and make sure it is 15.
Mike -
Wireless data encryption without pre-shared keys?
Is there any way to secure the data transmitted wirelessly without using pre-shared keys for encryption? I'm trying to allow residents to connect to the wireless network without having to go around and put wireless keys on all laptops.
You could look into 802.1X with certificates. This still requires a certificate to be downloaded to the client, but there are several automated ways of doing this.
You will need a certificate authority, and a RADIUS server (such as ACS). There's loads of documentation on CCO on how to configure this.
HTH -
Pre shared keys used in IKE Phase 1
Hi Everyone,
Need to confirm whether we can use pre-shared keys in Aggressive mode and also in Main mode during IKE Phase 1.
Regards
Mahesh
The pre-shared key is used in both modes of IKE Phase 1. With pre-shared keys, the same pre-shared key is configured on each IPsec peer. IKE peers authenticate each other by computing and sending a keyed hash of data that includes the pre-shared key.
-
Configuring a Pre-Shared Key on gateway device
Mr. VRuhil, thank you for that link that you sent me, but unfortunately it did not help (the link for Cisco VPN Client v5.0).
What I really need is CISCO SECURE VPN CLIENT v1.0 or v1.1. Yes, I know that it's EOS/EOL now.
I am using this configuration on my gateway device:
Task 1—Configuring a Pre-Shared Key
And this configuration on the client side is what I wanted to do:
Task 2---Network Security policy:
1- Myconn
My Identity = ip address
Connection security: Secure
Remote Party Identity and addressing
ID Type: IP subnet
10.21.1.0 (range of inside network)
Port all Protocol all
Connect using secure tunnel
ID Type: IP address
99.99.99.1
Pre-shared key = cisco1234
Authentication (Phase 1)
Proposal 1
Authentication method: pre-shared key
Encryp Alg: DES
Hash Alg: MD5
SA life: Unspecified
Key Group: DH 1
Key exchange (Phase 2)
Proposal 1
Encapsulation ESP
Encrypt Alg: DES
Hash Alg: MD5
Encap: tunnel
SA life: Unspecified
no AH
2- Other Connections
Connection security: Non-secure
Local Network Interface
Name: Any
IP Addr: Any
Port: All
With Xauth enabled on the router, when the user tries to connect to a device inside the router (here a ping -t #.#.#.# was performed), a gray screen appears:
User Authentication for 3660
Username:
Password:
In order to use your USB ADSL modem as a WLAN you will need to get a wireless router. The alternative is to replace your current modem with a wireless modem/router.
The pre-shared key is set on the wireless router and acts as a password to protect against uninvited access. -
ASA Iphone, Ipad VPN client pre-shared key (PSK) special characters bug
I ran into this in a deployment of IPsec clients with the Apple iPad and iPhone native VPN client. Here are the details:
Cisco ASA 8.2.5 OS
iPad, running 5.0.1
iPhone 4S, running OS 5.0.1
Special characters make your pre-shared key more secure, so I used a password generator app to make one that coincidentally included a " (quotation mark). After configuring this PSK on an iPad, I was unable to connect. I saw nothing in the ASA logs, indicating the iPad didn't even try to connect.
The iPad generated the following error message:
VPN Connection
A configuration error occurred
OK Button
After searching for quite some time, I found this somewhat obscure reference to the bug:
http://blogs.oreilly.com/iphone/2008/07/strong-passwords-can-hurt.html
Special thx to this guy!
So I started to test special characters to see what would work, adding in one character at a time. Here is where I stopped:
pre-shared-key !@#$%^&*()_-+=;:'<>,.
These characters worked in the PSK. If you are curious and want to play, have fun. I assume the alphanumerics will work since those are pretty standard.
As a side note, here are a few more interesting items:
1) The " (quote mark) does work when you run the real Cisco VPN Client. This was successful on a Windows 7 laptop with the 5.X VPN Client.
2) The ? (question mark) doesn't work either, but that is a little easier to figure out because when you configure it on the ASA, context-sensitive help kicks in and knocks you off the config line.
3) The iPhone 4S suffers from the same issue - doesn't like quotes.
4) Android is probably not affected by this bug, but I tested on an open-source TUN driver-enabled Android, not the Bionic.
Hope that saves someone some time, sometime!
W
Thanks for the tip.
Help stamp out special characters in passwords. Their "strength" is a myth!
Explained nicely here: http://xkcd.com/936/ -
I am currently using an ASA 5550 version 8.2 with ASDM version 6.2.
I have an ASA 5505 in a remote area and cannot connect via VPN.
My logs say maybe mismatched pre-shared key.
On my 5550, via the ASDM, I used the command more system:running-config and it will not show my pre-shared key in plain text; it only shows a *.
Any help would be appreciated.
Remote ASA:
interface Vlan1
nameif inside
security-level 100
ip address 10.200.1.209 255.255.255.240
interface Vlan2
nameif outside
security-level 0
ip address 172.25.62.226 255.255.255.248
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
interface Ethernet0/7
ftp mode passive
access-list nonat extended permit ip 10.200.1.208 255.255.255.240 10.199.1.0 255.255.255.0
access-list nonat extended permit ip 10.200.1.208 255.255.255.240 10.10.144.0 255.255.252.0
access-list VPNL2L extended permit ip 10.200.1.208 255.255.255.240 10.199.1.0 255.255.255.0
access-list VPNL2L extended permit ip 10.200.1.208 255.255.255.240 10.10.144.0 255.255.252.0
access-list 100 extended permit tcp host 89.254.12.35 host 10.200.1.213 eq www
pager lines 24
mtu inside 1500
mtu outside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 172.25.62.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set mytrans esp-des esp-md5-hmac
crypto map mymap 10 match address VPNL2L
crypto map mymap 10 set peer 65.181.59.210
crypto map mymap 10 set transform-set mytrans
crypto map mymap 10 set security-association lifetime seconds 3600
crypto map mymap interface outside
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 21
telnet timeout 5
ssh 10.199.1.0 255.255.255.0 inside
ssh 10.10.144.0 255.255.252.0 inside
ssh timeout 5
console timeout 0
tunnel-group 65.181.59.210 type ipsec-l2l
tunnel-group 65.181.59.210 ipsec-attributes
pre-shared-key *
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
service-policy global_policy global
prompt hostname context
Cryptochecksum:65a0d93601b90ccc07830cddd673e13c
: end
Local ASA:
ASA Version 8.2(1)
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 65.181.59.210 255.255.255.240
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.199.1.2 255.255.255.0
interface GigabitEthernet0/2
nameif insideNOV
security-level 100
ip address 10.10.144.47 255.255.252.0
interface GigabitEthernet0/3
shutdown
no nameif
security-level 100
no ip address
interface Management0/0
shutdown
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
interface GigabitEthernet1/0
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet1/1
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet1/2
shutdown
no nameif
no security-level
no ip address
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
no ip address
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns server-group DefaultDNS
domain-name Rignet
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group service WML tcp
description Remote wits data access
port-object range 1 65535
access-list aclin extended permit object-group DM_INLINE_PROTOCOL_9 any host 65.181.59.219
access-list aclin extended permit object-group DM_INLINE_SERVICE_3 any host 65.181.59.216
access-list aclin extended permit object-group DM_INLINE_PROTOCOL_6 any host 65.181.59.220
access-list aclin extended permit object-group DM_INLINE_PROTOCOL_5 host 10.199.1.2 host 65.181.59.210
access-list aclin extended permit object-group DM_INLINE_SERVICE_1 any host 65.181.59.222
access-list no-nat remark Local Rules
access-list no-nat extended permit ip Rignet 255.255.255.0 10.10.144.0 255.255.252.0
access-list no-nat remark Local Rules
access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 10.200.1.80 255.255.255.240
access-list no-nat extended permit ip Rignet 255.255.255.0 ENI 255.255.255.240
access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 ENI 255.255.255.240
access-list no-nat extended permit ip Rignet 255.255.255.0 Norway_Office 255.255.255.240
access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 Norway_Office 255.255.255.240
access-list no-nat extended permit ip Rignet 255.255.255.0 BobbyVPN 255.255.255.0
access-list no-nat extended permit ip 10.10.144.0 255.255.252.0 BobbyVPN 255.255.255.0
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit tcp any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit tcp interface inside any
access-list inside_access_in remark Block port 135 for port scanning
access-list inside_access_in extended deny 135 any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 10.10.144.0 255.255.252.0 Rignet 255.255.255.0
access-list test extended permit icmp any any echo
access-list test extended permit icmp any any echo-reply
access-list InsideNOV_access_in extended permit ip 10.200.0.0 255.255.0.0 10.10.144.0 255.255.252.0
access-list InsideNOV_access_in extended permit object-group DM_INLINE_SERVICE_7 any any
access-list InsideNOV_access_in extended permit object-group DM_INLINE_SERVICE_4 Rignet 255.255.255.0 10.10.144.0 255.255.252.0
access-list InsideNOV_access_in extended permit object-group DM_INLINE_PROTOCOL_12 Norway_Office 255.255.255.240 10.10.144.0 255.255.252.0
access-list InsideNOV_access_in extended permit object-group DM_INLINE_PROTOCOL_8 BobbyVPN 255.255.255.0 10.10.144.0 255.255.252.0
access-list inside_acl extended permit object-group DM_INLINE_SERVICE_8 any any
access-list inside_acl extended permit object-group DM_INLINE_SERVICE_5 10.10.144.0 255.255.252.0 Rignet 255.255.255.0
access-list inside_acl extended permit object-group DM_INLINE_SERVICE_6 Rignet 255.255.255.0 10.10.144.0 255.255.252.0
access-list inside_acl extended permit object-group DM_INLINE_PROTOCOL_10 10.200.0.0 255.255.0.0 Rignet 255.255.255.0
access-list inside_acl extended deny object-group DM_INLINE_PROTOCOL_11 host 192.168.56.1 any
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_2 10.10.144.0 255.255.252.0 Rignet 255.255.255.0
access-list inside_access_in_1 extended permit ip Rignet 255.255.255.0 Rignet 255.255.255.0
access-list inside_access_in_1 extended permit object-group DM_INLINE_PROTOCOL_7 BobbyVPN 255.255.255.0 Rignet 255.255.255.0
access-list inside_access_in_2 extended permit object-group DM_INLINE_SERVICE_11 Rignet 255.255.255.0 Rignet 255.255.255.0
pager lines 24
logging enable
logging asdm informational
no logging message 106015
no logging message 313001
no logging message 313008
no logging message 106023
no logging message 710003
no logging message 106100
no logging message 302015
no logging message 302014
no logging message 302013
no logging message 302018
no logging message 302017
no logging message 302016
no logging message 302021
no logging message 302020
mtu outside 1500
mtu inside 1500
mtu insideNOV 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any insideNOV
icmp permit any echo-reply insideNOV
icmp permit any echo insideNOV
asdm image disk0:/asdm-621.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
global (inside) 2 65.181.57.51 netmask 255.255.255.255
nat (outside) 1 0.0.0.0 0.0.0.0
nat (inside) 0 access-list no-nat
nat (inside) 1 Rignet 255.255.255.0
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) 65.181.59.222 10.199.1.23 netmask 255.255.255.255
static (inside,outside) 65.181.59.219 10.199.1.27 netmask 255.255.255.255
static (inside,outside) 65.181.59.216 10.199.1.54 netmask 255.255.255.255
static (inside,outside) 65.181.59.220 10.199.1.26 netmask 255.255.255.255
access-group aclin in interface outside
access-group inside_access_in_1 in interface inside
access-group InsideNOV_access_in in interface insideNOV
route outside 0.0.0.0 0.0.0.0 65.181.59.209 1
route inside 153.15.156.217 255.255.255.255 65.181.57.51 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
snmp-server enable traps ipsec stop
snmp-server enable traps entity config-change
sysopt connection tcpmss 1100
sysopt noproxyarp inside
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec transform-set mySET esp-des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map myDYN-MAP 5 set transform-set mySET
crypto dynamic-map myDYN-MAP 5 set security-association lifetime seconds 28800
crypto dynamic-map myDYN-MAP 5 set security-association lifetime kilobytes 4608000
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map myMAP 65000 ipsec-isakmp dynamic myDYN-MAP
crypto map myMAP interface outside
crypto ca trustpoint Intelliserv.rignet.local
enrollment terminal
subject-name CN=Rignet5550
keypair IntelliServ.rignet.local
crl configure
crypto ca trustpoint ASDM_TrustPoint3
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment terminal
subject-name CN=Rignet5550
password *
crl configure
crypto isakmp identity address
crypto isakmp enable outside
crypto isakmp policy 1
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 21
telnet timeout 5
console timeout 0
management-access inside
no threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
group-policy DfltGrpPolicy attributes
vpn-tunnel-protocol IPSec l2tp-ipsec svc webvpn
group-policy myGROUP internal
group-policy myGROUP attributes
split-tunnel-policy tunnelspecified
nem enable
username GaileyB password 0oaTL6AGb4l6JKde encrypted privilege 15
username rignetadmin password 3R8hQCl0jw5iU/r3 encrypted privilege 15
tunnel-group DefaultL2LGroup ipsec-attributes
pre-shared-key *
tunnel-group mytunnel type remote-access
tunnel-group mytunnel general-attributes
default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
pre-shared-key *
tunnel-group 164.85.0.18 type ipsec-l2l
tunnel-group 164.85.0.18 ipsec-attributes
peer-id-validate cert
chain
tunnel-group-map default-group DefaultL2LGroup
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
class class-default
service-policy global_policy global
prompt hostname context
Cryptochecksum:a84cff45794fa5021237d51d5f87461e
: end -
Hello there,
Does anyone know how to decode/extract the pre-shared keys for the tunnels using either ASDM 603 or the CLI on a PIX/ASA 5520?
Please shoot.
Thks.
The easier solution is:
more system:running-config
You can find more detail here:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00807f2d37.shtml
And yes it should work on 8.x, I don't think this has changed.
Regards
Farrukh -
Crypto/pre-shared keys to crypto/pki worth doing?
Hi,
I have 10 VPNs that come into my ASA 5520; they all use pre-shared keys (and AES-256/SHA). Is it worth moving to PKI instead?
PKI provides customers with a scalable, secure mechanism for distributing, managing, and revoking encryption and identity information in a secured data network. Every entity (a person or a device) participating in the secured communications is enrolled in the PKI, a process where the entity generates a Rivest, Shamir, and Adleman (RSA) key pair (one private key and one public key) and has their identity validated by a trusted entity (also known as a CA or trustpoint).
-
Pre-shared key should be at least 256 bits of cryptographically random data
Hi all,
I need some info; I got a client IPsec VPN form.
They asked that (pre-shared key should be at least 256 bits of cryptographically random data).
What does that really mean?
A key consisting of 256 characters like abcdefg...... till 256 characters are done?
Or does it mean the encryption we define in the policy, like
crypto isakmp policy 8
authentication pre-share
encryption aes-256 ????????
Please help me to understand this requirement for my Cisco ASA.
64 hex characters = 256 binary bits
Michael
Please rate all helpful posts -
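The reply above gives the arithmetic (64 hex characters carry 256 bits), and the iPad thread earlier on this page lists which printable characters survived the ASA CLI and the iOS client. The following Python is an added example, not code from either poster, that ties the two together from the defender's side: it draws a 256-bit PSK from the operating system's CSPRNG, works out how long a key must be for a given alphabet to reach 256 bits, and checks an existing key against both the entropy requirement and the two characters the thread reports as troublesome. The alphabet name SAFE_ALPHABET and the check function are assumptions of this example; the set of working special characters is taken from the thread.

```python
import math
import secrets
import string

# Special characters the iPad thread reports as working in the PSK on both the
# ASA CLI and the iOS native client. The quotation mark is left out because the
# thread reports the iOS client refuses a PSK containing it, and the question
# mark is left out because the ASA CLI treats "?" as a help request while the
# key is being typed. (Assumed alphabet for this example.)
SAFE_SPECIALS = "!@#$%^&*()_-+=;:'<>,."
SAFE_ALPHABET = string.ascii_letters + string.digits + SAFE_SPECIALS
PROBLEM_CHARS = '"?'
HEX_ALPHABET = "0123456789abcdef"


def hex_psk(bits: int = 256) -> str:
    """Return `bits` bits of CSPRNG output as lowercase hex (64 chars for 256 bits)."""
    if bits % 8:
        raise ValueError("bits must be a multiple of 8")
    return secrets.token_hex(bits // 8)


def min_length(alphabet: str, bits: int = 256) -> int:
    """Smallest length L with L * log2(|alphabet|) >= bits."""
    return math.ceil(bits / math.log2(len(alphabet)))


def printable_psk(bits: int = 256, alphabet: str = SAFE_ALPHABET) -> str:
    """Draw a PSK uniformly from `alphabet`, just long enough to carry `bits` bits."""
    length = min_length(alphabet, bits)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(psk: str, alphabet: str) -> float:
    """Entropy of `psk` assuming every character was drawn uniformly from `alphabet`."""
    if any(c not in alphabet for c in psk):
        raise ValueError("psk contains characters outside the alphabet")
    return len(psk) * math.log2(len(alphabet))


def check_psk(psk: str, alphabet: str = SAFE_ALPHABET, bits: int = 256) -> list:
    """Return a list of findings; an empty list means the key meets the requirement."""
    findings = []
    bad = sorted({c for c in psk if c in PROBLEM_CHARS})
    if bad:
        findings.append(f"contains characters the thread reports as breaking the ASA CLI or iOS client: {bad}")
    outside = sorted({c for c in psk if c not in alphabet})
    if outside:
        findings.append(f"contains characters outside the chosen alphabet: {outside}")
        return findings
    have = entropy_bits(psk, alphabet)
    if have < bits:
        findings.append(
            f"only {have:.1f} bits of entropy; need {bits} "
            f"(at least {min_length(alphabet, bits)} characters from this alphabet)"
        )
    return findings


if __name__ == "__main__":
    print("hex PSK (64 chars):     ", hex_psk())
    print("printable PSK:          ", printable_psk())
    # 'cisco1234' is the sample key from the Cisco Secure VPN Client post above.
    print("findings for cisco1234: ", check_psk("cisco1234"))
```

The hex form is the simplest way to satisfy a "256 bits of cryptographically random data" requirement literally; the printable form gets the same entropy in 41 characters from the larger alphabet while staying inside the character set the thread found to work.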
Ciscoworks LMS RME / ASA Firewall configuration pre-shared key savings
Does anybody know how pre-shared keys are saved by CiscoWorks LMS/RME?
Is there a way to get the unencrypted values from CiscoWorks LMS/RME for an ASA firewall?
ASA config saved with RME:
pre-shared-key *
ASA config saved to TFTP from the ASA:
pre-shared-key 1ZdmaKVwEkQ66nD37d9kA9fj9z75
If you enable "shadow directory" (RME - Admin - Config Mgmt - Archive Mgmt - Archive Settings), you can find the raw configs in locations such as /var/adm/CSCOpx/files/rme/dcma/shadow/Security_and_VPN/PRIMARY on Solaris, or its Windows equivalent, after one requisite cycle of Periodic Polling and/or Periodic Collection. That's the same config one would get saving to TFTP manually.
However, I don't recall how to unscramble the "asterisks" in the RME GUI, if that is possible at all. -
Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode
Hi, I have 10 site-to-site VPNs; they consist of Cisco 837s and 877s. I run a security scan (Qualys vulnerability scanning) against the public IP of the routers and half of them come back with the vulnerability below. They are all using the latest IOS and all connect to a Cisco Concentrator.
Here is the vulnerability. It means nothing to me; is it anything to worry about? All pre-shared keys are 8 characters or more and have letters, numbers, symbols and capital letters:
Pre-shared Key Off-line Bruteforcing Using IKE Aggressive Mode
THREAT:
IKE is used during Phase 1 and Phase 2 of establishing an IPSec connection. Phase 1 is where the two ISAKMP peers establish a secure, authenticated channel with which to communicate. Every participant in IKE must possess a key which may be either pre-shared (PSK) or a public key. There are inherent risks to configurations that use pre-shared keys which are exaggerated when Aggressive Mode is used.
IMPACT:
Using Aggressive Mode with pre-shared keys is the least secure option. In this particular scenario, it is possible for an attacker to gather all necessary information in order to mount an off-line dictionary (brute force) attack on the pre-shared keys. For more information about this type of attack, visit http://www.ima.umn.edu/~pliam/xauth/.
SOLUTION:
IKE Aggressive mode with pre-shared keys should be avoided where possible. Otherwise a strong pre-shared key should be chosen.
Note that this attack method has been known and discussed within the IETF IPSec Working Group. The risk was considered as acceptable. For more information on this, visit http://www.vpnc.org/ietf-ipsec/99.ipsec/thrd2.html#01451.
The description of the vulnerability specifies IKE aggressive mode. So my first question would be whether you are using IKE in aggressive mode or in main mode? In my experience most router-based site-to-site VPNs use main mode (though aggressive mode is an option), while many remote-access VPNs use aggressive mode. So which mode are you using?
The second part of my response goes back to what I said in my earlier response. What kind of key are you using? How long is it and how strong is it? When you think about it any time we authenticate using shared keys there is some degree of vulnerability to brute force attack. The longer the key and the stronger the key the more you have mitigated the risk.
HTH
Rick