This is a problem: if you download the config, or send it over an unsecured channel without any redaction, any third party who gets hold of it also gets the PSK in the clear, and the PSK is supposed to be private and confidential.
Cisco has offered a feature to encrypt the PSK in IOS images with the Advanced Security feature set, starting around 12.4 iirc.
For example, before enabling encryption the PSK lines look like this:
pre-shared-key address 192.0.2.1 key mypasswordintheclear
pre-shared-key address 192.0.2.2 key mypasswordintheclear
And after:
pre-shared-key address 192.0.2.1 key 6 A_XHDqUae_PAOPCUQUlDoNcPiKhEcE[
pre-shared-key address 192.0.2.2 key 6 BDLJbF`SXINVWObsgP]UGWgQeJBPIA
The latter is encrypted with AES under a master key. Note that type 6 is encryption, not a hash: the router has to decrypt it to use the PSK in IKE. The master key itself is not stored in the configuration (it is kept in private NVRAM and never appears in show running-config), so the type 6 string on its own does not reveal the PSK.
The IOS config lines to do this are:
config term
key config-key password-encrypt mykeyhere
password encryption aes
end
Now the key points to take away:
- type 6 is AES encryption rather than a hash, but the PSK cannot be recovered from the type 6 string without the router's master key, and the master key is not part of the config
- because the master key is not in the backup, a config restored onto another router (or onto this one after the master key has been removed) cannot decrypt its type 6 keys until the same master key is configured again
- if you forget what your PSK is and the far end cannot confirm it either, you are left with no choice but to re-key with a new PSK
config t
no key config-key password-encrypt
WARNING: All type 6 encrypted keys will become unusable
Continue with master key deletion ? [yes/no]: yes
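The point of the before/after comparison above is that only the cleartext form leaks the PSK when a config is shared. As an added example (not from the original post and not Cisco code), here is a small Python check that scans a saved IOS configuration for IKE pre-shared keys stored in the clear versus as type 6, and redacts the cleartext ones before the file is sent anywhere. The sample configuration is constructed for the example, and the script also handles the global `crypto isakmp key` form, which the post does not show.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample (not from a real device): a keyring with one cleartext and
# one type 6 entry, plus the global "crypto isakmp key" form in both states.
SAMPLE_CONFIG = """\
crypto keyring VPN-KEYS
 pre-shared-key address 192.0.2.1 key mypasswordintheclear
 pre-shared-key address 192.0.2.2 key 6 BDLJbF`SXINVWObsgP]UGWgQeJBPIA
crypto isakmp key anothersecret address 198.51.100.7
crypto isakmp key 6 ZaBcDeFgHiJkLmNoPqRsTuVwXyZ012 address 198.51.100.8
"""

# Keyring form:  pre-shared-key {address A.B.C.D [mask] | hostname NAME} key [6] VALUE
KEYRING_RE = re.compile(
    r"^(?P<prefix>\s*pre-shared-key\s.*?\skey\s+)(?P<type>6\s+)?(?P<value>\S+)\s*$"
)
# Global form:   crypto isakmp key [6] VALUE {address A.B.C.D | hostname NAME} ...
ISAKMP_RE = re.compile(
    r"^(?P<prefix>\s*crypto isakmp key\s+)(?P<type>6\s+)?(?P<value>\S+)"
    r"(?P<rest>\s+(?:address|hostname)\s.*)$"
)
PATTERNS = (("keyring", KEYRING_RE), ("isakmp", ISAKMP_RE))


def classify_line(line: str) -> Optional[Tuple[str, bool, str]]:
    """Return (kind, is_cleartext, value) for a line that carries an IKE PSK, else None.

    A key counts as cleartext when the value is not prefixed by the type 6 marker.
    A type 6 value is AES ciphertext under the router's master key, which is not
    stored in the configuration, so it does not reveal the PSK on its own.
    """
    for kind, rx in PATTERNS:
        m = rx.match(line)
        if m:
            return kind, m.group("type") is None, m.group("value")
    return None


def find_cleartext_psks(config: str) -> List[Tuple[int, str, str]]:
    """List (line_number, kind, value) for every PSK stored without type 6."""
    hits = []
    for n, line in enumerate(config.splitlines(), start=1):
        found = classify_line(line)
        if found and found[1]:
            hits.append((n, found[0], found[2]))
    return hits


def redact_config(config: str, mask: str = "<REDACTED-PSK>") -> str:
    """Return a copy safe to send: cleartext PSK values are replaced by `mask`.

    Type 6 strings are left intact so the file still diffs cleanly against the
    device and can be reloaded on a router that holds the same master key.
    """
    out = []
    for line in config.splitlines():
        for _, rx in PATTERNS:
            m = rx.match(line)
            if m and m.group("type") is None:
                line = m.group("prefix") + mask + (m.groupdict().get("rest") or "")
                break
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Report positions and lengths only; never echo the secret itself to a terminal log.
    for n, kind, value in find_cleartext_psks(SAMPLE_CONFIG):
        print(f"line {n}: {kind} PSK stored in the clear ({len(value)} chars)")
    print(redact_config(SAMPLE_CONFIG))
```

Run it against a `show running-config` capture before attaching the file to a ticket or mail: any hit means the box has not had `password encryption aes` applied (or the line was added after the master key was removed), and the redacted copy is what should leave the building.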
I hope you find this tip useful, and we should always change the VPN PSK on a regular cycle, IMHO.
Ken Felix
Freelance Network/Security Engineer
kfelix -------at----- hyperfeed -------dot----com
^ ^
= ( @ @ ) =
o
~