How to Configure an Encrypted Preshared Key
Configuring Preshared Keys
Note |
Preshared keys do not scale well with a growing network.
|
enable
configure terminal
crypto isakmp identity address
crypto isakmp key sharedkeystring address 192.168.1.33 no-xauth
crypto isakmp key sharedkeystring address 10.0.0.1
end
Troubleshooting Tips
If you see the warning message “ciphertext >[for username bar>] is incompatible with the configured master key,” you have entered or cut and pasted cipher text that does not match the master key or there is no master key. (The cipher text will be accepted or saved.) The warning message will allow you to locate the broken configuration line or lines.
Monitoring Encrypted Preshared Keys
enable
configure terminal
password logging
end
Router (config)# key config-key password-encrypt
New key:
Confirm key:
Router (config)#
01:40:57: TYPE6_PASS: New Master key configured, encrypting the keys with
the new master keypas
Router (config)# key config-key password-encrypt
Old key:
New key:
Confirm key:
Router (config)#
01:42:11: TYPE6_PASS: Master key change heralded, re-encrypting the keys
with the new master key
01:42:11: TYPE6_PASS: Mac verification successful
01:42:11: TYPE6_PASS: Mac verification successful
01:42:11: TYPE6_PASS: Mac verification successful
Configuring ISAKMP Preshared Key
enable
configure terminal
crypto isakmp key cisco address 10.2.3.4
crypto isakmp key mykey hostname mydomain.com
end
Configuring ISAKMP Preshared Key in ISAKMP Keyrings
enable
configure terminal
crypto keyring mykeyring
pre-shared-key address 10.2.3.5 key cisco
pre-shared-key hostname mydomain.com key cisco
end
Configuring ISAKMP Aggressive Mode
enable
configure terminal
isakmp peer ip-address 10.2.3.4
set aggressive-mode client-endpoint fqdn cisco.com
set aggressive-mode password cisco
end