Cisco Pre Shared Key Generator
How to generate secure pre-shared keys (PSK) for an IPSec VPN
I build VPNs regularly, and one of the problems that comes up regularly is how to exchange PSKs. Some people are happy to exchange them over email, and others not (particularly because of ISO/IEC 27002).
Objective
Internet Protocol Security (IPSec) protects communications by authenticating and encrypting IP packets for the duration of a session. Its key-management component, the Internet Key Exchange (IKE), establishes mutual authentication between the two endpoints at the start of the session and negotiates the cryptographic keys used during it. A Virtual Private Network (VPN) is a private network that carries traffic between two hosts across a shared or public network such as the Internet; an IPSec VPN protects that traffic with encryption and integrity checks.
This document shows the configuration of the IPSec VPN with IKE Preshared Key and Manual Key on a WRVS4400N router.
Feb 08, 2013. There are a couple of ways to retrieve a pre-shared key for a Cisco IPSec VPN. The easiest way is to get it from the running config on the ASA. Unfortunately, show run only gives you asterisks for the PSK, but you can use this command to.
IPsec Pre-Shared Key Generator. PSK Generator provides a process to negotiate a 64-byte IPsec Pre-Shared Key (also known as a Shared Secret or PSK) through insecure means, such as email. Note: This page uses client-side JavaScript. It does not transmit any entered or calculated information.
Both parties enter the same two inputs: whatever one party enters as 'Key 1' the other party must also enter as 'Key 1', and whatever one party enters as 'Key 2' the other party must also enter as 'Key 2'. The inputs can be serial numbers or MAC addresses, or you can call each other and exchange two colours, favourite sports teams, etc.
Caveat: because the derivation is deterministic and the code runs in the browser, the resulting PSK is exactly as secret as Key 1 and Key 2 together. Anyone who can read both inputs (for example, in one email thread) can recompute the same 64-byte value, and inputs such as a colour or a team name are guessable even when never observed. Send at least one input over a separate channel, preferably a phone call, and prefer values with real entropy; the length of the output adds none.
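As an added example (not the generator's own code; the page does not publish its algorithm), the following Python shows the two honest options and the failure mode described above: a random 64-byte PSK from the OS CSPRNG, a deterministic derivation of a 64-byte PSK from two agreed inputs using PBKDF2-HMAC-SHA512, and a guessing loop that recovers the inputs when they are a colour and a team name. The label, iteration count and length-prefixing are assumptions of this example. The guessing loop models an attacker who can test candidate PSKs, for instance offline against a captured IKE aggressive-mode exchange or online against the peer, as a direct comparison.

```python
import hashlib
import hmac
import itertools
import secrets

PSK_BYTES = 64                 # the generator described above produces a 64-byte PSK
PBKDF2_ITERATIONS = 100_000    # assumption of this example; the page's algorithm is not published
DERIVE_LABEL = b"ipsec-psk-derive-v1"   # fixed salt/label (assumption); both parties must use the same


def generate_random_psk(nbytes=PSK_BYTES):
    """Preferred path: a PSK drawn from the OS CSPRNG, to be carried out of band.
    Returns 2*nbytes hex characters (128 for a 64-byte key)."""
    return secrets.token_hex(nbytes)


def derive_shared_psk(key1, key2, nbytes=PSK_BYTES, iterations=PBKDF2_ITERATIONS):
    """Deterministic derivation from the two agreed inputs ('Key 1' and 'Key 2').
    Both parties obtain the same PSK only if they enter the same values in the
    same order, which mirrors the Key 1 / Key 2 note above."""
    # Length-prefix each input so ("ab", "c") and ("a", "bc") cannot collide.
    material = b"".join(
        len(s.encode()).to_bytes(2, "big") + s.encode() for s in (key1, key2)
    )
    return hashlib.pbkdf2_hmac("sha512", material, DERIVE_LABEL, iterations, dklen=nbytes).hex()


def psks_match(local_psk, remote_psk):
    """Constant-time comparison, e.g. for checking a PSK read back from a device."""
    return hmac.compare_digest(local_psk, remote_psk)


def recover_inputs_by_guessing(target_psk, key1_guesses, key2_guesses):
    """What an attacker who can test candidate PSKs can do when the inputs were
    'two colours' or 'favourite sports teams': enumerate them. The 64-byte
    output adds no entropy to guessable inputs. Returns the (key1, key2) pair
    that reproduces target_psk, or None."""
    for k1, k2 in itertools.product(key1_guesses, key2_guesses):
        if psks_match(derive_shared_psk(k1, k2), target_psk):
            return k1, k2
    return None


if __name__ == "__main__":
    print("random PSK (send out of band):", generate_random_psk())
    shared = derive_shared_psk("blue", "Chelsea")
    print("derived PSK from two guessable inputs:", shared)
    print("recovered inputs:", recover_inputs_by_guessing(
        shared, ["red", "blue", "green"], ["Arsenal", "Chelsea", "Spurs"]))
```

Before pasting the 128-character hex string into a device, check that platform's maximum preshared-key length; the page does not state the WRVS4400N limit.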
Applicable Devices
• WRVS4400N
Software Version
• v2.0.2.1
Configuration of IPSec VPN Setup
Step 1. Log into the web configuration utility page and choose VPN > IPSec VPN. The IPSec VPN page opens:
Step 2. Choose an option from the Keying Mode drop-down list.
• IKE with Preshared Key — IKE negotiates the key material for the Security Association (SA) automatically and authenticates the two peers with a shared secret that both must have configured.
• Manual — No key negotiation takes place; the encryption and authentication keys and the SPIs are entered by hand on both ends. Manual keying is usually used for small environments or for troubleshooting purposes.
Note: Both sides of the VPN Tunnel must use the same key management method.
IPSec VPN Setup with IKE Preshared Key
Step 1. Choose IKE with Preshared Key from the drop-down list of the Keying Mode field.
In the Phase 1 area,
Step 2. Choose 3DES in the Encryption field. The Encryption method determines the cipher and key length used to protect the IKE negotiation. Only 3DES is supported on this firmware; it is a legacy 64-bit block cipher, so do not extend the key lifetimes beyond the defaults.
Note: Both sides of the VPN Tunnel must use the same Encryption method.
Step 3. Choose an option from the Authentication drop-down list. Authentication determines the hash used (in HMAC mode) to verify the integrity and origin of the packets. The user can choose MD5 or SHA1 from the drop-down list.
• MD5 — A one-way hash algorithm that produces a 128-bit digest. MD5 is a broken hash algorithm (practical collisions exist); HMAC-MD5 is not directly affected by those collisions, but SHA1 should be preferred whenever the peer supports it.
• SHA1 — A one-way hash algorithm that produces a 160-bit digest. It is the stronger of the two choices offered, at the cost of being somewhat slower than MD5.
Note: Both sides of the VPN endpoints must use the same Authentication method.
Step 4. Choose an option from the Group drop-down list. The Diffie-Hellman (DH) group determines the size of the modulus used for the key exchange.
• 768-bit (Group 1) — The weakest option; 768-bit DH is within reach of a well-resourced attacker and should not be used.
• 1024-bit (Group 2) — Uses a 1024-bit modulus; considered weak by current standards.
• 1536-bit (Group 5) — Uses a 1536-bit modulus; the strongest option this router offers.
Note: Group 5 provides the most security and Group 1 the least. Choose Group 5 unless the peer cannot support it.
Step 5. Enter the lifetime (in seconds) of the IKE-generated key in the Key LifeTime field. When the time expires, a new key is renegotiated automatically. The Key Lifetime ranges from 1081 to 86400 seconds. The default value for Phase 1 is 28800 seconds.
In the Phase 2 area,
Step 6. Choose 3DES in the Encryption field. The Encryption method determines the cipher and key length used to encrypt and decrypt ESP packets. Only 3DES is supported.
Note: Both sides of the VPN Tunnel must use the same Encryption method.
Step 7. Choose an option from the Authentication drop-down list. Authentication determines the hash used (in HMAC mode) to verify the integrity and origin of ESP packets. The user can choose MD5 or SHA1 from the drop-down list.
• MD5 — A one-way hash algorithm that produces a 128-bit digest. This is not as secure as SHA1 because it is a broken hash algorithm.
• SHA1 — A one-way hash algorithm that produces a 160-bit digest. This is the more secure hash algorithm, but it is not as fast as MD5.
Note: Both sides of the VPN endpoints must use the same Authentication method.
Step 8. Choose an option from the Perfect Forward Secrecy (PFS) drop-down list.
• Enabled — IKE Phase 2 performs a fresh Diffie-Hellman exchange (using the Group chosen in Step 10) and generates new key material for IP traffic encryption and authentication. A later compromise of the Phase 1 keys or of the preshared key then does not expose past ESP traffic.
• Disabled — IKE Phase 2 derives its keys from the Phase 1 key material without a new exchange; anyone who recovers the Phase 1 secrets can decrypt the traffic of every Phase 2 SA built from them.
Note: Both sides must have selected the same PFS setting. Enable it unless the peer cannot.
Step 9. Enter the preshared key, as a character string or a hexadecimal value, in the Preshared Key field. It is the secret with which the two endpoints authenticate each other, so both ends must enter the identical value. Use a long random string rather than a word or phrase; a short PSK can be recovered by a dictionary attack, especially if aggressive mode is in use.
Step 10. Choose an option from the Group drop-down list. This Diffie-Hellman (DH) group is used for the Phase 2 key exchange when PFS is enabled.
• 768-bit (Group 1) — The weakest option; it should not be used.
• 1024-bit (Group 2) — Uses a 1024-bit modulus; considered weak by current standards.
• 1536-bit (Group 5) — Uses a 1536-bit modulus; the strongest option this router offers.
Note: Group 5 provides the most security and Group 1 the least.
Step 11. Enter the lifetime (in seconds) of the IKE-generated key in the Key LifeTime field. When the time expires, a new key is renegotiated automatically. The Key Lifetime ranges from 1081 to 86400 seconds. The default value for Phase 2 is 3600 seconds.
Step 12. Click Save to save the setup.
IPSec VPN Setup with Manual Key
In the IPSec Setup area,
Step 1. Choose Manual from the drop-down list of the Keying Mode field.
In the Phase 1 area,
Step 2. Choose 3DES in the Encryption field. The Encryption method determines the cipher and key length used to encrypt and decrypt ESP packets. Only 3DES is supported.
Note: Both sides of the VPN Tunnel must use the same Encryption method.
Step 3. Choose an option from the Authentication drop-down list. Authentication determines the hash used to authenticate ESP packets. The user can choose MD5 or SHA1 from the drop-down list.
• MD5 — A one-way hash algorithm that produces a 128-bit digest.
• SHA1 — A one-way hash algorithm that produces a 160-bit digest; prefer it over MD5.
Note: Both sides of the VPN endpoints must use the same Authentication method.
Step 4. Choose an option from the Group drop-down list. The Diffie-Hellman (DH) group determines the size of the modulus used for the key exchange.
• 768-bit (Group 1) — The weakest option; it should not be used.
• 1024-bit (Group 2) — Uses a 1024-bit modulus; considered weak by current standards.
• 1536-bit (Group 5) — Uses a 1536-bit modulus; the strongest option this router offers.
Note: Group 5 provides the most security and Group 1 the least.
Step 5. Enter the lifetime (in seconds) of the IKE-generated key in the Key LifeTime field. When the time expires, a new key is renegotiated automatically. The Key Lifetime ranges from 1081 to 86400 seconds. The default value for Phase 1 is 28800 seconds.
In the Phase 2 area,
Step 6. Choose 3DES in the Encryption Algorithm field. The Encryption method determines the cipher and key length used to encrypt and decrypt ESP packets. Only 3DES is supported.
Note: Both sides of the VPN Tunnel must use the same Encryption method.
Step 7. Enter the encryption key in the Encryption Key field. Since the Encryption Algorithm is 3DES, enter 24 ASCII characters as the key. Generate those 24 characters randomly rather than choosing a memorable phrase; with manual keying there is no negotiation, and a guessable key defeats the encryption.
Step 8. Choose an option from the Authentication Algorithm drop-down list. Authentication determines the hash used to authenticate ESP packets. The user can choose MD5 or SHA1 from the drop-down list.
• MD5 — A one-way hash algorithm that produces a 128-bit digest.
• SHA1 — A one-way hash algorithm that produces a 160-bit digest.
Step 9. Enter the authentication key in the Authentication Key field. If MD5 was chosen as the authentication algorithm, enter 16 ASCII characters as the key; if SHA1 was chosen, enter 20 ASCII characters.
Step 10. Enter the inbound SPI (Security Parameter Index) in the Inbound SPI field.
Step 11. Enter the outbound SPI in the Outbound SPI field.
The SPI is carried in the ESP (Encapsulating Security Payload) header. It enables the receiver to select the SA under which a packet should be processed. The SPI is a 32-bit value; both decimal and hexadecimal values are accepted. Each tunnel must have a unique Inbound SPI and Outbound SPI; no two tunnels share the same SPI.
Note: The local Inbound SPI must equal the remote router's Outbound SPI, and vice versa.
Step 12. Click Save to save the setup.
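The per-side rules and the "both sides must match" notes in the IKE Preshared Key steps and in the Manual Key steps above can be checked before anything is typed into either router. The following Python validator is an added example, not software from Cisco or from the WRVS4400N. The supported cipher, hashes, DH groups, manual key lengths and lifetime range are the ones the steps list; the field names, the 16-character minimum for an IKE preshared key and the exclusion of the IANA-reserved SPI values 0 to 255 are assumptions of the example.

```python
import hmac
from dataclasses import dataclass

# Values the WRVS4400N v2.0.2.1 UI offers, as described in the steps above.
ENC_KEY_LEN = {"3DES": 24}              # manual-mode Encryption Key length in ASCII characters
AUTH_KEY_LEN = {"MD5": 16, "SHA1": 20}  # manual-mode Authentication Key length
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536}
LIFETIME_RANGE = (1081, 86400)
SPI_MAX = 2**32 - 1                     # the SPI is a 32-bit value
SPI_RESERVED_MAX = 255                  # 0 and 1..255 are reserved by RFC 4303 (stricter check, an assumption)
MIN_PSK_CHARS = 16                      # assumption of this example, not a device limit


@dataclass
class Phase:
    encryption: str = "3DES"
    authentication: str = "SHA1"
    dh_group: int = 5
    lifetime: int = 28800


@dataclass
class TunnelEnd:
    keying_mode: str              # "IKE" or "Manual"
    phase1: Phase
    phase2: Phase
    pfs: bool = True
    preshared_key: str = ""       # IKE mode only
    encryption_key: str = ""      # Manual mode only (Phase 2)
    authentication_key: str = ""  # Manual mode only (Phase 2)
    inbound_spi: int = 0
    outbound_spi: int = 0


def check_end(end):
    """Problems with one side's settings, independent of the peer."""
    problems = []
    for name, ph in (("Phase 1", end.phase1), ("Phase 2", end.phase2)):
        if ph.encryption not in ENC_KEY_LEN:
            problems.append(f"{name}: encryption {ph.encryption} not supported (only 3DES)")
        if ph.authentication not in AUTH_KEY_LEN:
            problems.append(f"{name}: authentication {ph.authentication} not supported")
        if ph.dh_group not in DH_GROUP_BITS:
            problems.append(f"{name}: unknown DH group {ph.dh_group}")
        elif ph.dh_group < 5:
            problems.append(f"{name}: DH group {ph.dh_group} ({DH_GROUP_BITS[ph.dh_group]}-bit) is weak; use group 5")
        if not LIFETIME_RANGE[0] <= ph.lifetime <= LIFETIME_RANGE[1]:
            problems.append(f"{name}: lifetime {ph.lifetime}s outside {LIFETIME_RANGE}")
    if end.keying_mode == "IKE":
        if len(end.preshared_key) < MIN_PSK_CHARS:
            problems.append(f"IKE: preshared key shorter than {MIN_PSK_CHARS} characters")
    elif end.keying_mode == "Manual":
        want = ENC_KEY_LEN.get(end.phase2.encryption)
        if want and len(end.encryption_key) != want:
            problems.append(f"Manual: encryption key must be {want} ASCII characters")
        want = AUTH_KEY_LEN.get(end.phase2.authentication)
        if want and len(end.authentication_key) != want:
            problems.append(f"Manual: authentication key must be {want} ASCII characters")
        for label, spi in (("inbound", end.inbound_spi), ("outbound", end.outbound_spi)):
            if not SPI_RESERVED_MAX < spi <= SPI_MAX:
                problems.append(f"Manual: {label} SPI {spi} outside usable 32-bit range")
        if end.inbound_spi == end.outbound_spi:
            problems.append("Manual: inbound and outbound SPI must differ")
    else:
        problems.append(f"unknown keying mode {end.keying_mode}")
    return problems


def check_pair(local, remote):
    """Mismatches between the two ends of one tunnel (the 'both sides must match' notes)."""
    mismatches = []
    if local.keying_mode != remote.keying_mode:
        mismatches.append("keying mode differs")
    for name, a, b in (("Phase 1", local.phase1, remote.phase1), ("Phase 2", local.phase2, remote.phase2)):
        for attr in ("encryption", "authentication", "dh_group"):
            if getattr(a, attr) != getattr(b, attr):
                mismatches.append(f"{name}: {attr} differs ({getattr(a, attr)} vs {getattr(b, attr)})")
    if local.pfs != remote.pfs:
        mismatches.append("PFS setting differs")
    if local.keying_mode == "IKE":
        # Constant-time compare: the PSK is a secret even when checked from a script.
        if not hmac.compare_digest(local.preshared_key.encode(), remote.preshared_key.encode()):
            mismatches.append("preshared keys differ")
    else:
        # Local inbound SPI must equal the peer's outbound SPI, and vice versa.
        if local.inbound_spi != remote.outbound_spi or local.outbound_spi != remote.inbound_spi:
            mismatches.append("inbound SPI must equal the peer's outbound SPI and vice versa")
        if local.encryption_key != remote.encryption_key or local.authentication_key != remote.authentication_key:
            mismatches.append("manual keys differ")
    return mismatches
```

Run check_end on each side first, then check_pair on the two, and fix every reported item before clicking Save; a mismatch in any of these fields is the usual reason a tunnel never comes up.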
IPSec VPN Status
Step 1. Log in to the web configuration utility, choose VPN > IPSec VPN. The IPSec VPN page opens:
Note: Please make sure a VPN Tunnel is created. Refer to article IPSec VPN Local and Remote Group Setup on WRVS4400N Router on how to do this.
Step 2. Click Advanced. It displays two more options.
• Aggressive mode — Aggressive Mode squeezes the IKE SA negotiation into three packets, with all data required for the SA passed by the initiator. The responder sends the proposal, key material and ID, and authenticates the session in the next packet. The initiator replies by authenticating the session. Negotiation is quicker, but the initiator and responder IDs pass in the clear, and with preshared-key authentication the responder's authentication hash is sent before the channel is encrypted, so a captured exchange can be used for an offline dictionary attack on the PSK. Leave it off unless the peer requires it, and never combine it with a short or guessable PSK.
• NetBios Broadcast — NetBIOS broadcasts a Name Query packet to the local network on UDP port 137. Every computer on the local subnet processes the broadcast packet. If a computer on the network is configured for the NetBIOS over TCP/IP (NetBT) protocol, the NetBIOS module in the computer receives the broadcast.
Step 3. Click the desired button.
• Connect — Establishes the connection for the current VPN tunnel.
• Disconnect — Breaks the connection for the current VPN tunnel.
• View Log — It displays VPN logs and the details of each tunnel established.
Step 4. Click Save, to save all the changes.
Introduction
Cisco IOS® Software Release 12.3(2)T introduced the functionality that allows the router to encrypt the ISAKMP pre-shared key in secure type 6 format in nonvolatile RAM (NVRAM). The pre-shared key to be encrypted can be configured either as standard, under an ISAKMP key ring, in aggressive mode, or as the group password under an EzVPN server or client setup. This sample configuration details how to set up encryption of both existing and new pre-shared keys.
Prerequisites
Requirements
There are no specific requirements for this document.
Components Used
The information in this document is based on this software version:
Cisco IOS Software Release 12.3(2)T
The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.
Conventions
Refer to the Cisco Technical Tips Conventions for more information on document conventions.
Configure
This section presents you with the information you can use to configure the features this document describes.
Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.
These two new commands are introduced in order to enable pre-shared key encryption:
key config-key password-encryption [master key]
password encryption aes
The [master key] is the password/key used to encrypt all other keys in the router configuration with the Advanced Encryption Standard (AES) symmetric cipher. The master key is not stored in the router configuration and cannot be seen or obtained in any way while connected to the router.
Once configured, the master key is used to encrypt any existing or new keys in the router configuration. If the [master key] is not specified on the command line, the router prompts the user to enter the key and to re-enter it for verification. If a key already exists, the user is prompted to enter the old key first. Keys are not encrypted until you issue the password encryption aes command.
The master key can be changed (although this should not be necessary unless the key has been compromised in some way) by issuing the key config-key ... command again with the new [master key]. Any existing encrypted keys in the router configuration are re-encrypted with the new key.
You can delete the master key with no key config-key .... However, this renders all currently configured type 6 keys in the router configuration useless (a warning message explains this and asks you to confirm the deletion). Since the master key no longer exists, the type 6 passwords cannot be decrypted and used by the router. Record the master key in a secrets store before you rely on it: a configuration backup that contains type 6 keys can only be restored to a router that holds the same master key.
Note: For security reasons, neither the removal of the master key nor the removal of the password encryption aes command converts the passwords in the router configuration back to cleartext. Once passwords are encrypted, they stay encrypted. Existing encrypted keys in the configuration can still be decrypted and used by the router provided the master key is not removed.
Additionally, in order to see debug-type messages of password encryption functions, use the password logging command in configuration mode.
Configurations
This document uses these configurations on the router:
• Encrypt the Existing Pre-shared Key
• Add a New Master Key Interactively
• Modify the Existing Master Key Interactively
• Delete the Master Key
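An added example, not part of the Cisco document: a small Python audit over a saved running configuration that classifies each pre-shared key as type 6 (encrypted) or cleartext and checks whether password encryption aes is present. It covers the three places the document names, a standard crypto isakmp key, an ISAKMP keyring, and the group password under an EzVPN server configuration (crypto isakmp client configuration group). The configuration excerpt is constructed for the example; the type 6 ciphertext strings in it are placeholders, not real router output.

```python
import re
from dataclasses import dataclass

# Constructed sample of a running-config excerpt (not from a real device).
# Two pre-shared keys are still cleartext; one ISAKMP key, one keyring entry
# and one EzVPN group password have already been converted to type 6
# (the type 6 blobs are placeholder strings).
SAMPLE_CONFIG = """\
!
password encryption aes
!
crypto keyring BRANCH
  pre-shared-key address 192.0.2.10 key br4nch-secret
  pre-shared-key address 198.51.100.0 255.255.255.0 key 6 dKEQdLZLKZgBSgWGgBbgbbfXAAB
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 14
crypto isakmp key 6 AbCKNMgKJEMDFSVTBYONJDTEEhe address 203.0.113.5
crypto isakmp key plaintext-psk address 203.0.113.6
crypto isakmp client configuration group REMOTE
 key 6 RWMbbPeDIMDbaLeEANSSYKIZdEW
 pool EZVPN-POOL
crypto isakmp client configuration group CONTRACTORS
 key C0ntract0r!
 pool EZVPN-POOL
!
"""


@dataclass
class PskFinding:
    kind: str        # "isakmp", "keyring" or "ezvpn-group"
    scope: str       # peer address/hostname, or the group name
    encrypted: bool  # True when the key is stored as type 6
    line_no: int


# Type indicator 0 marks explicit cleartext and 7 is reversible obfuscation;
# only 6 counts as encrypted. (A cleartext key that is literally "0", "6" or
# "7" would be misread; acceptable for an audit script.)
ISAKMP_KEY = re.compile(
    r"^crypto isakmp key\s+(?:(?P<type>[067])\s+)?(?P<key>\S+)\s+(?:address|hostname)\s+(?P<peer>\S+)")
KEYRING_KEY = re.compile(
    r"^\s+pre-shared-key\s+(?:address|hostname)\s+(?P<peer>\S+)"
    r"(?:\s+(?!key\b)\S+)?\s+key\s+(?:(?P<type>[067])\s+)?(?P<key>\S+)")
GROUP_HDR = re.compile(r"^crypto isakmp client configuration group\s+(?P<name>\S+)")
GROUP_KEY = re.compile(r"^\s+key\s+(?:(?P<type>[067])\s+)?(?P<key>\S+)\s*$")


def audit_psks(config_text):
    """Return (password_encryption_aes_present, [PskFinding, ...])."""
    findings = []
    aes_enabled = False
    current_group = None
    for n, line in enumerate(config_text.splitlines(), 1):
        if not line.startswith(" "):
            # Any top-level command ends an EzVPN group block.
            m = GROUP_HDR.match(line)
            current_group = m.group("name") if m else None
        if line.strip() == "password encryption aes":
            aes_enabled = True
            continue
        m = ISAKMP_KEY.match(line)
        if m:
            findings.append(PskFinding("isakmp", m.group("peer"), m.group("type") == "6", n))
            continue
        m = KEYRING_KEY.match(line)
        if m:
            findings.append(PskFinding("keyring", m.group("peer"), m.group("type") == "6", n))
            continue
        if current_group:
            m = GROUP_KEY.match(line)
            if m:
                findings.append(PskFinding("ezvpn-group", current_group, m.group("type") == "6", n))
    return aes_enabled, findings


def cleartext_psks(config_text):
    """(kind, scope) for every PSK that would be readable in a config backup."""
    return [(f.kind, f.scope) for f in audit_psks(config_text)[1] if not f.encrypted]


def summary(config_text):
    aes_enabled, findings = audit_psks(config_text)
    return {
        "password_encryption_aes": aes_enabled,
        "total": len(findings),
        "cleartext": sum(1 for f in findings if not f.encrypted),
    }


if __name__ == "__main__":
    print(summary(SAMPLE_CONFIG))
    for kind, scope in cleartext_psks(SAMPLE_CONFIG):
        print(f"cleartext PSK: {kind} {scope}")
```

Any cleartext finding on a router that already shows password encryption aes means the key was added before the master key existed or the command was issued; re-entering it is enough, since the script can only classify the keys and, as the document says, nothing can decrypt a type 6 value without the master key.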
Verify
There is currently no verification procedure available for this configuration. A practical check is to examine the key lines in the running configuration: a converted key appears with the type indicator 6 in front of the ciphertext, while a key still shown in clear has not been encrypted.
Troubleshoot
There is currently no specific troubleshooting information available for this configuration.