One of the ways to configure authentication between two Cisco ASA firewalls having a site-to-site IPSec VPN tunnel between them is to configure a pre-shared key under the tunnel group attributes. This is actually the most common implementation of IPSEC lan-to-lan authentication that you will find in most real life networks.
The pre-shared key must be the same on both IPSEC VPN devices between which the secure tunnel is created. To configure the pre-shared key on a Cisco ASA:
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key key123
Now, after configuring the pre-shared key, it is stored as encrypted hash on the ASA appliance and therefore when you view the running configuration (show run) you don’t see the actual clear text key anymore (i.e instead of “key123” you will see “*”).
Ciscoasa# show run
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key *
The problem arises when you forget the pre-shared key after a few months and you want to change one of the VPN tunnels. This situation happened to me recently when I had to change the public IP address on one of the ASA sites which had a Lan-to-Lan tunnel with a second ASA. Therefore I had to reconfigure the tunnel group and re-enter the old pre-shared key. However, I did not have it stored in clear text anywhere. The way to recover the pre-shared key is actually simple. Use the more system:running-config command. This command shows the pre-shared key in clear text format:
Ciscoasa# more system:running-config
…..
…..
tunnel-group 1.1.1.1 ipsec-attributes
pre-shared-key key123
Related Posts
- What is Cisco ASA Firewall – All you need to Know
- Traffic Rate and Bandwidth Limiting on Cisco ASA Firewall
- Cisco ASA Firewall (5500 and 5500-X) Security Levels Explained
- Cisco ASA 5505-5510-5520-5540-5550-5580 Performance Throughput and Specs
- Password Recovery for the Cisco ASA 5500 Firewall (5505,5510,5520 etc)