have PIX with VPN, need to obtain isakmp key

Discussion in 'Cisco' started by barretech@hotmail.com, Jun 17, 2008.

  1. Guest

    Hello. We have a PIX 506e (6.3.5) and site to site VPN and if
    possible we need to get the existing isakmp key from the PIX. The key
    which was used to secure the VPN. We have physical access to the PIX
    but when we run "show run" it only shows ******* as the isakmp VPN
    key. How can we get this info? We purchased a second PIX for a backup
    and we are going to put the existing config in place so we can have a
    spare. Thanks in advance for any help
     
    , Jun 17, 2008
    #1

  2. Guest

    I just checked and the PDM does not provide the unencrypted info.
    Maybe if we use TFTP to copy the startup config to a server that will
    do it?

    On Jun 17, 3:13 pm, wrote:
    > Hello . We have a PIX 506e (6.3.5) and site to site VPN and if
    > possible we need to get the existing isakmp key from the PIX. The key
    > which was used to secure the VPN. We have physical access to the  PIX
    > but when we run "show run" it only shows ******* as the isakmp VPN
    > key. How can we get this info? We purchased a second PIX for a backup
    > and we are going to put the existing config in place so we can have a
    > spare.  Thanks in advance for any help
     
    , Jun 17, 2008
    #2

  3. Guest

    I found the answer in the "write net" command. Thanks anyway for
    thinking to help and read.



    On Jun 17, 3:25 pm, wrote:
    > I just checked and the PDM does not provide the unencrypted info.
    > Maybe if we use TFTP to copy the startup config to a server that will
    > do it?
    >
    > On Jun 17, 3:13 pm, wrote:
    >
    >
    >
    > > Hello . We have a PIX 506e (6.3.5) and site to site VPN and if
    > > possible we need to get the existing isakmp key from the PIX. The key
    > > which was used to secure the VPN. We have physical access to the  PIX
    > > but when we run "show run" it only shows ******* as the isakmp VPN
    > > key. How can we get this info? We purchased a second PIX for a backup
    > > and we are going to put the existing config in place so we can have a
    > > spare.  Thanks in advance for any help
     
    , Jun 17, 2008
    #3
  4. News Reader Guest

    wrote:
    > I found the answer in the "write net" command. Thanks anyway for
    > thinking to help and read.
    >
    >
    >
    > On Jun 17, 3:25 pm, wrote:
    >> I just checked and the PDM does not provide the unencrypted info.
    >> Maybe if we use TFTP to copy the startup config to a server that will
    >> do it?
    >>
    >> On Jun 17, 3:13 pm, wrote:
    >>
    >>
    >>
    >>> Hello . We have a PIX 506e (6.3.5) and site to site VPN and if
    >>> possible we need to get the existing isakmp key from the PIX. The key
    >>> which was used to secure the VPN. We have physical access to the PIX
    >>> but when we run "show run" it only shows ******* as the isakmp VPN
    >>> key. How can we get this info? We purchased a second PIX for a backup
    >>> and we are going to put the existing config in place so we can have a
    >>> spare. Thanks in advance for any help


    You've not clearly stated whether you are referring to the RSA keys used
    when "rsa-encr" is specified in ISAKMP policy, or whether you are
    referring to a pre-shared key.

    If you are referring to the RSA keys, I suspect the "private" key will
    NOT be stored in the configuration, and the pre-existing keys may not be
    exportable (you'd have to look into it).

    I don't think copying the configuration to your new device will create
    the swappable scenario you envision, unless you are referring to a
    pre-shared key.

    Hence, the need to be specific.

    Best Regards,
    News Reader
     
    News Reader, Jun 17, 2008
    #4
  5. Guest

    Thanks for your time. As I posted previously, we got it.

    It appears that the last time this was successfully done to create a
    backup PIX we had used the write net command, so we had the pre-shared
    key and the pre-shared VPN key on a different TFTP server. I just
    didn't have it handy here and didn't know how we got it out last
    time.

    To your point, I was writing of the line in the config that says
    "isakmp key ********". That is the pre-shared key.

    I bet we don't use the RSA statement you mentioned since I see no
    reference to it anywhere.



    On Jun 17, 5:02 pm, News Reader <> wrote:
    > wrote:
    > > I found the answer in the "write net" command. Thanks anyway for
    > > thinking to help and read.

    >
    > > On Jun 17, 3:25 pm, wrote:
    > >> I just checked and the PDM does not provide the unencrypted info.
    > >> Maybe if we use TFTP to copy the startup config to a server that will
    > >> do it?

    >
    > >> On Jun 17, 3:13 pm, wrote:

    >
    > >>> Hello . We have a PIX 506e (6.3.5) and site to site VPN and if
    > >>> possible we need to get the existing isakmp key from the PIX. The key
    > >>> which was used to secure the VPN. We have physical access to the  PIX
    > >>> but when we run "show run" it only shows ******* as the isakmp VPN
    > >>> key. How can we get this info? We purchased a second PIX for a backup
    > >>> and we are going to put the existing config in place so we can have a
    > >>> spare.  Thanks in advance for any help

    >
    > You've not clearly stated whether you are referring to the RSA keys used
    > when "rsa-encr" is specified in ISAKMP policy, or whether you are
    > referring to a pre-shared key.
    >
    > If you are referring to the RSA keys, I suspect the "private" key will
    > NOT be stored in the configuration, and the pre-existing keys may not be
    > exportable (you'd have to look into it).
    >
    > I don't think copying the configuration to your new device will create
    > the swappable scenario you envision, unless you are referring to a
    > pre-shared key.
    >
    > Hence, the need to be specific.
    >
    > Best Regards,
    > News Reader
     
    , Jun 18, 2008
    #5
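
Added example, not part of any poster's message: the thread establishes that a configuration saved with "write net" keeps the pre-shared key in clear text on the TFTP server, so this Python check flags and masks `isakmp key` lines in saved copies without echoing the key in its report. The sample configuration, hostname and key value are constructed, and the `address ... netmask ...` tail of the line is an assumption about the PIX 6.x statement layout.

```python
import re

# PIX 6.x pre-shared key statement (layout assumed), e.g.
#   isakmp key <secret> address 192.0.2.10 netmask 255.255.255.255
ISAKMP_KEY = re.compile(r"^(\s*isakmp\s+key\s+)(\S+)(.*)$", re.IGNORECASE)


def audit_config(text):
    """Return (redacted_text, findings) for one saved configuration.

    findings holds (line_number, rest_of_line) for every isakmp key line
    whose key field is not already masked with asterisks. The key itself
    is deliberately left out of the findings so the report is safe to share.
    """
    redacted, findings = [], []
    for number, line in enumerate(text.splitlines(), start=1):
        match = ISAKMP_KEY.match(line)
        if match and set(match.group(2)) != {"*"}:
            findings.append((number, match.group(3).strip()))
            line = match.group(1) + "********" + match.group(3)
        redacted.append(line)
    return "\n".join(redacted), findings


# Constructed sample of a copy saved to a TFTP server (not a real key).
SAMPLE_BACKUP = """\
hostname pix-spare
isakmp enable outside
isakmp key ExampleOnly-NotAReal-Key address 192.0.2.10 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
"""

# The same configuration as "show run" displays it, with the key masked.
SAMPLE_SHOW_RUN = SAMPLE_BACKUP.replace("ExampleOnly-NotAReal-Key", "********")

if __name__ == "__main__":
    for name, text in (("tftp copy", SAMPLE_BACKUP), ("show run", SAMPLE_SHOW_RUN)):
        _, findings = audit_config(text)
        print(f"{name}: {len(findings)} clear-text key line(s) {findings}")
```
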
  6. Al Guest

    On Jun 18, 12:15 pm, wrote:
    > Thanks for your time. As I posted previously, we got it.
    >
    > It appears that the last time this was successfully done to create a
    > backup PIX we had used the write net command, so we had the pre-shared
    > key and the pre-shared VPN key on a different TFTP server. I just
    > didn't have it handy here and didn't know how we got it out last
    > time.
    >
    > To your point, I was writing of the line in the config that says
    > "isakmp key ********" . That is the pre-shared key.
    >
    > I bet we don't use the RSA statement you mentioned since I see no
    > reference to it anywhere.
    >
    > On Jun 17, 5:02 pm, News Reader <> wrote:
    >
    > > wrote:
    > > > I found the answer in the "write net" command. Thanks anyway for
    > > > thinking to help and read.

    >
    > > > On Jun 17, 3:25 pm, wrote:
    > > >> I just checked and the PDM does not provide the unencrypted info.
    > > >> Maybe if we use TFTP to copy the startup config to a server that will
    > > >> do it?

    >
    > > >> On Jun 17, 3:13 pm, wrote:

    >
    > > >>> Hello . We have a PIX 506e (6.3.5) and site to site VPN and if
    > > >>> possible we need to get the existing isakmp key from the PIX. The key
    > > >>> which was used to secure the VPN. We have physical access to the PIX
    > > >>> but when we run "show run" it only shows ******* as the isakmp VPN
    > > >>> key. How can we get this info? We purchased a second PIX for a backup
    > > >>> and we are going to put the existing config in place so we can have a
    > > >>> spare. Thanks in advance for any help

    >
    > > You've not clearly stated whether you are referring to the RSA keys used
    > > when "rsa-encr" is specified in ISAKMP policy, or whether you are
    > > referring to a pre-shared key.

    >
    > > If you are referring to the RSA keys, I suspect the "private" key will
    > > NOT be stored in the configuration, and the pre-existing keys may not be
    > > exportable (you'd have to look into it).

    >
    > > I don't think copying the configuration to your new device will create
    > > the swappable scenario you envision, unless you are referring to a
    > > pre-shared key.

    >
    > > Hence, the need to be specific.

    >
    > > Best Regards,
    > > News Reader


    I know it is slightly irrelevant now the OP has the info he was after,
    but I have recently used:

    more system:running-config

    to display keys in clear-text. Admittedly, it was an ASA running v7 OS
    so I don't know if it will work on a PIX506 & I don't currently have
    access to test.

    HTH.
     
    Al, Jun 19, 2008
    #6
  7. Guest

    On Jun 20, 12:42 am, "Tosh" <> wrote:
    > > more system:running-config

    >
    > On pix 6.x releases it seems to not work, at least 6.3(5).
    > Bye,
    >        Tosh.



    Yeah, that command is ASA-specific. One of the greatest improvements
    ever. Thanks for mentioning it. Good info.
     
    , Jul 10, 2008
    #7
