Posted by on June 17, 2008, 3:13 pm
Hello. We have a PIX 506e (6.3.5) and site to site VPN and if possible we need to get the existing isakmp key from the PIX. The key which was used to secure the VPN. We have physical access to the PIX but when we run "show run" it only shows ******* as the isakmp VPN key. How can we get this info? We purchased a second PIX for a backup and we are going to put the existing config in place so we can have a spare. Thanks in advance for any help

Posted by on June 17, 2008, 3:25 pm
I just checked and the PDM does not provide the unencrypted info. Maybe if we use TFTP to copy the startup config to a server that will do it?

Posted by on June 17, 2008, 4:10 pm
I found the answer in the "write net" command. Thanks anyway for thinking to help and read.

Posted by News Reader on June 17, 2008, 5:02 pm
barretech@hotmail.com wrote:
> I found the answer in the "write net" command. Thanks anyway for
> thinking to help and read.
>
> On Jun 17, 3:25 pm, barret...@hotmail.com wrote:
>> I just checked and the PDM does not provide the unencrypted info.
>> Maybe if we use TFTP to copy the startup config to a server that will
>> do it?
>>
>> On Jun 17, 3:13 pm, barret...@hotmail.com wrote:
>>> Hello. We have a PIX 506e (6.3.5) and site to site VPN and if
>>> possible we need to get the existing isakmp key from the PIX. The key
>>> which was used to secure the VPN. We have physical access to the PIX
>>> but when we run "show run" it only shows ******* as the isakmp VPN
>>> key. How can we get this info? We purchased a second PIX for a backup
>>> and we are going to put the existing config in place so we can have a
>>> spare. Thanks in advance for any help

You've not clearly stated whether you are referring to the RSA keys used when "rsa-encr" is specified in ISAKMP policy, or whether you are referring to a pre-shared key.

If you are referring to the RSA keys, I suspect the "private" key will NOT be stored in the configuration, and the pre-existing keys may not be exportable (you'd have to look into it).

I don't think copying the configuration to your new device will create the swappable scenario you envision, unless you are referring to a pre-shared key.

Hence, the need to be specific.

Best Regards,
News Reader

Posted by on June 18, 2008, 7:15 am
Thanks for your time. As I posted previously, we got it.

It appears that the last time this was successfully done to create a backup PIX we had used the write net command, so we had the pre-shared key and the pre-shared VPN key on a different TFTP server. I just didn't have it handy here and didn't know how we got it out last time. To your point, I was writing of the line in the config that says "isakmp key ********". That is the pre-shared key. I bet we don't use the RSA statement you mentioned since I see no reference to it anywhere.
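
An added example, not part of the thread: because a "write net" copy sitting on a TFTP server holds the pre-shared key in readable form, this Python code audits saved PIX configs for unmasked `isakmp key` lines, reports the peer and line number without echoing the key, and returns a redacted copy. The regex assumes the PIX 6.x form `isakmp key <key> address <peer> ...`; the function names and the sample config are constructed for illustration.

```python
import os
import re
import stat

# PIX 6.x pre-shared key line. "show run" masks the key with asterisks;
# a copy saved with "write net" carries the key itself.
ISAKMP_KEY = re.compile(
    r"^(?P<head>\s*isakmp\s+key\s+)(?P<key>\S+)"
    r"(?P<tail>\s+address\s+(?P<peer>\S+).*)$"
)

def audit_config(text):
    """Return (redacted_text, findings) for one saved PIX configuration."""
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = ISAKMP_KEY.match(line)
        if m and set(m.group("key")) != {"*"}:
            # Record where the key is, never the key itself.
            findings.append({"line": lineno, "peer": m.group("peer"),
                             "key_length": len(m.group("key"))})
            line = m.group("head") + "********" + m.group("tail")
        out.append(line)
    return "\n".join(out) + "\n", findings

def audit_file(path):
    """Audit a saved config on disk; also flag group/other-readable files."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        _, findings = audit_config(fh.read())
    mode = os.stat(path).st_mode
    exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
    return {"path": path, "cleartext_keys": findings, "readable_by_others": exposed}

# Constructed sample, not taken from any real device.
SAMPLE = """\
PIX Version 6.3(5)
hostname pix-primary
isakmp enable outside
isakmp key ExampleKey-NotReal address 192.0.2.10 netmask 255.255.255.255
isakmp key ******** address 198.51.100.7 netmask 255.255.255.255
isakmp identity address
isakmp policy 10 authentication pre-share
"""

if __name__ == "__main__":
    redacted, found = audit_config(SAMPLE)
    print(found)
    print(redacted)
```
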

have PIX with VPN, need to obtain isakmp key