have PIX with VPN, need to obtain isakmp key

Hello. We have a PIX 506e (6.3.5) and a site-to-site VPN, and if possible we need to get the existing isakmp key from the PIX, the key which was used to secure the VPN. We have physical access to the PIX, but when we run "show run" it only shows ******* as the isakmp VPN key. How can we get this info? We purchased a second PIX for a backup and we are going to put the existing config in place so we can have a spare. Thanks in advance for any help.

barretech

I found the answer in the "write net" command. Thanks anyway for thinking to help and read.

barretech

You've not clearly stated whether you are referring to the RSA keys used when "rsa-encr" is specified in ISAKMP policy, or whether you are referring to a pre-shared key.

If you are referring to the RSA keys, I suspect the "private" key will NOT be stored in the configuration, and the pre-existing keys may not be exportable (you'd have to look into it).

I don't think copying the configuration to your new device will create the swappable scenario you envision, unless you are referring to a pre-shared key.

Hence, the need to be specific.

Best Regards, News Reader

News Reader

Thanks for your time. As I posted previously, we got it.

It appears that the last time this was successfully done to create a backup PIX we had used the write net command, so we had the pre-shared key and the pre-shared VPN key on a different TFTP server. I just didn't have it handy here and didn't know how we got it out last time.

To your point, I was writing of the line in the config that says "isakmp key ********". That is the pre-shared key.

I bet we don't use the RSA statement you mentioned since I see no reference to it anywhere.

barretech
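A "write net" backup lands on the TFTP server with the pre-shared key in clear text, which is exactly why such backups need auditing before they are kept around. Added example, not code from the thread or from Cisco: a small Python check that scans a PIX-style config for isakmp key lines and reports, per peer, whether the key is masked (as in "show run") or exposed (as in a "write net" copy), without echoing the key itself. The sample config, peer addresses and key are constructed.

```python
import re
from typing import Dict, List

# Constructed sample mixing a masked line (as "show run" prints it) with a
# clear-text line (as a "write net" backup on TFTP would contain). The peers
# and the key are made up for this example.
SAMPLE_CONFIG = """\
isakmp enable outside
isakmp key ******** address 198.51.100.7 netmask 255.255.255.255
isakmp key Sup3rS3cret! address 203.0.113.9 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
"""

# PIX 6.x syntax: isakmp key <key> address <peer> netmask <mask>
ISAKMP_KEY_RE = re.compile(
    r"^\s*isakmp key (?P<key>\S+) address (?P<peer>\S+) netmask (?P<mask>\S+)"
)


def audit_isakmp_keys(config_text: str) -> List[Dict[str, object]]:
    """One finding per isakmp key line: line number, peer, and whether the
    key is masked or in clear text. The key value is never returned in full,
    only a short redacted preview, so the report itself is safe to store."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = ISAKMP_KEY_RE.match(line)
        if not m:
            continue
        key = m.group("key")
        masked = set(key) == {"*"}          # "********" as shown by "show run"
        preview = "********" if masked else key[:2] + "...(%d chars)" % len(key)
        findings.append({
            "line": lineno,
            "peer": m.group("peer"),
            "state": "masked" if masked else "cleartext",
            "key_preview": preview,
        })
    return findings


def cleartext_peers(config_text: str) -> List[str]:
    """Peers whose pre-shared key is exposed in this config copy."""
    return [str(f["peer"]) for f in audit_isakmp_keys(config_text)
            if f["state"] == "cleartext"]
```

Run it over every config copy pulled off the TFTP server; any non-empty result means that file needs the same handling as the key itself.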

I know it is slightly irrelevant now the OP has the info he was after, but I have recently used:

more system:running-config

to display keys in clear-text. Admittedly, it was an ASA running v7 OS so I don't know if it will work on a PIX506 & I don't currently have access to test.

HTH.

Al

On pix 6.x releases it seems to not work, at least 6.3(5). Bye, Tosh.

Tosh

Yeah, that command is ASA-specific. One of the greatest improvements ever. Thanks for mentioning it. Good info.

barretech

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.