have PIX with VPN, need to obtain isakmp key

Subject Author Date
have PIX with VPN, need to obtain isakmp key barretech 06-17-2008
Posted by on June 17, 2008, 3:13 pm
Hello. We have a PIX 506e (6.3.5) and site to site VPN and if
possible we need to get the existing isakmp key from the PIX. The key
which was used to secure the VPN. We have physical access to the PIX
but when we run "show run" it only shows ******* as the isakmp VPN
key. How can we get this info? We purchased a second PIX for a backup
and we are going to put the existing config in place so we can have a
spare. Thanks in advance for any help

Posted by on June 17, 2008, 3:25 pm
I just checked and the PDM does not provide the unencrypted info.
Maybe if we use TFTP to copy the startup config to a server that will
do it?

On Jun 17, 3:13 pm, barret...@hotmail.com wrote:
> Hello. We have a PIX 506e (6.3.5) and site to site VPN and if
> possible we need to get the existing isakmp key from the PIX. The key
> which was used to secure the VPN. We have physical access to the PIX
> but when we run "show run" it only shows ******* as the isakmp VPN
> key. How can we get this info? We purchased a second PIX for a backup
> and we are going to put the existing config in place so we can have a
> spare. Thanks in advance for any help


Posted by on June 17, 2008, 4:10 pm
I found the answer in the "write net" command. Thanks anyway for
thinking to help and read.



On Jun 17, 3:25 pm, barret...@hotmail.com wrote:
> I just checked and the PDM does not provide the unencrypted info.
> Maybe if we use TFTP to copy the startup config to a server that will
> do it?
>
> On Jun 17, 3:13 pm, barret...@hotmail.com wrote:
>
> > Hello. We have a PIX 506e (6.3.5) and site to site VPN and if
> > possible we need to get the existing isakmp key from the PIX. The key
> > which was used to secure the VPN. We have physical access to the PIX
> > but when we run "show run" it only shows ******* as the isakmp VPN
> > key. How can we get this info? We purchased a second PIX for a backup
> > and we are going to put the existing config in place so we can have a
> > spare. Thanks in advance for any help


Posted by News Reader on June 17, 2008, 5:02 pm
barretech@hotmail.com wrote:
> I found the answer in the "write net" command. Thanks anyway for
> thinking to help and read.
>
>
>
> On Jun 17, 3:25 pm, barret...@hotmail.com wrote:
>> I just checked and the PDM does not provide the unencrypted info.
>> Maybe if we use TFTP to copy the startup config to a server that will
>> do it?
>>
>> On Jun 17, 3:13 pm, barret...@hotmail.com wrote:
>>
>>
>>
>>> Hello. We have a PIX 506e (6.3.5) and site to site VPN and if
>>> possible we need to get the existing isakmp key from the PIX. The key
>>> which was used to secure the VPN. We have physical access to the PIX
>>> but when we run "show run" it only shows ******* as the isakmp VPN
>>> key. How can we get this info? We purchased a second PIX for a backup
>>> and we are going to put the existing config in place so we can have a
>>> spare. Thanks in advance for any help
>

You've not clearly stated whether you are referring to the RSA keys used
when "rsa-encr" is specified in ISAKMP policy, or whether you are
referring to a pre-shared key.

If you are referring to the RSA keys, I suspect the "private" key will
NOT be stored in the configuration, and the pre-existing keys may not be
exportable (you'd have to look into it).

I don't think copying the configuration to your new device will create
the swappable scenario you envision, unless you are referring to a
pre-shared key.

Hence, the need to be specific.

Best Regards,
News Reader

Posted by on June 18, 2008, 7:15 am
Thanks for your time. As I posted previously, we got it.

It appears that the last time this was successfully done to create a
backup PIX we had used the write net command, so we had the pre-shared
key and the pre-shared VPN key on a different TFTP server. I just
didn't have it handy here and didn't know how we got it out last
time.

To your point, I was writing of the line in the config that says
"isakmp key ********" . That is the pre-shared key.

I bet we don't use the RSA statement you mentioned since I see no
reference to it anywhere.



> barret...@hotmail.com wrote:
> > I found the answer in the "write net" command. Thanks anyway for
> > thinking to help and read.
>
> > On Jun 17, 3:25 pm, barret...@hotmail.com wrote:
> >> I just checked and the PDM does not provide the unencrypted info.
> >> Maybe if we use TFTP to copy the startup config to a server that will
> >> do it?
>
> >> On Jun 17, 3:13 pm, barret...@hotmail.com wrote:
>
> >>> Hello. We have a PIX 506e (6.3.5) and site to site VPN and if
> >>> possible we need to get the existing isakmp key from the PIX. The key
> >>> which was used to secure the VPN. We have physical access to the PIX
> >>> but when we run "show run" it only shows ******* as the isakmp VPN
> >>> key. How can we get this info? We purchased a second PIX for a backup
> >>> and we are going to put the existing config in place so we can have a
> >>> spare. Thanks in advance for any help
>
> You've not clearly stated whether you are referring to the RSA keys used
> when "rsa-encr" is specified in ISAKMP policy, or whether you are
> referring to a pre-shared key.
>
> If you are referring to the RSA keys, I suspect the "private" key will
> NOT be stored in the configuration, and the pre-existing keys may not be
> exportable (you'd have to look into it).
>
> I don't think copying the configuration to your new device will create
> the swappable scenario you envision, unless you are referring to a
> pre-shared key.
>
> Hence, the need to be specific.
>
> Best Regards,
> News Reader
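
As the thread concludes, a configuration saved with "write net" carries the pre-shared key in readable form on the TFTP server, while "show run" output shows only asterisks. The following is an added example, not part of the original thread: it audits saved configuration text for unmasked key lines and produces a redacted copy. It assumes the PIX 6.x line form `isakmp key <secret> address <peer>`; the function name, sample configurations and key are constructed for illustration.

```python
import re

# Assumed PIX 6.x form: isakmp key <secret> address <peer> [netmask <mask>] ...
PSK_RE = re.compile(r"^(\s*isakmp\s+key\s+)(\S+)(\s+address\s+(\S+).*)$", re.IGNORECASE)
MASK_RE = re.compile(r"^\*+$")  # the asterisks "show run" prints in place of the key


def audit_config(text):
    """Return (findings, redacted_text) for one saved configuration.

    findings lists (line_number, peer_address) for every isakmp key line
    whose secret is present in cleartext rather than masked.
    """
    findings, out = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = PSK_RE.match(line)
        if m and not MASK_RE.match(m.group(2)):
            findings.append((lineno, m.group(4)))
            # Keep the line structure, drop only the secret.
            line = m.group(1) + "<removed>" + m.group(3)
        out.append(line)
    return findings, "\n".join(out) + "\n"


# Constructed sample inputs (documentation address range, made-up key).
SHOW_RUN_COPY = """\
isakmp enable outside
isakmp key ******** address 192.0.2.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
"""
WRITE_NET_COPY = """\
isakmp enable outside
isakmp key ExampleKey123 address 192.0.2.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
"""

if __name__ == "__main__":
    samples = (("show run copy", SHOW_RUN_COPY), ("write net copy", WRITE_NET_COPY))
    for name, cfg in samples:
        findings, _redacted = audit_config(cfg)
        for lineno, peer in findings:
            print(f"{name}: line {lineno}: cleartext pre-shared key for peer {peer}")
        if not findings:
            print(f"{name}: no cleartext pre-shared key lines")
```

Run over the files kept on a TFTP or backup server, the findings show which saved configurations need restricted storage, and the redacted text is what can be shared in tickets or forum posts.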

