Friday, April 16, 2010

Cisco ASA - how to see your pre-shared-key

One of the annoying things about managing pre-shared keys for both site to site vpn tunnels and group pre-shared keys for client vpn tunnels is the fact that if you do a show run they are starred out (*) in the configuration file.

So you will see something like:
pre-shared-key *

If you need to recover back your keys because you have lots of folks running around with Cisco IPSec VPN clients with a standard PCF file and you can't remember what the group pre-shared-key is or don't have it documented you can do the following command.

more system:running-config

This will output your running-config file with the pre-shared-key variable in clear text.

Obviously this is useful for site to site keys also because you might have a tunnel set up with a third party vendor or a partner and you can't remember the key at all because you made it up on the fly with the other network engineer on the phone (That never happens... really.)

This will NOT show you the enable or passwd values because those are actually encrypted. You will have to use other tools to break those or do a standard password recovery process.
- Ed

3 comments:

Dali Zooma said...
This comment has been removed by a blog administrator.
Anonymous said...

This was very helpful.
Thanks.
Hashknife

Anonymous said...

Thank you, thank you. This saved me the work of having to re-build on both ASA's!!