From: barretech on 17 Jun 2008 15:13

Hello. We have a PIX 506e (6.3.5) and site to site VPN and if possible we need to get the existing isakmp key from the PIX. The key which was used to secure the VPN. We have physical access to the PIX but when we run "show run" it only shows ******* as the isakmp VPN key. How can we get this info? We purchased a second PIX for a backup and we are going to put the existing config in place so we can have a spare. Thanks in advance for any help

From: barretech on 17 Jun 2008 15:25

I just checked and the PDM does not provide the unencrypted info. Maybe if we use TFTP to copy the startup config to a server that will do it?

On Jun 17, 3:13 pm, barret...(a)hotmail.com wrote:
> Hello. We have a PIX 506e (6.3.5) and site to site VPN and if
> possible we need to get the existing isakmp key from the PIX. The key
> which was used to secure the VPN. We have physical access to the PIX
> but when we run "show run" it only shows ******* as the isakmp VPN
> key. How can we get this info? We purchased a second PIX for a backup
> and we are going to put the existing config in place so we can have a
> spare. Thanks in advance for any help

From: barretech on 17 Jun 2008 16:10

I found the answer in the "write net" command. Thanks anyway for thinking to help and read.

On Jun 17, 3:25 pm, barret...(a)hotmail.com wrote:
> I just checked and the PDM does not provide the unencrypted info.
> Maybe if we use TFTP to copy the startup config to a server that will
> do it?
>
> On Jun 17, 3:13 pm, barret...(a)hotmail.com wrote:
>
> > Hello. We have a PIX 506e (6.3.5) and site to site VPN and if
> > possible we need to get the existing isakmp key from the PIX. The key
> > which was used to secure the VPN. We have physical access to the PIX
> > but when we run "show run" it only shows ******* as the isakmp VPN
> > key. How can we get this info? We purchased a second PIX for a backup
> > and we are going to put the existing config in place so we can have a
> > spare. Thanks in advance for any help

From: News Reader on 17 Jun 2008 17:02

barretech(a)hotmail.com wrote:
> I found the answer in the "write net" command. Thanks anyway for
> thinking to help and read.
>
> On Jun 17, 3:25 pm, barret...(a)hotmail.com wrote:
>> I just checked and the PDM does not provide the unencrypted info.
>> Maybe if we use TFTP to copy the startup config to a server that will
>> do it?
>>
>> On Jun 17, 3:13 pm, barret...(a)hotmail.com wrote:
>>
>>> Hello. We have a PIX 506e (6.3.5) and site to site VPN and if
>>> possible we need to get the existing isakmp key from the PIX. The key
>>> which was used to secure the VPN. We have physical access to the PIX
>>> but when we run "show run" it only shows ******* as the isakmp VPN
>>> key. How can we get this info? We purchased a second PIX for a backup
>>> and we are going to put the existing config in place so we can have a
>>> spare. Thanks in advance for any help

You've not clearly stated whether you are referring to the RSA keys used when "rsa-encr" is specified in ISAKMP policy, or whether you are referring to a pre-shared key.

If you are referring to the RSA keys, I suspect the "private" key will NOT be stored in the configuration, and the pre-existing keys may not be exportable (you'd have to look into it).

I don't think copying the configuration to your new device will create the swappable scenario you envision, unless you are referring to a pre-shared key.

Hence, the need to be specific.

Best Regards,
News Reader

From: barretech on 18 Jun 2008 07:15

Thanks for your time. As I posted previously, we got it. It appears that the last time this was successfully done to create a backup PIX we had used the write net command, so we had the pre-shared key and the pre-shared VPN key on a different TFTP server. I just didn't have it handy here and didn't know how we got it out last time.

To your point, I was writing of the line in the config that says "isakmp key ********". That is the pre-shared key. I bet we don't use the RSA statement you mentioned since I see no reference to it anywhere.

On Jun 17, 5:02 pm, News Reader <u...(a)domain.null> wrote:
> barret...(a)hotmail.com wrote:
> > I found the answer in the "write net" command. Thanks anyway for
> > thinking to help and read.
>
> > On Jun 17, 3:25 pm, barret...(a)hotmail.com wrote:
> >> I just checked and the PDM does not provide the unencrypted info.
> >> Maybe if we use TFTP to copy the startup config to a server that will
> >> do it?
>
> >> On Jun 17, 3:13 pm, barret...(a)hotmail.com wrote:
>
> >>> Hello. We have a PIX 506e (6.3.5) and site to site VPN and if
> >>> possible we need to get the existing isakmp key from the PIX. The key
> >>> which was used to secure the VPN. We have physical access to the PIX
> >>> but when we run "show run" it only shows ******* as the isakmp VPN
> >>> key. How can we get this info? We purchased a second PIX for a backup
> >>> and we are going to put the existing config in place so we can have a
> >>> spare. Thanks in advance for any help
>
> You've not clearly stated whether you are referring to the RSA keys used
> when "rsa-encr" is specified in ISAKMP policy, or whether you are
> referring to a pre-shared key.
>
> If you are referring to the RSA keys, I suspect the "private" key will
> NOT be stored in the configuration, and the pre-existing keys may not be
> exportable (you'd have to look into it).
>
> I don't think copying the configuration to your new device will create
> the swappable scenario you envision, unless you are referring to a
> pre-shared key.
>
> Hence, the need to be specific.
>
> Best Regards,
> News Reader
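
Added example, not part of the thread: the posts establish that "show run" masks the pre-shared key while the copy that "write net" puts on a TFTP server carries it in clear text, so those backup files need to be handled as secrets. The Python check below flags unmasked "isakmp key" lines in a saved config without echoing the key; the sample configs, key and addresses are constructed, and the line layout assumes the PIX 6.x form "isakmp key <key> address <peer>".

```python
import re

# Assumed PIX 6.x layout: isakmp key <key> address <peer> [netmask <mask>]
ISAKMP_KEY = re.compile(r"^\s*isakmp\s+key\s+(\S+)\s+address\s+(\S+)", re.IGNORECASE)


def is_masked(value):
    """True when the key field holds only asterisks, as "show run" prints it."""
    return set(value) == {"*"}


def find_cleartext_keys(config_text):
    """Return (line_no, peer, key_length) for every unmasked isakmp key line.

    Only the key length is reported so the audit output does not leak the key.
    """
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = ISAKMP_KEY.match(line)
        if match and not is_masked(match.group(1)):
            findings.append((line_no, match.group(2), len(match.group(1))))
    return findings


# Constructed sample inputs (documentation address range, made-up key).
SHOW_RUN_OUTPUT = """\
isakmp enable outside
isakmp key ******** address 192.0.2.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
"""

WRITE_NET_COPY = """\
isakmp enable outside
isakmp key Ex4mpleKey address 192.0.2.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
"""

if __name__ == "__main__":
    samples = (("show run", SHOW_RUN_OUTPUT), ("write net copy", WRITE_NET_COPY))
    for name, text in samples:
        for line_no, peer, length in find_cleartext_keys(text):
            print(f"{name}: line {line_no}: cleartext pre-shared key "
                  f"({length} chars) for peer {peer}")
```

Any file it flags belongs in access-controlled storage rather than an open TFTP directory.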