Protecting ISAKMP Keys from Prying Eyes

Most people don't think about encrypting their ISAKMP keys because, for the most part, they are inaccessible, but you never know whether a router will end up in malicious hands. Employees have sold networking hardware on sites like eBay without the company's knowledge and without clearing the startup-config. So any credentials that were on the router in plain text, or even passwords protected with a weak algorithm like Type 7, which can be easily reversed, could end up in the hands of a malicious user.

To protect the ISAKMP keys (and other keys) used to secure our VPNs, we will use an IOS feature introduced in 12.3(2)T that lets us encrypt the ISAKMP key with an AES master key.

Note: For security reasons, neither removing the master key nor removing the password encryption aes command decrypts the passwords in the router configuration. Once passwords are encrypted, they are not decrypted. Existing encrypted keys in the configuration can still be decrypted provided the master key is not removed.

R1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
R1(config)#key config-key password-encrypt s3cr3tk3y
R1(config)#password encryption aes
R1(config)#

Now we create an ISAKMP pre-shared key and check that it is stored encrypted with AES (type 6).

R1(config)#crypto isakmp key 0 c1sc0 address 192.168.254.2 0.0.0.0
R1(config)#exit
R1#sri crypto
crypto isakmp key 6 EKDIAEDIW_cFBX`LH[^DESdJO[MAAB address 192.168.254.2

You can also change the master AES key interactively.

R1(config)#key config-key password-encrypt
Old key:
New key:
Confirm key:
Router(config)#

To remove the master key and the encryption of pre-shared keys, use the following command.

R1(config)#no key config-key password-encrypt
WARNING: All type 6 encrypted keys will become unusable
Continue with master key deletion ? [yes/no]: yes
R1(config)#

As the previous message clearly states, once we remove the master key, the keys that were previously encrypted with it become unusable, so you will have to reconfigure any key that still needs to be used.
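A practical follow-up to the sri crypto check above is to audit a saved running-config for pre-shared keys that are still stored as cleartext or Type 7, and for the password encryption aes line that type 6 storage depends on. The script below is an added example, not part of the original post or any Cisco tooling; the running-config excerpt, the peer addresses and the Type 7 string in it are constructed for illustration. It also lists every non-type-6 peer, which is the list of keys you would have to re-enter after a master key removal.

```python
"""Audit a Cisco IOS running-config for ISAKMP pre-shared keys that are not
type 6 (AES) encrypted.  Added example; not the post's own tooling."""
import re
from typing import Dict, List

# Constructed sample running-config excerpt (illustrative, not from a real device).
SAMPLE_CONFIG = """\
!
password encryption aes
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
crypto isakmp key 6 EKDIAEDIW_cFBX`LH[^DESdJO[MAAB address 192.168.254.2
crypto isakmp key 0 c1sc0 address 192.168.254.3
crypto isakmp key branch0ffice address 192.168.254.4 no-xauth
crypto isakmp key 7 070C285F4D06 address 192.168.254.5
!
"""

# "crypto isakmp key [0|6|7] <key> address|hostname <peer> ..."
# The type digit is optional: some IOS versions print cleartext keys without a "0".
ISAKMP_KEY_RE = re.compile(
    r"^crypto isakmp key (?:(?P<type>[067]) )?(?P<key>\S+) "
    r"(?:address|hostname) (?P<peer>\S+)"
)

# Encryption type -> how a practitioner should treat it.
KEY_TYPE_RISK = {
    "0": "cleartext",
    "7": "reversible (Type 7)",
    "6": "AES-encrypted (Type 6)",
}


def parse_isakmp_keys(config: str) -> List[Dict[str, object]]:
    """Return one record per 'crypto isakmp key' line: line number, type, peer."""
    keys = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        m = ISAKMP_KEY_RE.match(line.strip())
        if not m:
            continue
        key_type = m.group("type") or "0"  # no type digit means cleartext
        keys.append({"line": lineno, "type": key_type, "peer": m.group("peer")})
    return keys


def audit_config(config: str) -> Dict[str, object]:
    """Summarise whether AES key encryption is on and which peers still use weak key storage."""
    keys = parse_isakmp_keys(config)
    aes_enabled = any(
        line.strip() == "password encryption aes" for line in config.splitlines()
    )
    findings = [
        f"line {k['line']}: pre-shared key for {k['peer']} is {KEY_TYPE_RISK[k['type']]}"
        for k in keys
        if k["type"] != "6"
    ]
    if keys and not aes_enabled:
        findings.append(
            "'password encryption aes' is not configured; keys cannot be stored as type 6"
        )
    return {
        "aes_enabled": aes_enabled,
        "total_keys": len(keys),
        "type6_keys": sum(1 for k in keys if k["type"] == "6"),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    print(f"password encryption aes: {'yes' if report['aes_enabled'] else 'no'}")
    print(f"{report['type6_keys']} of {report['total_keys']} ISAKMP keys are type 6")
    for finding in report["findings"]:
        print("  -", finding)
```

Run it against a config pulled with show running-config (or a backup copy); any peer reported as cleartext or Type 7 should be re-entered with crypto isakmp key while password encryption aes and the master key are in place, which is also exactly the set of keys you must reconfigure if the master key is ever deleted.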

Jun 16th, 2011 • Posted in IOS, Security