Cisco VPN Question

Posted on 2007-10-03
Last Modified: 2013-11-09
We have a Cisco ASA that manages the VPN tunnels. The clients connect with Cisco VPN Client 5.0. I know the VPN profile password is encrypted; I wanted to find out, if the user is on an unsecured wireless network or some type of hotspot, whether their username/password is also encrypted.

I would think it is; I just want to verify that. It uses ACS to authenticate to the domain when they log in through the VPN.

Question by:amendez2
    LVL 16

    Expert Comment

    I'm nearly certain that it is encrypted as well, and the wireless connection has nothing to do with the VPN tunnel.

    Author Comment

    Yeah, I know the wireless is separate from the VPN tunnel; maybe I worded the question wrong.

    If there is someone else on the unsecured wireless (or secure wireless, for that matter), can they run some type of packet sniffer to grab the user credentials for the VPN?
    LVL 79

    Accepted Solution

    Absolutely not. Even if the wireless connection itself is open with no encryption, the VPN pre-shared key exchange uses an encrypted hash of the pre-shared key, not the key itself, and a secure encrypted tunnel is established; then the username/password prompt appears, and that username/password is sent within the encrypted tunnel. Once authenticated, the tunnel is open for traffic. The only thing that can be seen/captured off the air is encrypted ISAKMP/udp4500 traffic that cannot be decrypted.
    Remember, too, that the Cisco VPN client has a built-in personal firewall while connected, and you can control the firewall rules from the ASA side.
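To make the accepted answer's point checkable from a defender's side, here is an added example (not from the original thread or from Cisco) that classifies what an eavesdropper on the Wi-Fi segment could actually read: the fixed 28-byte ISAKMP header is always visible on udp/500 and udp/4500, but the XAUTH (mode-config "transaction") message that carries the username/password must have the encryption flag set, and ESP payloads are opaque. The sample packets are constructed for the demo, and the helper names `classify`, `credentials_exposed` and `build_isakmp` are my own.

```python
"""Audit captured UDP payloads from an IPsec/IKEv1 VPN session: report the
ISAKMP exchange type and whether each message body is encrypted.
All sample packets below are constructed, not captured from a real session."""
import struct

HDR = struct.Struct("!8s8sBBBBII")      # RFC 2408 ISAKMP header: SPIs, next payload,
FLAG_E = 0x01                            # version, exchange, flags, message ID, length
EXCHANGE = {2: "main mode", 4: "aggressive mode", 5: "informational",
            6: "transaction (mode-config/XAUTH)", 32: "quick mode"}
NON_ESP_MARKER = b"\x00\x00\x00\x00"     # RFC 3948: IKE on udp/4500 starts with 4 zero bytes

def classify(port, payload):
    """Describe one UDP payload seen on port 500 (IKE) or 4500 (NAT-T IKE/ESP)."""
    data = payload
    if port == 4500:
        if data[:4] != NON_ESP_MARKER:          # non-zero first word is an ESP SPI
            return {"kind": "ESP-in-UDP", "encrypted": True}
        data = data[4:]
    elif port != 500:
        return {"kind": "not IKE/IPsec", "encrypted": False}
    if len(data) < HDR.size:
        raise ValueError("truncated ISAKMP header")
    _ispi, _rspi, _nxt, _ver, exch, flags, msg_id, _length = HDR.unpack_from(data)
    return {"kind": "ISAKMP", "exchange": EXCHANGE.get(exch, f"type {exch}"),
            "encrypted": bool(flags & FLAG_E), "msg_id": msg_id}

def credentials_exposed(packets):
    """True if any XAUTH/mode-config message lacks the E flag, which would mean
    the username/password travelled outside the protected phase-1 SA."""
    return any(c["kind"] == "ISAKMP"
               and c["exchange"].startswith("transaction")
               and not c["encrypted"]
               for c in (classify(port, data) for port, data in packets))

def build_isakmp(exch, flags, msg_id, body=b""):
    """Constructed ISAKMP message (header + opaque body) for the samples below."""
    rspi = b"\x22" * 8 if msg_id else b"\x00" * 8   # responder SPI is zero in message 1
    hdr = HDR.pack(b"\x11" * 8, rspi, 1, 0x10, exch, flags, msg_id, HDR.size + len(body))
    return hdr + body

SAMPLE = [
    (500, build_isakmp(2, 0, 0, b"SA payload")),                     # main mode msg 1: cleartext by design
    (4500, NON_ESP_MARKER + build_isakmp(6, FLAG_E, 0xABCD, b"\x9f" * 40)),  # XAUTH, E flag set
    (4500, b"\x00\x00\x01\x02" + b"\x7a" * 60),                      # ESP-in-UDP, SPI 0x102
]

if __name__ == "__main__":
    for port, data in SAMPLE:
        print(port, classify(port, data))
    print("credentials exposed:", credentials_exposed(SAMPLE))
```

The first main-mode message is unencrypted by design (it carries only proposals, DH values and nonces), so only a transaction exchange without the E flag counts as a finding.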

