

How to retrieve the VPN or pre-shared key on PIX

Posted on 2008-11-07
Medium Priority
Last Modified: 2012-06-27
Hi guys,

Is there any way we can retrieve the pre-shared key or VPN password? I have started a new job and don't know the passwords.

Can someone help?
Question by:ammartahir1978

Expert Comment

ID: 22906717
Go to the CLI and look for the key. The key is usually encrypted in type 7. Copy those # then go to
put those # in . It should decrypt for you.
LVL 28

Expert Comment

ID: 22907978
Sorry, but the preshared key used for VPN connections shows up in the PIX config as asterisks (********)...you won't be able to decrypt it.

However, there is a good side to this...you don't have to know the current pre-shared key in order to change it to something else...just issue the "isakmp key" command with a new pre-shared key value and it will overwrite the current value...

Expert Comment

ID: 22909247
That's why I said use the CLI (command line interface), either via console port or telnet.

LVL 28

Expert Comment

ID: 22909428
You can't do that with the pre-shared keys because they don't show up even in encrypted form.
LVL 23

Expert Comment

ID: 22911091
On a PIX 7.x / ASA, try the command
more system:running-config

Use write net
to upload the config to a TFTP server, i.e.

write net (ip address):/pixcnf.cfg

The basic idea is that when you upload the config file to your TFTP server,
you can now view the file on the TFTP server with pre-shared keys not starred out.

Author Comment

ID: 22911532
Thank you guys. To make you understand the config, I have posted the config of the PIX; if you look at the isakmp key, it's all ********

So what I understand from the above comments is that I can change this key to anything, but my confusion is: do I have to change it on my ASA in head office as well?
So on both I will put

no isakmp key ****** ..........................
isakmp new key ip address netmask ...............

and the same on my ASA in head office... right?

Thank you
crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto map TOWHS 20 ipsec-isakmp
crypto map TOWHS 20 match address TOWHS
crypto map TOWHS 20 set peer <public IP address>
crypto map TOWHS 20 set transform-set ESP-AES-256-MD5
crypto map TOWHS interface outside
isakmp enable outside
isakmp key ******** address <IP address> netmask no-xauth no-co
isakmp keepalive 20
isakmp nat-traversal 20
isakmp policy 2 authentication rsa-sig
isakmp policy 2 encryption des
isakmp policy 2 hash sha
isakmp policy 2 group 1
isakmp policy 2 lifetime 86400
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption aes-256
isakmp policy 20 hash md5
isakmp policy 20 group 5
isakmp policy 20 lifetime 86400


LVL 28

Expert Comment

ID: 22912844
Yes, you will have to change it on your ASA on the other end as well.

When you enter in the "no" form of the command, you can put in whatever you want for the key value, then put in the real key that you want to use when you enter the "isakmp key" command.

Author Comment

ID: 22913402
Thank you.

batry_boy, is there anything else I have to change, or do I just put a no on isakmp key and then put it on again with the isakmp command?

Can you change my code?
LVL 28

Accepted Solution

batry_boy earned 2000 total points
ID: 22914226
No, I don't think so, given the info you have provided thus far.  For example, if you wanted to change the key to be "cisco123", just put in the following statements:

no isakmp key whatever address <IP address> netmask no-xauth no-config-mode
isakmp key cisco123 address <IP address> netmask no-xauth no-config-mode

where <IP address> is the remote tunnel peer.

For the ASA, the command syntax is different:

tunnel-group <IP address> ipsec-attributes
pre-shared-key cisco123

Author Comment

ID: 22994359
This is how it is on the PIX at head office. Do I have to put no first and then recreate it?

tunnel-group <IP ADDRESS> type ipsec-l2l
tunnel-group <IP ADDRESS> ipsec-attributes
 pre-shared-key *
LVL 28

Expert Comment

ID: 22995106
No, you should be able to overwrite the existing pre-shared key.  Just issue the following commands:

tunnel-group <IP ADDRESS> ipsec-attributes
 pre-shared-key <new_pre_shared_key>
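
The check below is an added example, not code from the thread: given config text in which the keys are readable (as the answer about more system:running-config and write net describes), it parses both key syntaxes shown above, confirms that the two tunnel ends hold the same key without printing it, and produces a redacted copy for storage or posting. The sample addresses and the function names are assumptions constructed for the example.

```python
import hmac
import re

# PIX 6.x:       isakmp key <key> address <peer> netmask <mask> ...
PIX_KEY = re.compile(r"^([ \t]*isakmp key )(\S+)( address )(\S+)", re.M)
# ASA / PIX 7.x: tunnel-group <peer> ipsec-attributes, then an indented pre-shared-key <key>
ASA_GROUP = re.compile(r"^tunnel-group (\S+) ipsec-attributes\s*$")
ASA_KEY = re.compile(r"^([ \t]+pre-shared-key )(\S+)", re.M)

# Constructed samples (documentation addresses, example key from the thread).
PIX_SAMPLE = ("isakmp enable outside\n"
              "isakmp key cisco123 address 203.0.113.10 netmask 255.255.255.255 no-xauth no-config-mode\n")
ASA_SAMPLE = ("tunnel-group 198.51.100.20 type ipsec-l2l\n"
              "tunnel-group 198.51.100.20 ipsec-attributes\n"
              " pre-shared-key cisco123\n")


def _value(key):
    """A key shown only as asterisks was masked by the device: treat as unknown."""
    return None if set(key) == {"*"} else key


def extract_psks(config):
    """Map peer address -> pre-shared key, or None where the key is masked."""
    found = {m.group(4): _value(m.group(2)) for m in PIX_KEY.finditer(config)}
    group = None
    for line in config.splitlines():
        if (g := ASA_GROUP.match(line)):
            group = g.group(1)
        elif group and (k := ASA_KEY.match(line)):
            found[group] = _value(k.group(2))
        elif line and not line[0].isspace():
            group = None  # left the tunnel-group sub-mode
    return found


def ends_match(pix_cfg, asa_peer, asa_cfg, pix_peer):
    """True/False when both keys are readable, None if either side is masked or missing."""
    a = extract_psks(pix_cfg).get(asa_peer)
    b = extract_psks(asa_cfg).get(pix_peer)
    if a is None or b is None:
        return None
    return hmac.compare_digest(a.encode(), b.encode())


def redact(config):
    """Return the config with every key replaced by asterisks, safe to store or post."""
    out = PIX_KEY.sub(r"\g<1>********\g<3>\g<4>", config)
    return ASA_KEY.sub(r"\g<1>********", out)
```

Run redact() over any exported config before it is archived or pasted into a ticket; ends_match() returns None rather than guessing when either side only shows asterisks.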


Question has a verified solution.
