Configuring an Encrypted Preshared Key for a Local IPsec Transport Profile

You can use the pre-share-masked command to specify an encrypted preshared key. To obtain the encrypted form of a key, first enter the unencrypted key by using the pre-share command, and then run the show config command. The router displays the preshared key in encrypted form. You can then enter that encrypted key by using the pre-share-masked command.

The router uses the preshared key to authenticate IKE negotiations that arrive from any remote IP address specified for this transport profile and that are destined for any local IP address specified for this transport profile. If the remote endpoint address is a wildcard address, this preshared key is a group preshared key.

Caution: Group preshared keys are not fully secure, and we do not recommend using them. They are provided for trials and testing purposes, where the reduced security does not pose a risk to the provider.

To enable preshared key authentication, you must also specify the IKE policy rule as preshared by entering authentication pre-share in ISAKMP Policy Configuration mode.

To specify an encrypted preshared key:

host1(config-ipsec-transport-profile-local)#pre-share-masked AAAAGAAAAAcAAAACZquq4ABieTUBuNBELSY8b/L3CX/RcPX7

To remove a key, use the no pre-share command.
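The following is an added example, not part of the original documentation or the vendor's code: a Python check for a provisioning command file that flags group preshared keys (wildcard remote endpoint) and keys still entered in cleartext with pre-share rather than pre-share-masked. The profile header layout, the 0.0.0.0 wildcard notation, and all profile names, addresses and key placeholders are assumptions constructed for illustration.

```python
import re

# Constructed sample command file. The line layout is an assumption for this
# example, not captured router output; keys are placeholders.
SAMPLE_CONFIG = """\
ipsec transport profile branchA virtual-router default ip address 192.0.2.10
 local ip address 198.51.100.1
  pre-share-masked <masked-key-placeholder-1>
ipsec transport profile trialGroup virtual-router default ip address 0.0.0.0
 local ip address 198.51.100.1
  pre-share-masked <masked-key-placeholder-2>
ipsec transport profile branchB virtual-router default ip address 192.0.2.20
 local ip address 198.51.100.1
  pre-share <cleartext-key-placeholder>
"""

WILDCARD = "0.0.0.0"  # assumed notation for a wildcard remote endpoint
PROFILE_RE = re.compile(r"^ipsec transport profile (\S+) .*\bip address (\S+)\s*$")
LOCAL_RE = re.compile(r"^local ip address (\S+)$")
KEY_RE = re.compile(r"^(pre-share|pre-share-masked)\s+\S+$")

def audit_transport_profiles(config_text):
    """Return (profile, local_ip, finding) tuples in file order."""
    findings = []
    profile = remote = local = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = PROFILE_RE.match(line)
        if m:  # new profile: remember its remote endpoint, reset local address
            profile, remote = m.groups()
            local = None
            continue
        m = LOCAL_RE.match(line)
        if m and profile:
            local = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m and profile and local:
            if remote == WILDCARD:
                # Key applies to any remote address: a group preshared key.
                findings.append((profile, local, "group-preshared-key"))
            if m.group(1) == "pre-share":
                # Key is stored unencrypted in the command file.
                findings.append((profile, local, "cleartext-key-in-file"))
    return findings

if __name__ == "__main__":
    for finding in audit_transport_profiles(SAMPLE_CONFIG):
        print(finding)
```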
