topic Re: IPSec PSK view over CLI. Possible? in General Topics

IPSec PSK view over CLI. Possible?

TranceforLife — Wed, 22 Mar 2017 13:34:13 GMT

I guess the answer is no, but is it possible to view PSK over the CLI in plain text or with the exported XML config?

Thanks All,

Myky

Re: IPSec PSK view over CLI. Possible?

santonic — Wed, 22 Mar 2017 13:47:11 GMT

It's not.

Re: IPSec PSK view over CLI. Possible?

TranceforLife — Wed, 22 Mar 2017 13:48:38 GMT

Nice and simple answer! Thank you

Re: IPSec PSK view over CLI. Possible?

TranceforLife — Wed, 22 Mar 2017 14:24:30 GMT

@santonic a quick question actually. Unfrotunetluy l was not able to confirm as got no VPN tunnels running. Do you know if PSK keys are exported and imported when doing the config migration between the different platforms?

thanks,

Myky

Re: IPSec PSK view over CLI. Possible?

santonic — Wed, 22 Mar 2017 14:28:10 GMT

They are in XML file so I'd say yes (tho i don't think i ever migrated them cross platforms).

Exanple of PSK in XML:

<key>-AQ==MTmkWKuz1MeX9w6MmYSXGPbwbuU=OEFI/kxWUYPIkxWuSdtMgihZjdcoWnM11wIaPQpp3YM=</key>

Re: IPSec PSK view over CLI. Possible?

TranceforLife — Thu, 23 Mar 2017 17:05:54 GMT

@santonic By any chance, you got some details about master key on PA and if that is in some way encrypt/hash the private key same as PSK. Or master key is irrelevant for PSK password encryption, or maybe it is exported with the configuration? l am just thinking how another device can read that hash password without the key? (will mark your answer as a "solution" later) for now just want to bring the attention of others:0

Re: IPSec PSK view over CLI. Possible?

santonic — Fri, 24 Mar 2017 06:42:45 GMT

Good question. Unfortunately I don't know the answer.

Re: IPSec PSK view over CLI. Possible?

TranceforLife — Tue, 04 Apr 2017 14:02:23 GMT

Heys,

l am back with some updates on this, more FYI. We had a case opened with TAC for a similar issue. So default master key on PA indeed doing encryption (not hashing, as it is one-way process you cannot apply the key and get re-hash) of all plain text passwords and private cert keys etc. The default key is the same across all platforms. If you exporting/importing the config between the devices with the different master keys (as you have an option to generate a new key) you will get an error (some complaints about mismatch). Simple advice - do not change the key as it can lead to further issue if you want to manage the devices with Panorama.