
IPSec PSK view over CLI. Possible?

L6 Presenter

I guess the answer is no, but is it possible to view the PSK over the CLI in plain text, or in the exported XML config?

Thanks All,

Myky


7 Replies

L6 Presenter

It's not.

Nice and simple answer! Thank you

@santonic a quick question actually. Unfortunately I was not able to confirm, as I have no VPN tunnels running. Do you know if PSK keys are exported and imported when doing the config migration between the different platforms?

thanks,

Myky

They are in the XML file, so I'd say yes (though I don't think I ever migrated them across platforms).

Example of a PSK in XML:

<key>-AQ==MTmkWKuz1MeX9w6MmYSXGPbwbuU=OEFI/kxWUYPIkxWuSdtMgihZjdcoWnM11wIaPQpp3YM=</key>

L6 Presenter

@santonic By any chance, have you got some details about the master key on PA and whether it in some way encrypts/hashes the private key the same as the PSK? Or is the master key irrelevant for PSK password encryption, or maybe it is exported with the configuration? I am just thinking how another device can read that hashed password without the key? (will mark your answer as a "solution" later) for now I just want to bring this to the attention of others :0

Good question. Unfortunately I don't know the answer.

Hey,

I am back with some updates on this, more FYI. We had a case opened with TAC for a similar issue. So the default master key on PA indeed does encryption (not hashing, as that is a one-way process; you cannot apply the key and reverse a hash) of all plain-text passwords, private cert keys, etc. The default key is the same across all platforms. If you export/import the config between devices with different master keys (as you have an option to generate a new key) you will get an error (some complaint about a mismatch). Simple advice: do not change the key, as it can lead to further issues if you want to manage the devices with Panorama.
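The practical consequence of the updates above is that an exported XML config carries the PSKs and private keys in a reversible form (encrypted under a master key that is the same on every device by default), so the file should be handled as sensitive and redacted before it is shared. The following is an added example, not code from this thread or from Palo Alto Networks: it walks an exported config, reports which secret-bearing elements hold a value with the `-AQ==` marker seen in the thread and which hold plain text, and produces a redacted copy. The element names in `SECRET_TAGS` (other than `<key>`, which the thread shows) and the nesting in the constructed sample config are assumptions; the marker check is a heuristic taken from the one value posted, not documented format behaviour.

```python
"""Classify and redact secret-bearing values in an exported XML config.

Added example (not from the thread or the vendor). Assumptions:
- SECRET_TAGS is a guess at where secrets live; only <key> appears in the thread.
- ENCRYPTED_PREFIX is taken from the single value posted in the thread.
"""
import re
import xml.etree.ElementTree as ET

# Element names treated as secret-bearing (assumption; <key> comes from the thread).
SECRET_TAGS = {"key", "password", "private-key", "pre-shared-key"}
# Encrypted values in the thread begin with this marker (observed, not documented here).
ENCRYPTED_PREFIX = "-AQ=="
_B64_CHARS = re.compile(r"^[A-Za-z0-9+/=]+$")

# Constructed sample config: the encrypted PSK value copied from the thread plus
# a plaintext admin password, so both branches of the classifier are exercised.
SAMPLE_CONFIG = """<config>
  <network><ike><gateway><entry name="gw1"><authentication><pre-shared-key>
    <key>-AQ==MTmkWKuz1MeX9w6MmYSXGPbwbuU=OEFI/kxWUYPIkxWuSdtMgihZjdcoWnM11wIaPQpp3YM=</key>
  </pre-shared-key></authentication></entry></gateway></ike></network>
  <mgt-config><users><entry name="admin"><password>Summer2024!</password></entry></users></mgt-config>
</config>"""


def looks_encrypted(value):
    """Heuristic: marker prefix followed by base64-alphabet characters only."""
    if not value.startswith(ENCRYPTED_PREFIX):
        return False
    payload = value[len(ENCRYPTED_PREFIX):]
    return bool(payload) and _B64_CHARS.match(payload) is not None


def walk(elem, path=""):
    """Yield (xpath-like path, element) for every element, depth first."""
    name = elem.get("name")
    path = f"{path}/{elem.tag}" + (f"[@name='{name}']" if name else "")
    yield path, elem
    for child in elem:
        yield from walk(child, path)


def scan_config(xml_text):
    """Return [(path, 'encrypted' | 'plaintext')] for each secret-bearing leaf."""
    findings = []
    for path, elem in walk(ET.fromstring(xml_text)):
        if elem.tag not in SECRET_TAGS:
            continue
        text = (elem.text or "").strip()
        if not text:
            continue  # container such as <pre-shared-key> wrapping <key>; no value of its own
        findings.append((path, "encrypted" if looks_encrypted(text) else "plaintext"))
    return findings


def redact(xml_text):
    """Return a copy of the config with every secret-bearing value replaced."""
    root = ET.fromstring(xml_text)
    for _, elem in walk(root):
        if elem.tag in SECRET_TAGS and (elem.text or "").strip():
            elem.text = "REDACTED"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for path, status in scan_config(SAMPLE_CONFIG):
        print(f"{status:10} {path}")
    print(redact(SAMPLE_CONFIG))
```

Both classes of finding matter: an encrypted value is still recoverable by any device sharing the default master key, so `redact()` replaces it along with plaintext ones. A value that fails the marker check is reported as plaintext rather than ignored, which is the safer failure mode when the format is only partially known.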

  • 1 accepted solution
  • 6822 Views
  • 7 replies
  • 0 Likes