[rancid] Re: Cisco ASA Backup with Preshared Keys

Dwi C Taniel dc at dwichandra.info
Mon Nov 3 16:50:52 UTC 2008


Hi all,

I had one incident where I had to back up the config while showing the
pre-shared keys in PIX/ASA (only <20 devices with <10 pairs of tunnels).

As far as I remember, I commented out several lines in
/usr/local/rancid/bin/rancid

One of the lines reads as follows (mine is at lines 1541 - 1543):

    # mask the ISAKMP pre-shared key when password filtering is on
    if (/^((crypto )?isakmp key) \S+ / && $filter_pwds >= 1) {
        ProcessHistory("","","","!$1 <removed> $'"); next;
    }

... and I think I also commented out several other line(s) but can't
remember which one(s).

Now, if you comment out that line in the rancid script, please bear the
following point(s) in mind (CMIIW please):
- all devices using /usr/local/rancid/bin/rancid will have that
particular keyword unmasked -> instead of *** it will be the actual
value. So this will apply to all devices marked as 'cisco' in router.db
- whoever can access /usr/local/rancid/var (or any location that was
configured to store the rancid-run results) will be able to see the
crypto/ISAKMP keys

I might have missed other line(s) to comment out either in
/usr/local/rancid/bin/rancid or /usr/local/rancid/clogin, so for those
who are more intimate with those scripts, please share it with the list.

Hope that helps ;)

P.S.: I no longer have access to a PIX, so for those who still have
that access, please give it a try and let me know ;)

Cheers,

Dwi

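As an added illustration (not rancid's own code; the sample config lines and keys are constructed), here is a Python re-implementation of the isakmp key filter quoted above with the filter_pwds switch, plus a small audit function that scans stored rancid output for keys left in clear text, which is the exposure described in the points above.

```python
import re

# Python equivalent of the rancid filter quoted in the thread:
#   if (/^((crypto )?isakmp key) \S+ / && $filter_pwds >= 1) {
#       ProcessHistory("","","","!$1 <removed> $'"); next;
#   }
# group 1 = the "crypto isakmp key" / "isakmp key" prefix, group 3 = the key,
# group 4 = everything after the key (Perl's $' post-match text).
ISAKMP_KEY_RE = re.compile(r'^((crypto )?isakmp key) (\S+) (.*)$')

def filter_line(line, filter_pwds=1):
    """Return a config line as rancid would store it for the given filter level."""
    m = ISAKMP_KEY_RE.match(line)
    if m and filter_pwds >= 1:
        # Comment the line out and drop the key, keeping the peer address etc.
        return "!%s <removed> %s" % (m.group(1), m.group(4))
    return line  # filter disabled (the "commented out" case) or not a key line

def filter_config(lines, filter_pwds=1):
    return [filter_line(line, filter_pwds) for line in lines]

def is_masked(token):
    # "<removed>" is rancid's marker; a run of '*' is what the device itself
    # prints for a hidden key (the ASA shows a single '*', the PIX several).
    return token == "<removed>" or set(token) == {"*"}

def unmasked_keys(lines):
    """Audit stored output: 1-based numbers of lines whose ISAKMP key is in clear text."""
    hits = []
    for n, line in enumerate(lines, 1):
        # strip the '!' rancid prefixes to filtered lines so they are checked too
        m = ISAKMP_KEY_RE.match(line.lstrip("!"))
        if m and not is_masked(m.group(3)):
            hits.append(n)
    return hits

# Constructed sample config; hostnames, keys and addresses are made up.
SAMPLE_CONFIG = [
    "hostname edge-fw",
    "crypto isakmp key s3cr3tKey address 203.0.113.10",
    "isakmp key 0therKey address 198.51.100.7 netmask 255.255.255.255",
    "crypto isakmp policy 10",
]

if __name__ == "__main__":
    for line in filter_config(SAMPLE_CONFIG, filter_pwds=1):
        print(line)
    print("clear-text keys in unfiltered copy:", unmasked_keys(SAMPLE_CONFIG))
```

Running unmasked_keys over the files under the rancid output directory is a quick way to confirm whether a commented-out filter has left keys in the stored configs.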

On 11/01/2008, Todd Heide <Todd at equivoice.com> wrote:

> There is only one way to see the pre-shared keys on an ASA.
>
> More system:running-config
>
> Not sure how Rancid can do that, but if someone can set it up to issue
> that command, then you should be able to back up the VPN keys.
>
> From: rancid-discuss-bounces at shrubbery.net
> [mailto:rancid-discuss-bounces at shrubbery.net] On Behalf Of Keys, Jeremy
> Sent: Saturday, November 01, 2008 8:56 AM
> To: rancid-discuss at shrubbery.net
> Subject: [rancid] Cisco ASA Backup with Preshared Keys
>
> I use rancid to back up all of my configurations, including two Cisco ASA
> 5520's.  The only problem I have run into is that when rancid backs up
> the configs on the ASA, the actual preshared keys are displayed as an
> asterisk (*) rather than the actual preshared key.
>
> Is there a way to get rancid to back up the actual config file?  I assume
> it's just doing a screen scrape (sh running-config) and capturing the
> output rather than copying the actual file.  This is fine for most
> equipment, but if I have a failure on the ASA and need to restore the
> config, I would have to re-enter all the preshared keys (not fun with
> several hundred tunnels).
>
> Any help is greatly appreciated,
>
> Jeremy Keys
>
> jeremy_keys at memorial.org