
authentication pre-share

Configures pre-shared key authentication for IKEv1 policies on Cisco ASA Firewall.

Overview

The 'authentication pre-share' command is entered in IKEv1 policy configuration mode on Cisco ASA firewalls to specify that pre-shared key (PSK) authentication is used for Internet Key Exchange (IKE) phase 1. IKEv1 is the original version of IKE used to establish the security associations (SAs) that protect IPsec VPN traffic. Authentication is the step in phase 1 that proves each peer is who it claims to be; with pre-shared keys, both peers prove possession of the same secret.

Pre-shared key authentication is simpler to configure than certificate-based authentication (rsa-sig) but is generally considered weaker: the key must be distributed out-of-band, it does not scale well beyond a handful of peers, and a key that is reused across peers or is guessable can be recovered. The exposure is greatest in IKEv1 aggressive mode, where the hash that proves possession of the key travels in the clear and can be attacked offline with a dictionary; site-to-site tunnels on the ASA negotiate in main mode, and aggressive mode can be disabled globally with 'crypto ikev1 am-disable'.

On the ASA the command is entered under an IKEv1 policy created with 'crypto ikev1 policy <priority>'. The priority number sets the order in which policies are offered to the peer (lowest number first). 'authentication pre-share' is one of the parameters that define the policy, alongside encryption, hash, Diffie-Hellman group, and lifetime. The key itself is not part of the policy; on the ASA it is configured per peer under a tunnel-group.

The command is typically used in site-to-site VPNs where simplicity is wanted, or in IKEv1 remote access VPNs. When IKE phase 1 fails, comparing the authentication method on both sides is one of the first checks: a policy that matches the peer on encryption, hash and group but not on authentication is never selected. The ASA supports both pre-share and rsa-sig; the choice depends on the security requirements and on how many peers have to be managed.

Syntax (IKEv1 policy configuration mode)

authentication pre-share

When to Use This Command

  • Setting up site-to-site VPN with pre-shared key authentication.
  • Configuring remote access VPN with pre-shared key for IKEv1.
  • Migrating from certificate-based authentication to pre-shared key for simplicity.
  • Testing VPN connectivity with minimal configuration using pre-shared keys.

Parameters

Parameter: authentication pre-share
Syntax: authentication pre-share
Description: Sets the authentication method of the current IKEv1 policy to pre-shared key. It takes no further arguments and must be entered under an IKEv1 policy. The key itself is not part of the policy: on the ASA it is configured per peer under 'tunnel-group <peer-ip> ipsec-attributes' with 'ikev1 pre-shared-key <key>' (the IOS-style 'crypto isakmp key' command is not how the ASA stores it).

Command Examples

Configure pre-shared key authentication in IKEv1 policy

ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)#

This command sets the authentication method to pre-shared key for the current IKEv1 policy. No output is displayed if successful.

Verify IKEv1 policy authentication method

show running-config crypto ikev1 policy 10
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

The output shows that policy 10 uses pre-shared key authentication. The 'authentication pre-share' line confirms the setting.

Understanding the Output

The 'authentication pre-share' command itself produces no output; it only sets the authentication method of the current policy. To verify, use 'show running-config crypto ikev1' (narrowed to one policy as above). The output lists every parameter of the policy. An 'authentication pre-share' line means pre-shared keys are used; 'authentication rsa-sig' means certificates (digital signatures) are used instead. If the line is missing, the policy has not been fully configured and the platform default applies; compare the complete parameter set with the peer's policy, not just the authentication line. Check as well that the key exists for the peer: on the ASA it lives under 'tunnel-group <peer-ip> ipsec-attributes' as 'ikev1 pre-shared-key', which 'show running-config tunnel-group' displays masked with asterisks ('more system:running-config' shows it in clear text).

Configuration Scenarios

Site-to-Site VPN with Pre-Shared Key

Two offices connected via internet using ASA firewalls. IKEv1 policy uses pre-shared key authentication.

Topology

[ASA1]---Internet---[ASA2]

Steps

  1. Configure an IKEv1 policy on ASA1 with authentication pre-share and enable IKEv1 on the outside interface.
  2. Configure the pre-shared key for the peer IP on ASA1 under a tunnel-group of type ipsec-l2l.
  3. Repeat the configuration on ASA2 with matching policy parameters and the same key.
  4. Apply the crypto map (phase 2) to the outside interface.
Configuration
! On ASA1 (outside interface 198.51.100.1)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! The key lives in a per-peer tunnel-group named after the peer's IP, not in the policy.
! 'mysecret' is a placeholder; use a long random key in practice.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key mysecret
!
! On ASA2 (outside interface 203.0.113.2)
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 ikev1 pre-shared-key mysecret
!
! Phase 2 (transform set, interesting-traffic ACL, crypto map bound to outside) follows; not shown here.

Verify: Use 'show crypto ikev1 sa' ('show crypto isakmp sa' on older releases) to confirm the IKE SA; the state should be MM_ACTIVE. A tunnel-group that is missing or named after the wrong IP shows up as a phase 1 failure, not as a configuration error.

Watch out: The pre-shared key must match exactly on both peers (it is case-sensitive), the tunnel-group name must be the remote ASA's outside interface IP, and IKEv1 must be enabled on the outside interface with 'crypto ikev1 enable outside'. Group 2 (1024-bit Diffie-Hellman) and SHA-1 are kept here to match the verification output above; use group 14 or higher where the release supports it.

Troubleshooting with This Command

When IKEv1 phase 1 fails, the authentication method is one of the first parameters to compare. 'show running-config crypto ikev1' lists every policy with its authentication, encryption, hash, group and lifetime; the peer must have a policy that matches on the first four (lifetime is not a match criterion, the shorter of the two values is used). If the peer offers only rsa-sig and the ASA only pre-share, no proposal is accepted. 'show crypto ikev1 sa' shows how far the exchange got: an SA that stalls in an MM_WAIT_MSGn state rather than reaching MM_ACTIVE has not completed phase 1; a stall at MM_WAIT_MSG2 on the initiator is commonly a policy mismatch or an unreachable peer, a stall at MM_WAIT_MSG6 commonly a pre-shared key mismatch. Check the key with 'show running-config tunnel-group <peer-ip> ipsec-attributes'; the key is masked there, and 'more system:running-config' shows it in clear text when you need to compare it character by character. 'debug crypto ikev1 127' ('debug crypto isakmp 127' on older releases) prints the proposals each side offers and the reason a proposal is rejected. Make sure IKEv1 is enabled on the interface facing the peer with 'crypto ikev1 enable outside'; IKEv1 policies are global and are not applied through the crypto map. Pre-shared keys do not expire, but a key changed on one peer and not the other fails exactly like a typo. Prefer a dedicated tunnel-group per peer over the catch-all DefaultL2LGroup, so that each peer has its own key and a compromised key exposes only one tunnel.
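
The policy-matching rule above (a proposal is accepted only if authentication, encryption, hash and group are identical; lifetime is not matched) can be checked offline before touching either firewall. The following Python script is an added example for this page, not Cisco code or a tool the page describes: it parses constructed 'show running-config crypto ikev1' outputs (ASA1_OUTPUT, ASA2_OUTPUT and ASA3_OUTPUT are made up for the example), simulates the responder walking its policies in priority order, and reports the agreed policy pair or, when phase 1 would fail, the closest pair and the attributes on which it differs. The list of parameters it flags as weak (DES/3DES, MD5, Diffie-Hellman groups 1, 2 and 5) is the example's own choice, not an ASA setting.

```python
"""Simulate IKEv1 phase 1 policy matching between two Cisco ASA peers.
Added example for this page, not Cisco code. Input is the text of
'show running-config crypto ikev1' from each peer; samples are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

# A proposal is accepted only if these four attributes are identical on both sides.
# Lifetime is not a match criterion: the shorter of the two values is used.
MATCH_ATTRS = ("authentication", "encryption", "hash", "group")
# Settings this example flags as weak (its own list, not an ASA setting).
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5"}, "group": {"1", "2", "5"}}
DEFAULT_LIFETIME = 86400  # ASA default IKEv1 policy lifetime (seconds)
POLICY_RE = re.compile(r"^crypto ikev1 policy (\d+)\s*$")
PARAM_RE = re.compile(r"^\s+(authentication|encryption|hash|group|lifetime)\s+(\S+)\s*$")

# Constructed sample outputs. ASA1 offers the page's policy 10 plus a stronger policy 20.
ASA1_OUTPUT = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 28800
"""
# ASA2 only accepts group 14 with a pre-shared key; ASA3 only accepts certificates.
ASA2_OUTPUT = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
"""
ASA3_OUTPUT = ASA2_OUTPUT.replace("authentication pre-share", "authentication rsa-sig")


def parse_ikev1_policies(text: str) -> dict[int, dict[str, str]]:
    """Turn running-config text into {priority: {attribute: value}}."""
    policies: dict[int, dict[str, str]] = {}
    current: Optional[dict[str, str]] = None
    for line in text.splitlines():
        if m := POLICY_RE.match(line):
            current = policies.setdefault(int(m.group(1)), {})
        elif (m := PARAM_RE.match(line)) and current is not None:
            current[m.group(1)] = m.group(2)
    return policies


def diff_policies(a: dict[str, str], b: dict[str, str]) -> list[tuple[str, str, str]]:
    """Attributes on which two policies disagree, as (attribute, a_value, b_value)."""
    return [(k, a.get(k, "?"), b.get(k, "?")) for k in MATCH_ATTRS if a.get(k) != b.get(k)]


def weak_parameters(policy: dict[str, str]) -> list[str]:
    """Weak settings in one policy, e.g. ['group=2'] for the page's sample policy."""
    return [f"{k}={policy[k]}" for k in ("encryption", "hash", "group") if policy.get(k) in WEAK[k]]


@dataclass
class NegotiationResult:
    agreed: Optional[tuple[int, int]] = None        # (initiator priority, responder priority)
    lifetime: Optional[int] = None                  # shorter of the two lifetimes
    closest_pair: Optional[tuple[int, int]] = None  # best candidate when nothing matches
    closest_mismatch: list[tuple[str, str, str]] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)


def negotiate(initiator_text: str, responder_text: str) -> NegotiationResult:
    """The responder walks its own policies in priority order (lowest number first)
    and accepts the first one that matches any proposal the initiator offered."""
    init, resp = parse_ikev1_policies(initiator_text), parse_ikev1_policies(responder_text)
    result, best = NegotiationResult(), None
    for rp in sorted(resp):
        for ip in sorted(init):
            diffs = diff_policies(init[ip], resp[rp])
            if not diffs:
                result.agreed = (ip, rp)
                result.lifetime = min(int(init[ip].get("lifetime", DEFAULT_LIFETIME)),
                                      int(resp[rp].get("lifetime", DEFAULT_LIFETIME)))
                result.warnings = weak_parameters(init[ip])
                return result
            if best is None or len(diffs) < len(best[2]):
                best = (ip, rp, diffs)  # remember the nearest miss for the failure report
    if best is not None:
        result.closest_pair, result.closest_mismatch = (best[0], best[1]), best[2]
    return result


if __name__ == "__main__":
    print(negotiate(ASA1_OUTPUT, ASA2_OUTPUT))  # agreed=(20, 10), lifetime=28800
    print(negotiate(ASA1_OUTPUT, ASA3_OUTPUT))  # closest_mismatch names authentication
```

Against ASA2 the page's policy 10 is skipped (group 2 versus 14) and policy 20 is agreed with the shorter lifetime of 28800 seconds; against ASA3 nothing matches and the report names 'authentication: pre-share vs rsa-sig' as the single difference, which is exactly the mismatch a 'debug crypto ikev1 127' trace would show. Feeding it the real outputs of both peers turns "phase 1 fails" into a concrete attribute to fix.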

CCNA Exam Tips

1. 'authentication pre-share' is configured under IKEv1 policy configuration mode, entered with 'crypto ikev1 policy <priority>'.

2. Pre-shared key authentication is simpler but less secure and less scalable than certificate-based (rsa-sig) authentication.

3. The pre-shared key itself is configured separately from the policy: on the ASA under the peer's tunnel-group with 'ikev1 pre-shared-key', on IOS with 'crypto isakmp key'.

Common Mistakes

  • Forgetting to configure the pre-shared key under the peer's tunnel-group after setting authentication pre-share, so IKE negotiation fails.
  • Not enabling IKEv1 on the interface facing the peer ('crypto ikev1 enable outside'), so no phase 1 negotiation starts at all.
  • Mixing up IKEv1 and IKEv2 configuration: 'authentication pre-share' belongs in an IKEv1 policy, while IKEv2 authentication is set under the tunnel-group.
  • Entering 'authentication pre-share' in global configuration without first selecting a policy with 'crypto ikev1 policy <priority>'.

Platform Notes

On the Cisco ASA, 'authentication pre-share' exists only in IKEv1 policies. IKEv2 policies on the ASA ('crypto ikev2 policy') carry no authentication line at all; for IKEv2 the method and the keys are set under the tunnel-group with 'ikev2 local-authentication pre-shared-key' and 'ikev2 remote-authentication pre-shared-key'. On Cisco IOS routers the command is the same but is entered under 'crypto isakmp policy', and the IOS key is configured with 'crypto isakmp key <key> address <peer-ip>'. The ASA uses 'crypto ikev1 policy' and stores the key per peer under 'tunnel-group <peer-ip> ipsec-attributes' as 'ikev1 pre-shared-key <key>', so the IOS key command does not carry over. ASA releases before 8.4 also used the 'crypto isakmp' keyword for the policy and for enabling IKE on an interface; 8.4 renamed these to 'crypto ikev1' when IKEv2 support was added, and the old forms are still accepted and converted. In ASA 9.x IKEv1 remains supported but IKEv2 is preferred. For remote access VPNs a pre-shared (group) key can be used with IKEv1, but certificate-based authentication is more common because it scales and avoids a secret shared by every client. When migrating from IOS to ASA, expect the policy numbering and the parameter order in the running configuration to differ.
