authentication pre-share
Configures pre-shared key authentication for IKEv1 policies on Cisco ASA Firewall.
Overview
The 'authentication pre-share' command is used in IKEv1 policy configuration mode on Cisco ASA Firewalls to specify that pre-shared key (PSK) authentication should be used for the Internet Key Exchange (IKE) phase 1 negotiations. IKEv1 is the original version of IKE used to establish security associations (SAs) for IPsec VPNs. Authentication is a critical step in IKE phase 1, ensuring that both peers are who they claim to be. Pre-shared key authentication relies on a shared secret that both parties know. This method is simpler to configure than certificate-based authentication (RSA-SIG or DSA-SIG) but is considered less secure because the key must be distributed out-of-band and can be compromised if not properly protected. On Cisco ASA, the command is entered under an IKEv1 policy, which is created using 'crypto ikev1 policy <priority>'. The priority number determines the order in which policies are proposed to the peer. The 'authentication pre-share' command is one of several parameters that define the policy, along with encryption, hash, Diffie-Hellman group, and lifetime. This command is typically used in site-to-site VPN deployments where simplicity is desired, or in remote access VPNs using IKEv1. In troubleshooting workflows, verifying the authentication method is important when IKE phase 1 fails; mismatched authentication methods between peers are a common cause of failure. The ASA supports both pre-share and certificate-based authentication, and the choice depends on security requirements and scalability.
When to Use This Command
- Setting up site-to-site VPN with pre-shared key authentication.
- Configuring remote access VPN with pre-shared key for IKEv1.
- Migrating from certificate-based authentication to pre-shared key for simplicity.
- Testing VPN connectivity with minimal configuration using pre-shared keys.
Parameters
| Parameter | Syntax | Description |
|---|---|---|
| authentication pre-share | authentication pre-share | This command sets the authentication method to pre-shared key. It has no additional parameters. It must be entered under an IKEv1 policy configuration. The pre-shared key itself is configured separately using the 'crypto isakmp key' command. |
Command Examples
Configure pre-shared key authentication in IKEv1 policy
ciscoasa(config-ikev1-policy)# authentication pre-share
ciscoasa(config-ikev1-policy)#
This command sets the authentication method to pre-shared key for the current IKEv1 policy. No output is displayed if successful.
Verify IKEv1 policy authentication method
show running-config crypto ikev1 policy 10
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
The output shows that policy 10 uses pre-shared key authentication. The 'authentication pre-share' line confirms the setting.
Understanding the Output
The 'authentication pre-share' command itself does not produce output; it simply sets the authentication method. To verify, use 'show running-config crypto ikev1 policy <policy-number>'. The output lists all parameters of the IKEv1 policy. The 'authentication pre-share' line indicates that pre-shared keys are used. If the line shows 'authentication rsa-sig' or 'authentication dsa-sig', the policy uses digital signatures instead. A healthy configuration will have the desired authentication method. If the line is missing, the policy may not be fully configured or defaults may apply. In troubleshooting, ensure that the pre-shared key is also configured globally or per peer using 'crypto isakmp key' command.
Configuration Scenarios
Site-to-Site VPN with Pre-Shared Key
Two offices connected via internet using ASA firewalls. IKEv1 policy uses pre-shared key authentication.
Topology
[ASA1]---Internet---[ASA2]
Steps
1. Configure IKEv1 policy on ASA1 with authentication pre-share.
2. Configure the pre-shared key for the peer IP on ASA1.
3. Repeat similar configuration on ASA2 with matching parameters.
4. Apply the crypto map to the outside interface.
! On ASA1
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
crypto isakmp key mysecret address 203.0.113.2
!
! On ASA2
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
crypto isakmp key mysecret address 198.51.100.1
Verify: Use 'show crypto isakmp sa' to verify IKE SA establishment. Look for MM_ACTIVE state.
Watch out: Ensure the pre-shared key matches exactly on both peers. Also, the peer IP in the 'crypto isakmp key' command must be the remote ASA's outside interface IP.
Troubleshooting with This Command
When troubleshooting IKEv1 phase 1 failures, the 'authentication pre-share' command is a key parameter to verify. Use 'show running-config crypto ikev1 policy' to list all policies and their authentication methods. If the peer uses a different authentication method (e.g., RSA-SIG), IKE negotiation will fail. Also, ensure that the pre-shared key is configured for the correct peer IP using 'show running-config crypto isakmp key'. Common issues include mismatched keys, missing keys, or incorrect peer addresses. Use 'debug crypto isakmp 127' to see detailed IKE messages; look for 'authentication method' mismatches. If the ASA receives a proposal with a different authentication method, it will reject it. Additionally, check that the IKEv1 policy is correctly applied via a crypto map. The command 'show crypto isakmp sa' displays active SAs; if the state is not MM_ACTIVE, there may be an authentication issue. For pre-shared keys, ensure that the key is not expired or corrupted. On ASA, pre-shared keys can be configured globally or per peer; per-peer keys are recommended for security.
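The site-to-site scenario and the troubleshooting notes above both come down to the same two checks: the same-numbered IKEv1 policy must match parameter for parameter on both peers, and a pre-share policy needs a key configured for the remote peer's address. The following audit script is an added example, not code from this page or from Cisco; it parses the running-config excerpts in the form shown on this page (one-space indented policy parameters, 'crypto isakmp key ... address <ip>' lines) and uses constructed sample configs in which ASA2 is deliberately set to rsa-sig.

```python
import re

# Constructed ASA running-config excerpts for the two-office scenario on this page
# (sample data, not captured from a real device); ASA2 deliberately uses rsa-sig.
ASA1_CONFIG = """\
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp key mysecret address 203.0.113.2
"""
ASA2_CONFIG = ASA1_CONFIG.replace("pre-share", "rsa-sig").replace("203.0.113.2", "198.51.100.1")

POLICY_PARAMS = ("authentication", "encryption", "hash", "group", "lifetime")

def parse_ikev1_policies(config):
    """Return {priority: {param: value}} for every 'crypto ikev1 policy' block."""
    # ASA indents a policy's parameters by one space; an unindented line ends the block.
    policies, current = {}, None
    for line in config.splitlines():
        header = re.match(r"^crypto ikev1 policy (\d+)\s*$", line)
        if header:
            current = policies.setdefault(int(header.group(1)), {})
        elif current is not None and line.startswith(" "):
            name, _, value = line.strip().partition(" ")
            if name in POLICY_PARAMS:
                current[name] = value
        else:
            current = None
    return policies

def psk_peers(config):
    """Peer addresses that have a 'crypto isakmp key <key> address <ip>' line."""
    return set(re.findall(r"^crypto isakmp key \S+ address (\S+)", config, re.M))

def audit_pair(local_cfg, remote_cfg, remote_peer_ip):
    """Report phase-1 mismatches between same-numbered policies and a missing PSK."""
    findings = []
    local, remote = parse_ikev1_policies(local_cfg), parse_ikev1_policies(remote_cfg)
    for prio in sorted(set(local) & set(remote)):
        for p in POLICY_PARAMS:
            if local[prio].get(p) != remote[prio].get(p):
                findings.append(f"policy {prio}: {p} mismatch ({local[prio].get(p)!r} vs {remote[prio].get(p)!r})")
        if local[prio].get("authentication") == "pre-share" \
                and remote_peer_ip not in psk_peers(local_cfg):
            findings.append(f"policy {prio}: no pre-shared key for peer {remote_peer_ip}")
    return findings
```

Run audit_pair on the configs pulled from both ASAs before turning on 'debug crypto isakmp 127'; an empty findings list means the policy parameters and the per-peer key line are consistent and the failure lies elsewhere.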
CCNA Exam Tips
Remember that 'authentication pre-share' is configured under IKEv1 policy config mode.
Know that pre-shared key authentication is simpler but less secure than certificate-based methods.
Be aware that the pre-shared key itself is configured separately using 'crypto isakmp key' command.
Common Mistakes
Forgetting to configure the pre-shared key after setting authentication pre-share, causing IKE negotiation to fail.
Mixing authentication methods between IKEv1 and IKEv2 policies incorrectly.
Using 'authentication pre-share' without specifying a policy number first.
Platform Notes
On Cisco ASA, the 'authentication pre-share' command is specific to IKEv1 policies. For IKEv2, the equivalent is 'authentication pre-share' under 'crypto ikev2 policy' but the command syntax differs. On Cisco IOS routers, the command is similar but entered under 'crypto isakmp policy'. ASA uses 'crypto ikev1 policy' instead. The pre-shared key configuration on ASA uses 'crypto isakmp key' (note: isakmp, not ikev1). In ASA version 9.x and later, IKEv1 is still supported but IKEv2 is preferred. The command behavior is consistent across ASA versions. For remote access VPNs, pre-shared keys can be used with IKEv1, but certificate-based authentication is more common for scalability. When migrating from IOS to ASA, note that the policy numbering and parameter order may differ.