pre-shared-key [key]

Sets the pre-shared key for IKE authentication in an IPsec tunnel group on a Cisco ASA firewall.

Overview

The 'pre-shared-key' command is used in Cisco ASA firewall configuration to define the shared secret for IKE (Internet Key Exchange) authentication within a tunnel group. This key is a critical component of IPsec VPNs, providing a simple yet effective method for authenticating peers before establishing an encrypted tunnel. The concept behind pre-shared keys (PSKs) is that both ends of the VPN tunnel must have the same key configured; during IKE phase 1, the peers exchange hashed versions of the key to verify identity without transmitting the key itself.

On the Cisco ASA, this command is entered in tunnel-group ipsec-attributes configuration mode, which is accessed via 'tunnel-group <name> ipsec-attributes'. The key can be specified as plaintext or, for security, as an encrypted string (using the 'encrypted' keyword).

When to use this command: whenever you need to set or change the authentication key for a site-to-site or remote access IPsec VPN. It is a fundamental step in VPN configuration and is often one of the first commands entered after creating the tunnel group.

Platform-specific behavior: on Cisco ASA, the key is stored in the running configuration and can be encrypted automatically when the configuration is saved if 'service password-encryption' is enabled. The 'encrypted' keyword, by contrast, allows you to input a key that is already encrypted (e.g., from a backup).

In troubleshooting workflows, verifying the pre-shared key is a common step when tunnels fail to come up; mismatched keys are a frequent cause of IKE authentication failures. The command itself does not produce extensive output, but its effect is seen in debugs and show commands.

Syntax (Tunnel Group IPsec Config mode)

pre-shared-key [encrypted] key

When to Use This Command

  • Configuring a pre-shared key for a site-to-site VPN tunnel between a Cisco ASA and a remote peer.
  • Setting a pre-shared key for remote access VPN clients using IPsec IKEv1 or IKEv2.
  • Updating an existing pre-shared key for a tunnel group without deleting the entire configuration.
  • Using an encrypted key to avoid plaintext exposure in configuration files.

Parameters

Parameter   Syntax      Description
encrypted   encrypted   Optional keyword indicating that the key provided is already encrypted. Use this when copying configuration from another ASA to avoid double encryption.
key         key         The pre-shared key string. It can be up to 128 characters and is case-sensitive. If the 'encrypted' keyword is used, this must be a valid encrypted key string.

Command Examples

Set a plaintext pre-shared key

pre-shared-key Cisco123!
INFO: Configuring pre-shared key for tunnel-group 'MyTunnel'

The command sets the pre-shared key to 'Cisco123!' for the current tunnel group. The output confirms the key is being configured.

Set an encrypted pre-shared key

pre-shared-key encrypted 1234567890ABCDEF
INFO: Configuring encrypted pre-shared key for tunnel-group 'MyTunnel'

The encrypted keyword indicates the key is already encrypted (e.g., from a previous 'show run' output). The ASA stores it as-is.

Understanding the Output

The command itself does not produce verbose output beyond a confirmation message. The key is stored in the running configuration and can be viewed with 'show running-config tunnel-group <name>'. In the configuration, the key appears as 'pre-shared-key' followed by either the plaintext or encrypted value. If the key is set incorrectly, the VPN tunnel will fail to establish, and debugs like 'debug crypto isakmp' will show authentication failures. A healthy configuration shows a matching key on both peers.

Configuration Scenarios

Site-to-Site VPN with Pre-Shared Key

Two offices connected via IPsec VPN. The ASA at the main office needs to authenticate with the remote ASA using a pre-shared key.

Topology

Main Office ASA (10.1.1.1) --- Internet --- Remote ASA (10.2.2.2)

Steps

  1. Create a tunnel group for the remote peer: tunnel-group 10.2.2.2 type ipsec-l2l
  2. Enter IPsec attributes mode: tunnel-group 10.2.2.2 ipsec-attributes
  3. Set the pre-shared key: pre-shared-key MySecretKey123

Configuration

! Configuration snippet
tunnel-group 10.2.2.2 type ipsec-l2l
tunnel-group 10.2.2.2 ipsec-attributes
 pre-shared-key MySecretKey123

Verify: Use 'show running-config tunnel-group 10.2.2.2' to verify the key is present. Use 'debug crypto isakmp' to see authentication exchanges.

Watch out: Ensure the key matches exactly on both ends; any difference will cause IKE phase 1 failure.

Remote Access VPN with Pre-Shared Key

Configuring a pre-shared key for remote access clients connecting via IPsec VPN to the ASA.

Topology

Remote Client --- Internet --- ASA (outside interface 203.0.113.1)

Steps

  1. Create a tunnel group for remote access: tunnel-group RemoteAccess type remote-access
  2. Enter IPsec attributes mode: tunnel-group RemoteAccess ipsec-attributes
  3. Set the pre-shared key: pre-shared-key ClientPSK456

Configuration

! Configuration snippet
tunnel-group RemoteAccess type remote-access
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key ClientPSK456

Verify: Check 'show vpn-sessiondb' to see active sessions. Use 'debug crypto isakmp' to troubleshoot client connections.

Watch out: For remote access, the pre-shared key is often distributed to clients via configuration profiles; ensure it is kept secure.

Troubleshooting with This Command

When a VPN tunnel fails to establish, one of the first things to check is the pre-shared key. Use 'show running-config tunnel-group <name>' to verify the configured key. If the key appears as 'encrypted' but you need to compare it with the peer, you can only do so by re-entering the same plaintext key on both sides.

Common issues: mismatched keys (the key is case-sensitive), special characters that are not properly interpreted (e.g., spaces, quotes), or keys that exceed the maximum length.

To debug, enable 'debug crypto isakmp 127' to see IKE messages. Look for 'authentication failure' or 'invalid payload' errors. If the key is correct, you should see 'ISAKMP SA established' messages. On the ASA, you can also use 'show crypto isakmp sa' to see the state of IKE SAs; if the state is 'MM_NO_STATE' or 'AG_NO_STATE', authentication may be failing. Another useful command is 'show crypto ipsec sa peer <ip>' to check IPsec SAs.

If the pre-shared key is suspected to be wrong, reconfigure it with a known value and test. Remember that the configuration shows the key either in plaintext (if no encryption is in effect) or as an encrypted string; an encrypted string cannot be compared against the peer's value. To ensure consistency, use the same plaintext key on both peers.

CCNA Exam Tips

  1. Remember that the 'encrypted' keyword is used when pasting a key from another ASA's configuration to avoid re-encryption.
  2. The pre-shared key is case-sensitive; a common exam trap is mismatched case between peers.
  3. For IKEv2, the pre-shared key is configured under the tunnel group IPsec attributes, same as IKEv1.

Common Mistakes

Typing the key in plaintext when the configuration expects an encrypted key, causing the ASA to treat it as plaintext and potentially expose it.

Forgetting to apply the command under the correct tunnel group mode (tunnel-group <name> ipsec-attributes).

Using special characters that are not properly escaped, leading to a truncated or incorrect key.
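As an added example (not part of this reference or of Cisco's tooling), a small Python audit for exported ASA configuration text that covers the troubleshooting and common-mistake points above: it parses 'tunnel-group <name> ipsec-attributes' blocks, flags pre-shared keys stored in plaintext or longer than 128 characters, and compares two peers' plaintext keys case-sensitively (returning None when an encrypted value cannot be compared). The sample configurations are constructed, and the regexes assume the two-line layout shown in this page's snippets.

```python
import re
from typing import Dict, List, Optional
# Constructed sample 'show running-config tunnel-group' output for the two peers.
MAIN_OFFICE_CONFIG = """\
tunnel-group 10.2.2.2 type ipsec-l2l
tunnel-group 10.2.2.2 ipsec-attributes
 pre-shared-key MySecretKey123
tunnel-group RemoteAccess ipsec-attributes
 pre-shared-key encrypted 1234567890ABCDEF
"""
REMOTE_OFFICE_CONFIG = """\
tunnel-group 10.1.1.1 ipsec-attributes
 pre-shared-key mysecretkey123
"""
TG_RE = re.compile(r"^tunnel-group\s+(\S+)\s+ipsec-attributes\s*$")
PSK_RE = re.compile(r"^\s*pre-shared-key\s+(encrypted\s+)?(\S.*?)\s*$")

def parse_psks(config: str) -> Dict[str, dict]:
    """Map each tunnel-group name to its key and whether it is stored encrypted."""
    groups: Dict[str, dict] = {}
    current: Optional[str] = None
    for line in config.splitlines():
        m = TG_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.startswith("tunnel-group"):
            current = None  # a 'type' or other sub-mode line ends the attributes block
            continue
        m = PSK_RE.match(line)
        if m and current is not None:
            groups[current] = {"key": m.group(2), "encrypted": bool(m.group(1))}
    return groups

def audit(config: str) -> List[str]:
    """Flag keys stored in plaintext (exposed in backups) or longer than the 128-char limit."""
    findings = []
    for name, psk in parse_psks(config).items():
        if not psk["encrypted"]:
            findings.append(f"{name}: pre-shared key stored in plaintext")
            if len(psk["key"]) > 128:  # limit stated in this reference
                findings.append(f"{name}: key exceeds 128 characters")
    return findings

def keys_match(local: str, local_tg: str, remote: str, remote_tg: str) -> Optional[bool]:
    """Case-sensitive comparison; None when either key is encrypted (not comparable)."""
    a, b = parse_psks(local).get(local_tg), parse_psks(remote).get(remote_tg)
    if a is None or b is None or a["encrypted"] or b["encrypted"]:
        return None
    return a["key"] == b["key"]
```

Running keys_match on the two sample peers returns False because the remote side differs only in case, which is exactly the mismatch the troubleshooting section describes.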

Platform Notes

On Cisco ASA, the 'pre-shared-key' command is used under tunnel-group ipsec-attributes, whereas on Cisco IOS routers, the equivalent is 'crypto isakmp key <key> address <peer-ip>' under global config. The ASA approach is more granular, allowing different keys per tunnel group. For IKEv2, the same command applies. On other platforms like Palo Alto or Fortinet, pre-shared keys are configured under IKE gateways or phase 1 proposals. ASA version differences: In ASA 8.4 and later, the command syntax remains consistent. The 'encrypted' keyword is particularly useful when migrating configurations between ASAs. Note that if 'service password-encryption' is enabled, the ASA will automatically encrypt the key when saving the configuration, but the 'encrypted' keyword allows you to input an already encrypted string directly.
