authentication pre-share
Specifies the authentication method as pre-shared keys for an ISAKMP policy, used to authenticate IKE phase 1 peers in IPsec VPNs.
authentication pre-share
When to Use This Command
- Configuring a site-to-site VPN between two branch offices using a shared secret.
- Setting up a remote access VPN where the remote user and VPN gateway share a pre-configured key.
- Establishing a VPN tunnel with a third-party vendor that requires pre-shared key authentication.
- Quickly deploying a VPN test lab without needing a PKI infrastructure.
Command Examples
Basic pre-share authentication configuration
crypto isakmp policy 10
 authentication pre-share

crypto isakmp policy 10
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
The 'authentication pre-share' command sets the authentication method to pre-shared keys. The output shows the full policy configuration: hash algorithm SHA, authentication pre-share, Diffie-Hellman group 2, and lifetime of 86400 seconds (24 hours).
Verifying ISAKMP policy authentication
show crypto isakmp policy
Global IKE policy
Protection suite of priority 10
encryption algorithm: AES - Advanced Encryption Standard (256 bit keys).
hash algorithm: Secure Hash Standard
authentication method: Pre-Shared Key
Diffie-Hellman group: #2 (1024 bit)
lifetime: 86400 seconds, no volume limit
The 'show crypto isakmp policy' output displays the configured policies. The 'authentication method: Pre-Shared Key' line confirms that pre-share authentication is set. Other fields show encryption, hash, DH group, and lifetime.
Understanding the Output
The 'authentication pre-share' command itself produces no output; it simply sets the authentication method in the ISAKMP policy configuration. To verify, use 'show crypto isakmp policy'. The output lists each configured policy with its priority. Key fields: 'encryption algorithm' (e.g., AES-256), 'hash algorithm' (e.g., SHA), 'authentication method' (should show 'Pre-Shared Key'), 'Diffie-Hellman group' (e.g., #2), and 'lifetime' in seconds. Ensure the authentication method matches the peer's configuration; a mismatch causes IKE phase 1 negotiation to fail. A common issue is forgetting to set the pre-shared key globally with the 'crypto isakmp key' command, which is required for pre-share authentication to work.
CCNA Exam Tips
CCNA exam tip: The 'authentication pre-share' command is configured under ISAKMP policy, not globally. Remember the order: encryption, hash, authentication, group, lifetime.
CCNA exam tip: Pre-shared keys are less secure than certificate-based authentication but simpler to configure. The exam may test your knowledge of when to use each.
CCNA exam tip: You must also configure a matching pre-shared key using 'crypto isakmp key' for the peer; otherwise, authentication fails even if the policy is correct.
CCNA exam tip: The default authentication method is 'rsa-sig' (RSA signatures). If you don't specify 'pre-share', the router will use RSA, which requires certificates.
Common Mistakes
Mistake: Forgetting to configure the pre-shared key with 'crypto isakmp key' after setting authentication pre-share. Consequence: IKE phase 1 fails with 'invalid authentication method' or 'no pre-shared key' errors.
Mistake: Using 'authentication pre-share' but the peer uses a different method (e.g., rsa-sig). Consequence: IKE negotiation fails due to policy mismatch.
Mistake: Configuring authentication pre-share in the wrong ISAKMP policy or not matching the peer's policy parameters (encryption, hash, group). Consequence: No matching policy found, tunnel does not come up.
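The following two-router configuration is an added illustration, not one of the page's own examples, that ties together the points made under Understanding the Output and Common Mistakes: the ISAKMP policy attributes on each router must match the peer's, and each router must also have a 'crypto isakmp key' bound to the peer's address. The addresses (192.0.2.1 and 198.51.100.1) and the key value are constructed placeholders.

```cisco
! Router A (constructed example; IKE source address 192.0.2.1, peer 198.51.100.1)
! Attributes mirror the page's example so they match the peer: encryption,
! hash, authentication, DH group, lifetime. The priority number (10) is local
! and does not have to match the peer's priority number.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
!
! Required in addition to the policy: without this line phase 1 fails even
! though 'show crypto isakmp policy' reports 'Pre-Shared Key'. The address is
! the peer's IKE source address and the key must be identical on both ends
! (REPLACE_WITH_STRONG_SHARED_SECRET is a placeholder, not a real key).
crypto isakmp key REPLACE_WITH_STRONG_SHARED_SECRET address 198.51.100.1
!
! Router B (peer; IKE source address 198.51.100.1) - same attributes,
! key bound to Router A's address.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 2
 lifetime 86400
crypto isakmp key REPLACE_WITH_STRONG_SHARED_SECRET address 192.0.2.1
!
! Verification on either router after interesting traffic triggers the tunnel:
!   show crypto isakmp policy   -> 'authentication method: Pre-Shared Key'
!   show crypto isakmp sa       -> state QM_IDLE means phase 1 completed
!   debug crypto isakmp         -> shows each proposal attribute being compared,
!                                  which is where a policy or key mismatch is seen
```

Note that 'hash sha' and 'group 2' are kept here only to match the page's example; on production devices prefer 'hash sha256' and 'group 14' or higher, because SHA-1 and 1024-bit Diffie-Hellman are no longer considered adequate.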
Related Commands