I guess you have already noticed that the VPN pre-shared keys stay in plain text even after applying password encryption. Below you can find a short explanation on how to encrypt it and keep it all safe:
This is the VPN config before encryption:
******************************************************************
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key S3cr3tK3y! address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
******************************************************************
This is the VPN config after encryption:
******************************************************************
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key 6 V\OfYXeLVIdCaeS`HHQINQMBf\UDiG address 0.0.0.0 0.0.0.0
crypto isakmp invalid-spi-recovery
******************************************************************
If you look at your config, you can’t see the key in plain text, right?
It is very simple to revert that. Check how:
Get into “conf t”, and:
key config-key password-encryption [master key]
password encryption aes
The “master key” is what the router will use to encrypt your pre-shared keys. If you do not type this when you submit the rest of the command the router will prompt you.
The passwords are not actually encrypted until you enter the second command. After the passwords are encrypted they cannot be unencrypted on the router. You can change the master key if you want to by re-issuing the first command. The router will require you to enter the original key.
You can remove the master key by running:
no key config-key password-encryption
However, any current passwords will be rendered useless. Since the master key is no longer available the router cannot decrypt the password.
Done, now you can keep the world a little bit “safer”!
[ You can also find more information in CISCO itself ]
Brain Knowledge 