How to recover a VPN key
While troubleshooting a VPN connection, I wanted to confirm that the pre-shared key was identical on both ends. To do so, I used a cool, relatively unknown command that allows you to recover the pre-shared key:
Using the more system:running-config command results in a clear-text pre-shared key:
tunnel-group tunnel_name ipsec-attributes
While this is the easiest way, you might encounter a device with an old version (pre 7.x) that does not support this command. Don’t worry, there are more options. Using TFTP, you can copy the config to your TFTP server, which saves the password in clear text. This is the required command:
copy running-config tftp:
You can also use the lesser-known write net command for the same task. In both cases, the text file containing the configuration on the TFTP server will show the pre-shared key in clear text.
By the way, older ASDM versions will show the passwords in clear text, but I hope you’re not using those old versions.
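Once both ends' configurations are saved as text files, the comparison can be scripted so the keys never have to be read off a screen. This is an added example, not part of the original post: it assumes a `tunnel-group <name> ipsec-attributes` line followed by an indented `pre-shared-key <value>` line, and that a masked key appears as asterisks. The sample configurations are constructed.

```python
import hmac
import re

# Constructed sample exports (not real device output); names and keys are made up.
SITE_A = """\
tunnel-group branch-vpn type ipsec-l2l
tunnel-group branch-vpn ipsec-attributes
 pre-shared-key ExampleKey123
tunnel-group lab-vpn ipsec-attributes
 pre-shared-key SameOnBoth
"""
SITE_B = """\
tunnel-group branch-vpn ipsec-attributes
 pre-shared-key ExampleKey124
tunnel-group lab-vpn ipsec-attributes
 pre-shared-key *****
"""
GROUP = re.compile(r"^tunnel-group (\S+) ipsec-attributes\s*$")
PSK = re.compile(r"^\s+pre-shared-key (\S+)\s*$")  # assumes the key has no spaces

def extract_psks(config_text):
    """Map tunnel-group name -> pre-shared key (None if masked with asterisks)."""
    keys, current = {}, None
    for line in config_text.splitlines():
        if m := GROUP.match(line):
            current = m.group(1)
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the block
        elif current and (m := PSK.match(line)):
            keys[current] = None if set(m.group(1)) == {"*"} else m.group(1)
    return keys

def compare_psks(config_a, config_b):
    """Return {tunnel-group: 'match' | 'MISMATCH' | 'masked' | 'missing'}."""
    a, b = extract_psks(config_a), extract_psks(config_b)
    result = {}
    for name in sorted(set(a) | set(b)):
        if name not in a or name not in b:
            result[name] = "missing"  # key configured on one side only
        elif a[name] is None or b[name] is None:
            result[name] = "masked"   # export did not contain the clear-text key
        else:
            same = hmac.compare_digest(a[name].encode(), b[name].encode())
            result[name] = "match" if same else "MISMATCH"
    return result

if __name__ == "__main__":
    for name, status in compare_psks(SITE_A, SITE_B).items():
        print(f"{name}: {status}")
```

The script prints only a verdict per tunnel group, never the key. The exported files still hold the keys in clear text, so delete them from the TFTP server once the check is done.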