IKE Main Mode Authentication can be either with Kerberos, certificates or shared key. If Kerberos is selected, it's the computer password that is used. An encrypted copy of the password is stored in the Kerberos database on every domain controller. I know of no attack which can determine this key. Even the famed "Lophtcrack" (now produced as LC4) does not crack computer account passwords.
The computer keeps another encrypted copy of this password in the LSA secrets. If authentication is with certificates, each computer will have to have a certificate.
As is normal, the public key of the key pair is stored with the certificate in the local computer certificate store. You can use the MMC snap-in, "Certificates" to examine the certificates and import/export certificates and private keys. Click here for more information on certificate stores.
If the authentication is by shared secret, you can view the secret by viewing the IPsec policy. It can also be viewed by using troubleshooting tools. KB articles Q257225Q259335 provide more information on troubleshooting tools.
You also ask about the keys used for encryption. As you know, a master key is created during Phase I or Main Mode. This key is never passed across the network, but is used in Phase II or Quick Mode to generate the session keys. Depending on the settings in the IPsec policy, the master key may be regenerated during or after multiple sessions, for each session, or within the session. Session keys are also generated depending on settings in the policy. These keys are not viewable; they are not passed across the network and thus cannot be captured. I am unaware of any attack that recovers these keys from the computer and thus makes them "viewable."
Dig deeper on Windows legacy operating systems
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.