I have an IPSec Tunnel running between a 2851 and an 1841 using Pre-Shared Keys. I would like to use RSA-Signature authentication as we expand into more tunnels with more sites.
I created a key-pair on each router using:
crypto key generate rsa general-keys modulus 2048
I then followed the procedure for creating the trust point and enrolled each router with the CA. I successfully authenticated the CA and obtained certificates for the routers. The IKE Security Protocol document states that "RSA Signatures requires that each peer has the remote peer's public signature Key".
I can display each router's public key with the "sh crypto key mypubkey rsa" command and then attempt to add the peer's public key using "crypto key public-chain rsa". When I get to the stage where I am asked to "Enter a public key as a hexidecimal number:", I paste the peer's key; however, it does not take the full key. I had first copied the key into a text editor and removed the spaces and line breaks.
Is this the correct procedure for exchanging public keys? Is a modulus of 2048 too long?