Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Multiple rsa key pairs on head-end router


I have a question regarding use of rsa key pairs for authentication when setting up IPsec tunnels.

I have a head-end router and multiple remote routers which are administered by multiple third parties.

I want to setup a different key pair on my head-end router for each remote router so that I can regenerate key pairs between the head-end router and one of the remote routers without impacting the other remote routers.

I can configure multiple named key pairs on my head-end router, but can't find a way of associating each pair to a specific remote router.

The head-end router tries to use the "default" private key, not the named private key as per the following:

xxxxx#sho cry is sa

dst src state conn-id slot

xxxx#ping x.x.x.x

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:

Can not select private key (

Success rate is 0 percent (0/5)

SYD01RJET2#sho log


Mar 30 09:43:31.801: ISAKMP (0:1): using the default keypair to sign

Mar 30 09:43:31.801: ISAKMP (0:1): keypair not found

xxxxx#sho cry key my rs

% Key pair was generated at: 15:02:27 EST Mar 29 2004

Key name: xxxxx

Usage: General Purpose Key

Key is not exportable.

Key Data:

30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101

00B0C135 30789626 14EB5872 2699F537 6849E7A1 EC35618A 5047DAF7 58F853DC


SYD01RJET2#sho run


crypto key pubkey-chain rsa

named-key xxxx

address x.x.x.x




Any ideas/suggestions appreciated.

Thanks in advance


Re: Multiple rsa key pairs on head-end router

Regarding "Can not select private key" message, this would be a problem if the RS key pairs were generated and the CA server was authenticated before enrolling

CreatePlease login to create content