Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our beta test area to get started.

New Member

Specifying Peer RSA Public Keys

I have an IPSec Tunnel running between a 2851 and an 1841 using Pre-Shared Keys. I would like to use RSA-Signature authentication as we expand into more tunnels with more sites.

I created a key-pair using:

crypto key generate rsa general-keys modulus 2048 on each router.

I then followed the procedure for creating the trust point and enrolled each router with the CA. I successfully authenticated the CA and obtained certificates for the routers. The IKE Security Protocol document states that "RSA Signatures requires that each peer has the remote peer's public signature Key"

I can display each router's public key with the "sh crypto key mypubkey rsa" command and then attempt to add the peer's public key using "crypto key public-chain rsa" When I get to the stage where I am asked to:

Enter a public key as a hexidecimal number: I paste the peer's key, however it does not take the full key. I had first copied the key into a text editor and removed the spaces and line breaks.

Is this the correct procedure for exchanging public keys? Is a modulus of 2048 too long?


  • Other Security Subjects
New Member

Re: Specifying Peer RSA Public Keys

I found the answer to my problem. After specifying the key-string command, you can enter a return. So I pasted the key in sections with a return after each section and then a quit after it was all pasted.