I have an IPSec Tunnel running between a 2851 and an 1841 using Pre-Shared Keys. I would like to use RSA-Signature authentication as we expand into more tunnels with more sites.
I created a key-pair using:
crypto key generate rsa general-keys modulus 2048 on each router.
I then followed the procedure for creating the trust point and enrolled each router with the CA. I successfully authenticated the CA and obtained certificates for the routers. The IKE Security Protocol document states that "RSA Signatures requires that each peer has the remote peer's public signature Key".
I can display each router's public key with the "sh crypto key mypubkey rsa" command and then attempt to add the peer's public key using "crypto key public-chain rsa". When I get to the stage where I am asked to "Enter a public key as a hexidecimal number:", I paste the peer's key; however, it does not take the full key. I had first copied the key into a text editor and removed the spaces and line breaks.
Is this the correct procedure for exchanging public keys? Is a modulus of 2048 too long?
I found the answer to my problem. After specifying the key-string command, you can enter a return. So I pasted the key in sections with a return after each section and then a quit after it was all pasted.
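An added helper for the exchange described above (my code, not from the original post): it normalizes the hex printed by "show crypto key mypubkey rsa" on the peer, confirms it is an rsaEncryption SubjectPublicKeyInfo and reports the modulus size, then emits the "crypto key pubkey-chain rsa" block with the key already split into lines to be entered one at a time under key-string and closed with quit. The peer name and address are placeholders, and the sample key is constructed, not a real key.

```python
import re
RSA_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def _tlv(buf, pos):
    """Read one DER TLV at pos: return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(key_hex):
    """Parse the peer's 'show crypto key mypubkey rsa' hex (whitespace allowed)
    as a DER SubjectPublicKeyInfo and return the RSA modulus size in bits."""
    der = bytes.fromhex(re.sub(r"\s+", "", key_hex))
    tag, spki, _ = _tlv(der, 0)
    _, algid, pos = _tlv(spki, 0)
    _, oid, _ = _tlv(algid, 0)
    if tag != 0x30 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, bitstr, _ = _tlv(spki, pos)      # BIT STRING; first byte = unused-bit count
    _, rsakey, _ = _tlv(bitstr, 1)      # RSAPublicKey SEQUENCE
    _, modulus, _ = _tlv(rsakey, 0)     # INTEGER n (may carry a leading 0x00)
    return int.from_bytes(modulus, "big").bit_length()

def ios_pubkey_chain(peer_name, peer_addr, key_hex):
    """Return the pubkey-chain config lines; the key is split into lines of
    eight 8-digit groups, each line to be pasted and followed by Return."""
    clean = re.sub(r"\s+", "", key_hex).upper()
    groups = [clean[i:i + 8] for i in range(0, len(clean), 8)]
    lines = ["crypto key pubkey-chain rsa", f" named-key {peer_name}",
             f"  address {peer_addr}", "  key-string"]
    lines += ["   " + " ".join(groups[i:i + 8]) for i in range(0, len(groups), 8)]
    return lines + ["  quit"]

def _der(tag, value):
    """Minimal DER encoder (lengths < 128 or 128..65535) for the sample key."""
    n = len(value)
    lenb = bytes([n]) if n < 128 else bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + lenb + value

def sample_key_hex(bits=2048):
    """Constructed sample (not a real key): SPKI with a synthetic modulus, e=65537."""
    modulus = bytes([0xC3]) + b"\x5A" * (bits // 8 - 1)
    rsakey = _der(0x30, _der(0x02, b"\x00" + modulus) + _der(0x02, b"\x01\x00\x01"))
    algid = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    return _der(0x30, algid + _der(0x03, b"\x00" + rsakey)).hex().upper()

if __name__ == "__main__":
    key = sample_key_hex()
    print(f"peer modulus: {rsa_modulus_bits(key)} bits")
    print("\n".join(ios_pubkey_chain("peer1841.example.net", "192.0.2.1", key)))
```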