Configuring Peer Public Keys Without Digital Certificates
During IKE negotiations, peers exchange public keys to authenticate each other's identity and to ensure that IKE SAs are established with the intended party. Typically, public keys are exchanged in messages containing an X.509v3 digital certificate. As an alternative, however, you can configure and exchange peer public keys and use them for RSA authentication without having to obtain a digital certificate.
To configure and exchange peer public keys without obtaining a digital certificate:
- Generate the RSA key pair on the router.
host1(config)#ipsec key generate rsa 1024
Please wait...IPsec Generate Keys complete
- In your IKE policy, set the authentication method to RSA signature.
host1(config)#ipsec ike-policy-rule 1
host1(config-ike-policy)#authentication rsa-sig
host1(config-ike-policy)#exit
host1(config)#exit
Note: For more information about setting up IKE policies, see Defining an IKE Policy in Configuring IPsec.
- Display the router's public key.
host1#show ipsec key mypubkey rsa
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00daaa65 8082ac0a ec42e552 10e3489b 37463ed8 9bfa2541 f46a7b30 0e908749 5b652ae5 ae604e9a 81bc3268 270e7f68 69ffd2a8 be268afa 92849fd0 4e8c96be 3eddf1c2 12d9fe7a 68e8507c 99b59ff3 bb0c3942 b0a90c76 3ae3acbb 4a777037 31527ea0 23693bdc e5393c6f 2ef3e7e7 bb1a308e d42ce0ad a095273e d718384c dd020301 0001
For information about the format of an RSA public key, see Public Key Format.
- Use the output from the show ipsec key mypubkey rsa command to provide information to the remote peer about the public key configured on the E Series router. Providing this information enables the remote peer to enter the router's public key on its own system.
The show ipsec key mypubkey rsa command enables you to display the contents of the router's public key without having to obtain a digital certificate.
- Obtain the public key from the remote peer.
For example, you might receive an e-mail message from the remote peer containing the public key information.
- Configure the public key for the remote IKE peer.
- Access IPsec Peer Public Key Configuration mode.
You must identify the remote peer associated with the public key by specifying the remote peer's IP address, fully qualified domain name (FQDN), or FQDN preceded by an optional user@ specification. For example, the following command enables you to enter the peer public key for the remote peer identified by IP address 192.168.15.5.
host1(config)#ipsec key pubkey-chain rsa address 192.168.15.5
host1(config-peer-public-key)#
- Enter the peer public key that you obtained in Step 5.
host1(config-peer-public-key)#key-string "
Enter remainder of text message. End with the character '"'.
30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101 00effc6f d91cbf23 5de66454 420db27a 0bacfc92 63a54e60 587c3e1c 951be4e8 09e7d130 da924040 0ceb797c ddc0df10 dabeb3fc a17145ff 6e7ff977 68ac0698 748d30f4 478252ed 29bf3e4e a6657cc8 cfaf1de4 e7dc2473 33231286 0ecfb15b 4aac505b 255f17ca faf884ca f0402022 5ad6f446 e0f3fb1e d48bbc00 5d4fe9b6 35f88b53 1bf4f07c b168e47b b7143181 5bad4586 0abb7b03 6dba9668 b45e3714 0b64ca82 3a53f69b 357a7d41 f512da37 71901b14 08212648 277f6d38 6bc34164 8c3ac8d4 d9c8baac dc006dac 8c09ce37 44a5d124 b69fec24 df0fc3a8 98e6efc8 5a1d65eb e4b832ba adc26c63 1996fe37 e797ecff 6e2acdd6 0981ef2c 3dd2f506 01020301 0001"
- (Optional) Verify the peer public key configuration.
host1#show ipsec key pubkey-chain rsa address 192.168.15.5
30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101 00effc6f d91cbf23 5de66454 420db27a 0bacfc92 63a54e60 587c3e1c 951be4e8 09e7d130 da924040 0ceb797c ddc0df10 dabeb3fc a17145ff 6e7ff977 68ac0698 748d30f4 478252ed 29bf3e4e a6657cc8 cfaf1de4 e7dc2473 33231286 0ecfb15b 4aac505b 255f17ca faf884ca f0402022 5ad6f446 e0f3fb1e d48bbc00 5d4fe9b6 35f88b53 1bf4f07c b168e47b b7143181 5bad4586 0abb7b03 6dba9668 b45e3714 0b64ca82 3a53f69b 357a7d41 f512da37 71901b14 08212648 277f6d38 6bc34164 8c3ac8d4 d9c8baac dc006dac 8c09ce37 44a5d124 b69fec24 df0fc3a8 98e6efc8 5a1d65eb e4b832ba adc26c63 1996fe37 e797ecff 6e2acdd6 0981ef2c 3dd2f506 01020301 0001
authentication
- Use to specify in the ISAKMP/IKE policy that the router uses the RSA signature authentication method for IKE negotiations.
- Example
host1(config-ike-policy)#authentication rsa-sig
- Use the no version to restore the default authentication method, preshared keys.
- See authentication.
ipsec ike-policy-rule
- Use to access IPsec IKE Policy Configuration mode to define an ISAKMP/IKE policy.
- For information about how to use this command, see ipsec ike-policy-rule.
- Example
host1(config)#ipsec ike-policy-rule 2
host1(config-ike-policy)#
- Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.
- See ipsec ike-policy-rule.
ipsec key generate
- Use to generate a 1024-bit or 2048-bit RSA key pair.
- Example
host1(config)#ipsec key generate rsa 2048
Please wait...........................................................................IPsec Generate Keys complete
- There is no no version. To remove a key pair, use the ipsec key zeroize command.
- See ipsec key generate.
ipsec key pubkey-chain rsa
- Use to access IPsec Peer Public Key Configuration mode to configure the public key for a remote peer with which you want to establish IKE SAs.
- The ipsec key pubkey-chain rsa command enables you to manually enter the public key data for the remote peer without having to obtain a digital certificate.
- To specify the IP address of the remote peer associated with the public key, use the address keyword followed by the IP address, in 32-bit dotted decimal format.
- To specify the identity of the remote peer associated with the public key, use the name keyword followed by either:
- The fully qualified domain name (FQDN)
- The FQDN preceded by an optional user@ specification; this is also referred to as user FQDN format
- The FQDN and user FQDN identifiers are case-sensitive.
- To ensure that the public key is associated with the correct remote peer, the router requires an exact match for the identifier string. For example, a public key for user FQDN mjones@sales.company_abc.com does not match a public key for FQDN sales.company_abc.com.
- From IPsec Peer Public Key Configuration mode, use the key-string command to enter the peer public key data. For information about how to use this command, see key-string.
- Example 1—Enables you to configure the public key for a remote peer with IP address 192.168.50.10
host1(config)#ipsec key pubkey-chain rsa address 192.168.50.10
host1(config-peer-public-key)#
- Example 2—Enables you to configure the public key for a remote peer with the FQDN sales.company_xyz.com
host1(config)#ipsec key pubkey-chain rsa name sales.company_xyz.com
host1(config-peer-public-key)#
- Example 3—Enables you to configure the public key for a remote peer with the user FQDN tsmith@sales.company_xyz.com
host1(config)#ipsec key pubkey-chain rsa name tsmith@sales.company_xyz.com
host1(config-peer-public-key)#
- Use the no version to remove the peer public key from the router.
- See ipsec key pubkey-chain rsa.
key-string
- Use to manually enter a 1024-bit or 2048-bit public key for a remote peer with which you want to establish IKE SAs.
- The key string represents the public key hexadecimal data that includes the ASN.1 object identifier and sequence tags for RSA encryption.
- Enter an alphanumeric key string with a maximum of 1999 characters.
- You must use the same character (for example, " or x) at the beginning and end of the string to delimit the key string. The delimiter character is case-sensitive and must not occur anywhere else in the key string.
- For information about the format of an RSA public key, see Public Key Format.
- Example 1—Configures the public key for a remote peer with IP address 192.168.50.10, using " (double quotation marks) as the key string delimiter character
host1(config)#ipsec key pubkey-chain rsa address 192.168.50.10
host1(config-peer-public-key)#key-string "
Enter remainder of text message. End with the character '"'.
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00d3a447 0b997844 213de4ae 13a2c09b f74051cd d404a187 c5e86867 d525cb6e 571a44f2 92bac7e8 bb282857 fb20357c d94ec241 b651596c 350dd770 6853526b c95e60c1 52ec06ce 094882a7 4a7275a6 af1b738f 29d1124d 21e49b2a 3b0b7f2f fe31f0cc 178ddbfe a587a7a9 83aa0601 e86e7de4 3ca78f60 89a758bf 4c1247ba cb020301 0001"
- Example 2—Configures the public key for a remote peer with the FQDN sales.company_xyz.com, using ' (single quotation mark) as the key string delimiter character
host1(config)#ipsec key pubkey-chain rsa name sales.company_xyz.com
host1(config-peer-public-key)#key-string '
Enter remainder of text message. End with the character '''.
30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101 00c03cc6 0bad55ea b4f8a01f 5cf69de5 f03185e2 1338b5cb fa8418c3 6cbe1a77 bfefba5b 7a8f0ac2 6e2b223b 11e3c316 a30f7fb0 7bd2ab8a a614bb3d 2fce97bf d6376467 0d5d1a16 d630c173 3ed93434 e690f355 00128ffb c36e72fa 46eae49a 5704eabe 0e34776c 7d243b8b fcb03c75 965c12f4 d68c6e63 33e0207c a985ffff 2422fb53 23d49dbb f7fd3140 a7f245ee bf629690 9356a29c b149451a 691a2531 9787ce37 2601bdf9 1434b174 4fd21cf2 48e10f58 9ac89df1 56e360b1 66fb0b3f 27ad6396 7a491d74 3b8379ea be502979 8f0270b2 6063a474 fadc5f18 f0ca6f7a ddea66c7 cf637598 9cdb5087 0480af29 b9c174ab 1b1d033f 67641a8c 5918ddce 1f020301 0001'
- Example 3—Configures the public key for a remote peer with the user FQDN tsmith@sales.company_xyz.com, using lowercase x as the key string delimiter character
host1(config)#ipsec key pubkey-chain rsa name tsmith@sales.company_xyz.com
host1(config-peer-public-key)#key-string x
Enter remainder of text message. End with the character 'x'.
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00bcc106 8694a505 0b92433e 4c27441e 3ad8955d 5628e2ea 5ee34b0c 6f82c4fd 8d5b7b51 f1a3c94f c4373f9b 70395011 79b4c2fb 639a075b 3d66185f 9cc6cdd1 6df51f74 cb69c8bb dbb44433 a1faac45 10f52be8 d7f2c8cd ad5172a6 e7f14b1c bba4037b 29b475c6 ad7305ed 7c460779 351560c6 344ccd1a 35935ea3 da5de228 bd020301 0001x
- There is no no version. Use the no version of the ipsec key pubkey-chain rsa command to remove the peer public key from the router.
- See key-string.
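A peer's key usually arrives out of band (Step 5 of the procedure above mentions e-mail), so it is worth decoding it and agreeing a fingerprint with the peer before entering it with key-string. The following Python script is an added example, not part of the Juniper documentation or of the JunosE software: it decodes the key-string hexadecimal data (the DER SubjectPublicKeyInfo with the rsaEncryption object identifier and SEQUENCE tags referred to under Public Key Format) into modulus and exponent, rejects sizes other than the 1024-bit and 2048-bit keys the router accepts, and returns a SHA-256 fingerprint of the DER bytes; the fingerprint comparison is an assumed operating practice, not a router feature, and the sample key is the 1024-bit key shown earlier on this page.

```python
import hashlib
import re

# Constructed sample: the 1024-bit key printed by "show ipsec key mypubkey rsa" on this page.
SAMPLE_KEY_HEX = """
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00daaa65
8082ac0a ec42e552 10e3489b 37463ed8 9bfa2541 f46a7b30 0e908749 5b652ae5
ae604e9a 81bc3268 270e7f68 69ffd2a8 be268afa 92849fd0 4e8c96be 3eddf1c2
12d9fe7a 68e8507c 99b59ff3 bb0c3942 b0a90c76 3ae3acbb 4a777037 31527ea0
23693bdc e5393c6f 2ef3e7e7 bb1a308e d42ce0ad a095273e d718384c dd020301
0001
"""
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _tlv(buf, pos, tag):
    """Read one DER tag-length-value at pos; return (value, offset after it)."""
    if buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#04x} at offset {pos}, got {buf[pos]:#04x}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return buf[pos:pos + length], pos + length


def parse_key_string(key_hex):
    """Decode a key-string (hex SubjectPublicKeyInfo) and validate it for IKE rsa-sig."""
    der = bytes.fromhex(re.sub(r"\s+", "", key_hex))
    spki, end = _tlv(der, 0, 0x30)             # SubjectPublicKeyInfo ::= SEQUENCE
    if end != len(der):
        raise ValueError("trailing bytes after SubjectPublicKeyInfo")
    alg_id, pos = _tlv(spki, 0, 0x30)          # AlgorithmIdentifier ::= SEQUENCE
    oid, _ = _tlv(alg_id, 0, 0x06)             # OBJECT IDENTIFIER (NULL params follow)
    if oid != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    bit_str, _ = _tlv(spki, pos, 0x03)         # BIT STRING; first octet = unused bits
    rsa_pub, _ = _tlv(bit_str, 1, 0x30)        # RSAPublicKey ::= SEQUENCE { n, e }
    n_bytes, pos = _tlv(rsa_pub, 0, 0x02)
    e_bytes, _ = _tlv(rsa_pub, pos, 0x02)
    n, e = int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")
    if n.bit_length() not in (1024, 2048):     # the only sizes key-string accepts
        raise ValueError(f"unsupported modulus size: {n.bit_length()} bits")
    if n % 2 == 0 or e < 3 or e % 2 == 0:
        raise ValueError("modulus or exponent is not a valid RSA value")
    # Fingerprint of the exact DER bytes: agree it with the peer over a second
    # channel (assumed practice, not a router feature) before committing the key.
    return {"bits": n.bit_length(), "exponent": e, "modulus": n,
            "fingerprint": hashlib.sha256(der).hexdigest()}
```

Run parse_key_string over the text the peer sent and over the peer's own show ipsec key mypubkey rsa output; if the two fingerprints differ, the key was altered in transit and must not be entered.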