Configuring Peer Public Keys Without Digital Certificates

During IKE negotiations, peers exchange public keys to authenticate each other's identity and to ensure that IKE SAs are established with the intended party. Typically, public keys are exchanged in messages containing an X.509v3 digital certificate. As an alternative, however, you can configure and exchange peer public keys and use them for RSA authentication without having to obtain a digital certificate. Without a certificate, nothing in the IKE exchange itself vouches for which key belongs to which peer; that binding is only as strong as the procedure you use to obtain and verify the peer's key (Step 5 below).

To configure and exchange peer public keys without obtaining a digital certificate:

  1. Generate the RSA key pair on the router. This example generates a 1024-bit key; 1024-bit RSA is below current minimum recommendations (2048 bits), so use a larger modulus if your platform and the remote peer support it.
    host1(config)#ipsec key generate rsa 1024
    Please wait...
    IPsec Generate Keys complete
  2. In your IKE policy, set the authentication method to RSA signature.
    host1(config)#ipsec ike-policy-rule 1
    host1(config-ike-policy)#authentication rsa-sig
    host1(config-ike-policy)#exit
    host1(config)#exit

    Note: For more information about setting up IKE policies, see Defining an IKE Policy in Configuring IPsec.

  3. Display the router's public key.
    host1#show ipsec key mypubkey rsa
     30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00daaa65
     8082ac0a ec42e552 10e3489b 37463ed8 9bfa2541 f46a7b30 0e908749 5b652ae5
     ae604e9a 81bc3268 270e7f68 69ffd2a8 be268afa 92849fd0 4e8c96be 3eddf1c2
     12d9fe7a 68e8507c 99b59ff3 bb0c3942 b0a90c76 3ae3acbb 4a777037 31527ea0
     23693bdc e5393c6f 2ef3e7e7 bb1a308e d42ce0ad a095273e d718384c dd020301
     0001 

    For information about the format of an RSA public key, see Public Key Format.

  4. Send the output of the show ipsec key mypubkey rsa command to the administrator of the remote peer, so that they can enter this router's public key on their own system. The command displays the router's public key directly, so no digital certificate is needed to distribute it. The public key is not secret, but the peer must be able to confirm that the key they received is really yours, so be prepared to confirm it over a second channel.

  5. Obtain the public key from the remote peer.

    For example, you might receive an e-mail message from the remote peer containing the public key information. E-mail is neither authenticated nor integrity-protected, so before you enter the key, confirm over a second channel (for example, a phone call with the peer's administrator) that the key text, or a hash of it that both sides compute, matches what the peer actually generated. A key substituted in transit would let a third party authenticate to this router as the peer.

  6. Configure the public key for the remote IKE peer.
    1. Access IPsec Peer Public Key Configuration mode.

      You must identify the remote peer associated with the public key by specifying the remote peer's IP address, fully qualified domain name (FQDN), or FQDN preceded by an optional user@ specification. For example, the following command enables you to enter the peer public key for the remote peer identified by IP address 192.168.15.5.

      host1(config)#ipsec key pubkey-chain rsa address 192.168.15.5
      host1(config-peer-public-key)#
    2. Enter the peer public key that you obtained and verified in Step 5.
      host1(config-peer-public-key)#key-string "
      Enter remainder of text message. End with the character '"'.
       30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
       00effc6f d91cbf23 5de66454 420db27a 0bacfc92 63a54e60 587c3e1c 951be4e8
       09e7d130 da924040 0ceb797c ddc0df10 dabeb3fc a17145ff 6e7ff977 68ac0698
       748d30f4 478252ed 29bf3e4e a6657cc8 cfaf1de4 e7dc2473 33231286 0ecfb15b
       4aac505b 255f17ca faf884ca f0402022 5ad6f446 e0f3fb1e d48bbc00 5d4fe9b6
       35f88b53 1bf4f07c b168e47b b7143181 5bad4586 0abb7b03 6dba9668 b45e3714
       0b64ca82 3a53f69b 357a7d41 f512da37 71901b14 08212648 277f6d38 6bc34164
       8c3ac8d4 d9c8baac dc006dac 8c09ce37 44a5d124 b69fec24 df0fc3a8 98e6efc8
       5a1d65eb e4b832ba adc26c63 1996fe37 e797ecff 6e2acdd6 0981ef2c 3dd2f506
       01020301 0001"
    3. (Optional) Verify the peer public key configuration by displaying the stored key and comparing it with the key you verified in Step 5.
      host1#show ipsec key pubkey-chain rsa address 192.168.15.5
      
       30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
       00effc6f d91cbf23 5de66454 420db27a 0bacfc92 63a54e60 587c3e1c 951be4e8
       09e7d130 da924040 0ceb797c ddc0df10 dabeb3fc a17145ff 6e7ff977 68ac0698
       748d30f4 478252ed 29bf3e4e a6657cc8 cfaf1de4 e7dc2473 33231286 0ecfb15b
       4aac505b 255f17ca faf884ca f0402022 5ad6f446 e0f3fb1e d48bbc00 5d4fe9b6
       35f88b53 1bf4f07c b168e47b b7143181 5bad4586 0abb7b03 6dba9668 b45e3714
       0b64ca82 3a53f69b 357a7d41 f512da37 71901b14 08212648 277f6d38 6bc34164
       8c3ac8d4 d9c8baac dc006dac 8c09ce37 44a5d124 b69fec24 df0fc3a8 98e6efc8
       5a1d65eb e4b832ba adc26c63 1996fe37 e797ecff 6e2acdd6 0981ef2c 3dd2f506
       01020301 0001 
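
The following script is an added example, not part of the Juniper documentation or the router software. It takes the hex dump printed by show ipsec key mypubkey rsa (or received from a peer for key-string), decodes it as a DER SubjectPublicKeyInfo, confirms the algorithm is rsaEncryption, reports the modulus size and public exponent, and computes a SHA-256 fingerprint that both administrators can read out over a second channel before the key is entered in Step 6. The two dumps embedded below are the keys shown on this page; the 2048-bit minimum and the fingerprint format are assumptions chosen for the example, not router behaviour.

```python
"""Offline checks for an RSA public key taken from 'show ipsec key mypubkey rsa'
or from a peer. Added example; not Juniper code. Standard library only."""
import hashlib
import re

# DER contents of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")

# Router key exactly as printed by 'show ipsec key mypubkey rsa' on this page (1024-bit).
ROUTER_KEY_DUMP = """
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00daaa65
8082ac0a ec42e552 10e3489b 37463ed8 9bfa2541 f46a7b30 0e908749 5b652ae5
ae604e9a 81bc3268 270e7f68 69ffd2a8 be268afa 92849fd0 4e8c96be 3eddf1c2
12d9fe7a 68e8507c 99b59ff3 bb0c3942 b0a90c76 3ae3acbb 4a777037 31527ea0
23693bdc e5393c6f 2ef3e7e7 bb1a308e d42ce0ad a095273e d718384c dd020301
0001
"""

# Peer key exactly as entered with key-string on this page (2048-bit).
PEER_KEY_DUMP = """
30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
00effc6f d91cbf23 5de66454 420db27a 0bacfc92 63a54e60 587c3e1c 951be4e8
09e7d130 da924040 0ceb797c ddc0df10 dabeb3fc a17145ff 6e7ff977 68ac0698
748d30f4 478252ed 29bf3e4e a6657cc8 cfaf1de4 e7dc2473 33231286 0ecfb15b
4aac505b 255f17ca faf884ca f0402022 5ad6f446 e0f3fb1e d48bbc00 5d4fe9b6
35f88b53 1bf4f07c b168e47b b7143181 5bad4586 0abb7b03 6dba9668 b45e3714
0b64ca82 3a53f69b 357a7d41 f512da37 71901b14 08212648 277f6d38 6bc34164
8c3ac8d4 d9c8baac dc006dac 8c09ce37 44a5d124 b69fec24 df0fc3a8 98e6efc8
5a1d65eb e4b832ba adc26c63 1996fe37 e797ecff 6e2acdd6 0981ef2c 3dd2f506
01020301 0001
"""


def dump_to_der(text):
    """Collapse the router's hex dump (groups of 8 hex digits, any line breaks) into DER bytes."""
    return bytes.fromhex(re.sub(r"\s+", "", text))


def _tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data (truncated key?)")
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_spki(der):
    """Parse SubjectPublicKeyInfo { AlgorithmIdentifier, BIT STRING { RSAPublicKey } }.
    Returns (modulus, exponent) as ints; raises ValueError for anything else."""
    tag, spki, end = _tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single SEQUENCE covering the whole key")
    tag, algid, pos = _tlv(spki, 0)
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    oid_tag, oid, _ = _tlv(algid, 0)
    if oid_tag != 0x06 or oid != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    tag, bits, _ = _tlv(spki, pos)
    if tag != 0x03 or not bits or bits[0] != 0x00:
        raise ValueError("malformed subjectPublicKey BIT STRING")
    tag, rsapub, _ = _tlv(bits[1:], 0)     # RSAPublicKey ::= SEQUENCE { n INTEGER, e INTEGER }
    if tag != 0x30:
        raise ValueError("missing RSAPublicKey SEQUENCE")
    n_tag, n, pos = _tlv(rsapub, 0)
    e_tag, e, _ = _tlv(rsapub, pos)
    if n_tag != 0x02 or e_tag != 0x02:
        raise ValueError("modulus/exponent are not INTEGERs")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


def fingerprint(der):
    """SHA-256 over the DER bytes, colon-separated, for reading out over a second channel."""
    h = hashlib.sha256(der).hexdigest()
    return ":".join(h[i:i + 2] for i in range(0, len(h), 2))


def check_key(text, min_bits=2048):
    """Return what an operator should compare before typing a peer key into key-string."""
    der = dump_to_der(text)
    n, e = parse_rsa_spki(der)
    warnings = []
    if n.bit_length() < min_bits:          # assumed policy threshold, not a router setting
        warnings.append(f"modulus is {n.bit_length()} bits; below {min_bits}")
    if e < 3 or e % 2 == 0:
        warnings.append(f"unusual public exponent {e}")
    return {"bits": n.bit_length(), "exponent": e,
            "sha256": fingerprint(der), "warnings": warnings}


if __name__ == "__main__":
    for name, dump in (("router", ROUTER_KEY_DUMP), ("peer", PEER_KEY_DUMP)):
        r = check_key(dump)
        print(f"{name}: RSA-{r['bits']} e={r['exponent']} sha256={r['sha256']}")
        for w in r["warnings"]:
            print(f"  WARNING: {w}")
```

Run it against the key you received, read the fingerprint to the peer's administrator, and only enter the key with key-string once both sides report the same value; a truncated or altered dump fails the DER length checks or produces a different fingerprint.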

Related Commands

authentication
ipsec ike-policy-rule
ipsec key generate
ipsec key pubkey-chain rsa
key-string