IKE Authentication Using Public Keys Without Digital Certificates

During IKE negotiations, peers exchange public keys to authenticate each other's identity and to ensure that IKE SAs are established with the intended party. Typically, public keys are exchanged in messages containing an X.509v3 digital certificate.

As an alternative to setting up digital certificates, you can configure and exchange public keys for IKE peers and use these keys for RSA signature authentication without having to obtain a digital certificate. This method offers the simplicity and convenience of using preshared key authentication without its inherent security risks.

With this method, you no longer need a digital certificate to do the following:

Configuration Tasks

To set up public keys and peer public keys without obtaining a digital certificate, you use router commands to perform the following tasks:

For instructions on setting up peer public keys without a digital certificate, see Configuring Peer Public Keys Without Digital Certificates.

Public Key Format

RSA encryption and authentication require a public key on both the ERX router and the remote peer with which the router seeks to establish IKE SAs.

The length of the public key can be 1024 bits or 2048 bits, and the format conforms to the RSA standard defined in RFC 3447—Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 (February 2003).

The public key consists of three components: the ASN.1 header information, the RSA public key modulus, and the RSA public key exponent.

In the following example of a 1024-bit public key, the first portion of the key (the bytes through 89028181 and the 00 sign-padding byte that follows) represents the ASN.1 header information, that is, the SubjectPublicKeyInfo wrapper that identifies the algorithm as rsaEncryption. The second portion (beginning with A7E43C and ending with the 07 that opens the final group 07020301) represents the 128-byte RSA public key modulus. The third portion (020301 0001, the DER-encoded INTEGER 65537) represents the RSA public key exponent.

  30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A7E43C
  3E2D399F 34EF6E16 F84464A9 8A145997 CC7F34C8 3DFF8216 57780FE9 D5CE2717
  86239050 7A331044 EBA90120 EC13A78D C1B24285 333A9193 D94A59C8 492D8CB9
  A46403A4 37461E00 768CF45C 580211AC 72793764 51E3AB3C F9A6665E 562E3681
  F120405E 30235690 6FC093AA EB0FE956 51C38EE1 54D81E40 7687C387 07020301
  0001
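The following is an added example, not part of the Juniper documentation: a minimal DER walker that splits the key shown above into the three portions the text describes (ASN.1 header, modulus, exponent) and rejects a key whose structure or algorithm identifier does not match what RFC 3447 / PKCS #1 and the SubjectPublicKeyInfo wrapper require. The function and variable names are the example's own.

```python
# Added example (not from the Juniper documentation): a minimal DER walker that
# splits the 1024-bit key shown above into the three parts the text describes:
# the ASN.1 header, the RSA modulus n and the public exponent e (RFC 3447 / PKCS #1).
ERX_EXAMPLE_KEY = """
30819F30 0D06092A 864886F7 0D010101 05000381 8D003081 89028181 00A7E43C
3E2D399F 34EF6E16 F84464A9 8A145997 CC7F34C8 3DFF8216 57780FE9 D5CE2717
86239050 7A331044 EBA90120 EC13A78D C1B24285 333A9193 D94A59C8 492D8CB9
A46403A4 37461E00 768CF45C 580211AC 72793764 51E3AB3C F9A6665E 562E3681
F120405E 30235690 6FC093AA EB0FE956 51C38EE1 54D81E40 7687C387 07020301
0001
"""  # key text copied verbatim from the page
RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # id 1.2.840.113549.1.1.1

def read_tlv(der, pos, want, what):
    """Read one DER tag-length-value at pos, check the tag, return (value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if tag != want:
        raise ValueError(f"expected {what} (tag 0x{want:02X}) at offset {pos - 2}, got 0x{tag:02X}")
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return pos, pos + length

def parse_rsa_public_key(key_text):
    """Split a SubjectPublicKeyInfo-wrapped RSA public key into header, n and e."""
    der = bytes.fromhex("".join(key_text.split()))
    p, end = read_tlv(der, 0, 0x30, "SubjectPublicKeyInfo SEQUENCE")
    if end != len(der):
        raise ValueError("outer SEQUENCE length does not match the key length")
    alg, alg_end = read_tlv(der, p, 0x30, "AlgorithmIdentifier SEQUENCE")
    oid, oid_end = read_tlv(der, alg, 0x06, "OBJECT IDENTIFIER")
    if der[oid:oid_end] != RSA_ENCRYPTION_OID:
        raise ValueError("algorithm is not rsaEncryption")
    bits, _ = read_tlv(der, alg_end, 0x03, "BIT STRING")   # der[bits] = unused-bit count (0)
    seq, seq_end = read_tlv(der, bits + 1, 0x30, "RSAPublicKey SEQUENCE")
    n_start, n_end = read_tlv(der, seq, 0x02, "INTEGER modulus")
    e_start, e_end = read_tlv(der, n_end, 0x02, "INTEGER publicExponent")
    if e_end != seq_end:
        raise ValueError("trailing data after the public exponent")
    n = int.from_bytes(der[n_start:n_end], "big")         # leading 0x00 sign byte drops out
    return {"header_hex": der[:n_start].hex().upper(),    # all DER wrapping before n's value
            "modulus": n, "modulus_bits": n.bit_length(),
            "exponent": int.from_bytes(der[e_start:e_end], "big")}

if __name__ == "__main__":
    parts = parse_rsa_public_key(ERX_EXAMPLE_KEY)
    print(f"{parts['modulus_bits']}-bit modulus, e = {parts['exponent']}")
```

Running it on the page's key reports a 1024-bit modulus with exponent 65537; a key pasted with a corrupted byte in the algorithm identifier or a truncated modulus is rejected instead of being silently accepted as a peer public key.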

For more information about the format of an RSA public key and about ASN.1 syntax, see RFC 3447—Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1 (February 2003).