Configuring Peer Public Keys Without Digital Certificates
During IKE negotiations, peers exchange public keys to authenticate each other's identity and to ensure that IKE SAs are established with the intended party. Typically, public keys are exchanged in messages containing an X.509v3 digital certificate. As an alternative, however, you can configure and exchange peer public keys and use them for RSA authentication without having to obtain a digital certificate.
To configure and exchange peer public keys without obtaining a digital certificate:
- Generate the RSA key pair on the router.
host1(config)#ipsec key generate rsa 1024
Please wait...
IPsec Generate Keys complete
- In your IKE policy, set the authentication method to RSA signature.
host1(config)#ipsec ike-policy-rule 1
host1(config-ike-policy)#authentication rsa-sig
host1(config-ike-policy)#exit
host1(config)#exit
NOTE: For more information about setting up IKE policies, see Defining an IKE Policy in Chapter 6, Configuring IPSec.
- Display the router's public key.
host1#show ipsec key mypubkey rsa
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00daaa65
8082ac0a ec42e552 10e3489b 37463ed8 9bfa2541 f46a7b30 0e908749 5b652ae5
ae604e9a 81bc3268 270e7f68 69ffd2a8 be268afa 92849fd0 4e8c96be 3eddf1c2
12d9fe7a 68e8507c 99b59ff3 bb0c3942 b0a90c76 3ae3acbb 4a777037 31527ea0
23693bdc e5393c6f 2ef3e7e7 bb1a308e d42ce0ad a095273e d718384c dd020301
0001
For information about the format of an RSA public key, see Public Key Format.
- Use the output from the show ipsec key mypubkey rsa command to provide information to the remote peer about the public key configured on the E-series router. Providing this information enables the remote peer to enter the router's public key on its own system.
The show ipsec key mypubkey rsa command enables you to display the contents of the router's public key without having to obtain a digital certificate.
For example, you might receive an e-mail message from the remote peer containing the public key information.
You must identify the remote peer associated with the public key by specifying the remote peer's IP address, fully qualified domain name (FQDN), or FQDN preceded by an optional user@ specification. For example, the following command enables you to enter the peer public key for the remote peer identified by IP address 192.168.15.5.
host1(config)#ipsec key pubkey-chain rsa address 192.168.15.5
host1(config-peer-public-key)#
- Enter the peer public key that you obtained in Step 5.
host1(config-peer-public-key)#key-string "
Enter remainder of text message. End with the character '"'.
30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
00effc6f d91cbf23 5de66454 420db27a 0bacfc92 63a54e60 587c3e1c 951be4e8
09e7d130 da924040 0ceb797c ddc0df10 dabeb3fc a17145ff 6e7ff977 68ac0698
748d30f4 478252ed 29bf3e4e a6657cc8 cfaf1de4 e7dc2473 33231286 0ecfb15b
4aac505b 255f17ca faf884ca f0402022 5ad6f446 e0f3fb1e d48bbc00 5d4fe9b6
35f88b53 1bf4f07c b168e47b b7143181 5bad4586 0abb7b03 6dba9668 b45e3714
0b64ca82 3a53f69b 357a7d41 f512da37 71901b14 08212648 277f6d38 6bc34164
8c3ac8d4 d9c8baac dc006dac 8c09ce37 44a5d124 b69fec24 df0fc3a8 98e6efc8
5a1d65eb e4b832ba adc26c63 1996fe37 e797ecff 6e2acdd6 0981ef2c 3dd2f506
01020301 0001"
- (Optional) Verify the peer public key configuration.
host1#show ipsec key pubkey-chain rsa address 192.168.15.5
30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
00effc6f d91cbf23 5de66454 420db27a 0bacfc92 63a54e60 587c3e1c 951be4e8
09e7d130 da924040 0ceb797c ddc0df10 dabeb3fc a17145ff 6e7ff977 68ac0698
748d30f4 478252ed 29bf3e4e a6657cc8 cfaf1de4 e7dc2473 33231286 0ecfb15b
4aac505b 255f17ca faf884ca f0402022 5ad6f446 e0f3fb1e d48bbc00 5d4fe9b6
35f88b53 1bf4f07c b168e47b b7143181 5bad4586 0abb7b03 6dba9668 b45e3714
0b64ca82 3a53f69b 357a7d41 f512da37 71901b14 08212648 277f6d38 6bc34164
8c3ac8d4 d9c8baac dc006dac 8c09ce37 44a5d124 b69fec24 df0fc3a8 98e6efc8
5a1d65eb e4b832ba adc26c63 1996fe37 e797ecff 6e2acdd6 0981ef2c 3dd2f506
01020301 0001
authentication
- Use to specify in the ISAKMP/IKE policy that the router uses the RSA signature authentication method for IKE negotiations.
- Example
host1(config-ike-policy)#authentication rsa-sig
Use the no version to restore the default authentication method, preshared keys.
ipsec ike-policy-rule
- Use to access IPSec IKE Policy Configuration mode to define an ISAKMP/IKE policy.
- For information about how to use this command, see ipsec ike-policy-rule.
- Example
host1(config)#ipsec ike-policy-rule 2
host1(config-ike-policy)#
Use the no version to remove policies. If you do not include a priority number with the no version, all policies are removed.
ipsec key generate
host1(config)#ipsec key generate rsa 2048
Please wait...........................................................................
IPsec Generate Keys complete
There is no no version. To remove a key pair, use the ipsec key zeroize command.
ipsec key pubkey-chain rsa
- Use to access IPSec Peer Public Key Configuration mode to configure the public key for a remote peer with which you want to establish IKE SAs.
- The ipsec key pubkey-chain rsa command enables you to manually enter the public key data for the remote peer without having to obtain a digital certificate.
- To specify the IP address of the remote peer associated with the public key, use the address keyword followed by the IP address, in 32-bit dotted decimal format.
- To specify the identity of the remote peer associated with the public key, use the name keyword followed by either:
- The fully qualified domain name (FQDN)
- The FQDN preceded by an optional user@ specification; this is also referred to as user FQDN format
- The FQDN and user FQDN identifiers are case-sensitive.
- To ensure that the public key is associated with the correct remote peer, the router requires an exact match for the identifier string. For example, a public key for user FQDN mjones@sales.company_abc.com does not match a public key for FQDN sales.company_abc.com.
- From IPSec Peer Public Key Configuration mode, use the key-string command to enter the peer public key data. For information about how to use this command, see key-string.
- Example 1: Enables you to configure the public key for a remote peer with IP address 192.168.50.10
host1(config)#ipsec key pubkey-chain rsa address 192.168.50.10
host1(config-peer-public-key)#
- Example 2: Enables you to configure the public key for a remote peer with the FQDN sales.company_xyz.com
host1(config)#ipsec key pubkey-chain rsa name sales.company_xyz.com
host1(config-peer-public-key)#
- Example 3: Enables you to configure the public key for a remote peer with the user FQDN tsmith@sales.company_xyz.com
host1(config)#ipsec key pubkey-chain rsa name tsmith@sales.company_xyz.com
host1(config-peer-public-key)#
Use the no version to remove the peer public key from the router.
key-string
- Use to manually enter a 1024-bit or 2048-bit public key for a remote peer with which you want to establish IKE SAs.
- The key string represents the public key hexadecimal data that includes the ASN.1 object identifier and sequence tags for RSA encryption.
- Enter an alphanumeric key string with a maximum of 1999 characters.
- You must use the same character (for example, " or x) at the beginning and end of the string to delimit the key string. The delimiter character is case-sensitive and must not occur anywhere else in the key string.
- For information about the format of an RSA public key, see Public Key Format.
- Example 1: Configures the public key for a remote peer with IP address 192.168.50.10, using " (double quotation marks) as the key string delimiter character
host1(config)#ipsec key pubkey-chain rsa address 192.168.50.10
host1(config-peer-public-key)#key-string "
Enter remainder of text message. End with the character '"'.
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00d3a447
0b997844 213de4ae 13a2c09b f74051cd d404a187 c5e86867 d525cb6e 571a44f2
92bac7e8 bb282857 fb20357c d94ec241 b651596c 350dd770 6853526b c95e60c1
52ec06ce 094882a7 4a7275a6 af1b738f 29d1124d 21e49b2a 3b0b7f2f fe31f0cc
178ddbfe a587a7a9 83aa0601 e86e7de4 3ca78f60 89a758bf 4c1247ba cb020301
0001"
- Example 2: Configures the public key for a remote peer with the FQDN sales.company_xyz.com, using ' (single quotation mark) as the key string delimiter character
host1(config)#ipsec key pubkey-chain rsa name sales.company_xyz.com
host1(config-peer-public-key)#key-string '
Enter remainder of text message. End with the character '''.
30820122 300d0609 2a864886 f70d0101 01050003 82010f00 3082010a 02820101
00c03cc6 0bad55ea b4f8a01f 5cf69de5 f03185e2 1338b5cb fa8418c3 6cbe1a77
bfefba5b 7a8f0ac2 6e2b223b 11e3c316 a30f7fb0 7bd2ab8a a614bb3d 2fce97bf
d6376467 0d5d1a16 d630c173 3ed93434 e690f355 00128ffb c36e72fa 46eae49a
5704eabe 0e34776c 7d243b8b fcb03c75 965c12f4 d68c6e63 33e0207c a985ffff
2422fb53 23d49dbb f7fd3140 a7f245ee bf629690 9356a29c b149451a 691a2531
9787ce37 2601bdf9 1434b174 4fd21cf2 48e10f58 9ac89df1 56e360b1 66fb0b3f
27ad6396 7a491d74 3b8379ea be502979 8f0270b2 6063a474 fadc5f18 f0ca6f7a
ddea66c7 cf637598 9cdb5087 0480af29 b9c174ab 1b1d033f 67641a8c 5918ddce
1f020301 0001'
- Example 3: Configures the public key for a remote peer with the user FQDN tsmith@sales.company_xyz.com, using lowercase x as the key string delimiter character
host1(config)#ipsec key pubkey-chain rsa name tsmith@sales.company_xyz.com
host1(config-peer-public-key)#key-string x
Enter remainder of text message. End with the character 'x'.
30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00bcc106
8694a505 0b92433e 4c27441e 3ad8955d 5628e2ea 5ee34b0c 6f82c4fd 8d5b7b51
f1a3c94f c4373f9b 70395011 79b4c2fb 639a075b 3d66185f 9cc6cdd1 6df51f74
cb69c8bb dbb44433 a1faac45 10f52be8 d7f2c8cd ad5172a6 e7f14b1c bba4037b
29b475c6 ad7305ed 7c460779 351560c6 344ccd1a 35935ea3 da5de228 bd020301
0001x
There is no no version. Use the no version of the ipsec key pubkey-chain rsa command to remove the peer public key from the router.
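As an added example (not JunosE code), the following Python checks a value pasted after key-string the way the procedure and the key-string reference above describe: it applies the delimiter rule and the 1999-character limit, parses the hex as the DER SubjectPublicKeyInfo (rsaEncryption object identifier, sequence tags, modulus, exponent), rejects anything other than a 1024- or 2048-bit key, and returns a SHA-1 fingerprint of the DER bytes that both peers can compare out of band (for instance against the e-mailed copy) before the key is entered. It uses the 1024-bit key from the show ipsec key mypubkey rsa output earlier on this page as sample input; the function names are assumptions of this example.

```python
import hashlib

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

# The 1024-bit key printed by "show ipsec key mypubkey rsa" earlier on this page
SAMPLE_HEX = (
    "30819f30 0d06092a 864886f7 0d010101 05000381 8d003081 89028181 00daaa65 "
    "8082ac0a ec42e552 10e3489b 37463ed8 9bfa2541 f46a7b30 0e908749 5b652ae5 "
    "ae604e9a 81bc3268 270e7f68 69ffd2a8 be268afa 92849fd0 4e8c96be 3eddf1c2 "
    "12d9fe7a 68e8507c 99b59ff3 bb0c3942 b0a90c76 3ae3acbb 4a777037 31527ea0 "
    "23693bdc e5393c6f 2ef3e7e7 bb1a308e d42ce0ad a095273e d718384c dd020301 "
    "0001"
)

def split_delimited(text):
    """key-string rule: one character opens and closes the string, nowhere else."""
    if len(text) < 2 or text[0] != text[-1] or text[0] in text[1:-1]:
        raise ValueError("bad key-string delimiter")
    if len(text) - 2 > 1999:
        raise ValueError("key string exceeds the 1999-character maximum")
    return text[1:-1]

def _tlv(buf, pos, tag):
    """Read one DER TLV at pos, check its tag, return (value_start, value_end)."""
    if buf[pos] != tag:
        raise ValueError(f"expected tag 0x{tag:02x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: low bits = length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return pos, pos + length

def inspect_key_string(text):
    """Parse a delimited key string; return (modulus_bits, exponent, sha1 of DER)."""
    der = bytes.fromhex("".join(split_delimited(text).split()))
    start, end = _tlv(der, 0, 0x30)                  # SubjectPublicKeyInfo
    if end != len(der):
        raise ValueError("key string is truncated or has trailing data")
    alg_start, alg_end = _tlv(der, start, 0x30)      # AlgorithmIdentifier
    oid_start, oid_end = _tlv(der, alg_start, 0x06)  # OBJECT IDENTIFIER
    if der[oid_start:oid_end] != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    bs_start, _ = _tlv(der, alg_end, 0x03)           # BIT STRING (0 unused bits)
    rk_start, _ = _tlv(der, bs_start + 1, 0x30)      # RSAPublicKey SEQUENCE
    n_start, n_end = _tlv(der, rk_start, 0x02)       # modulus INTEGER
    e_start, e_end = _tlv(der, n_end, 0x02)          # publicExponent INTEGER
    bits = int.from_bytes(der[n_start:n_end], "big").bit_length()
    if bits not in (1024, 2048):
        raise ValueError(f"unsupported modulus size: {bits} bits")
    return bits, int.from_bytes(der[e_start:e_end], "big"), hashlib.sha1(der).hexdigest()
```

Run it on the text exactly as it will be typed after key-string, including the delimiter characters, so the same check covers the " , ' and x forms shown in the examples.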