Topic: IPSec with RSA Encrypted NONCES
NewAgeQuanta
posted June 16, 2012 04:56 PM
Guys,
I've been revisiting using authentication rsa-encr for IKE phase 1.
I was able to get it to work, but I have some very pertinent questions.
Here was the scenario that worked:
On both peers, RSA key-pairs were generated WITHOUT options.
"crypto key generate rsa"
Pretty much the default which creates a labeled key "hostname.domainname"
The public keys were displayed on the terminal using "show cry key mypubkey rsa" and pasted on the other router as an addressed key.
So far so good.
What I am having problems with is using any of the options during key generation, other than general-keys (which is essentially the default). Using usage-keys, encryption or label does not work. The first router that gets the encrypted payload (encrypted using its pasted public key on the sender) complains that it is unable to decrypt the payload.
%CRYPTO-6-IKMP_CRYPT_FAILURE
This pretty much means it's not using the right private key to decrypt the message.
Anyway, does anybody know of a resource that describes how to use custom keys to get this type of IKE working, or does anybody know from experience and have any pointers?
Thanks,
Nic
Posts: 73 | From: US | Registered: Mar 2012
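For reference, here is the crypto-map variant of the scenario the poster describes as working, written out as an added example; it is not configuration from the original post. Hostnames, addresses (192.0.2.1 for R1, 192.0.2.2 for R2), the 10.x subnets, the modulus and the object names are constructed, the key-string is a placeholder for the hex that "show crypto key mypubkey rsa" prints on the peer, and an IOS 15.x feature set is assumed for the SHA-256 and group 14 options. The key pair is the unlabeled default, since that is the only variant the thread confirms works with rsa-encr; the comment about the "encryption" keyword on addressed-key is how IOS documents the usage-keys case, not something the thread verified.

```cisco
! Added example (not from the original post). This is peer R1; mirror it on R2 with the
! addresses swapped. Every name and address below is constructed for illustration.
hostname R1
ip domain-name example.net
!
! Default general-purpose key pair, generated without a label (named R1.example.net
! automatically). This is the form the poster reported working with rsa-encr.
crypto key generate rsa modulus 2048
!
! Print the public key to paste on the peer:
!   show crypto key mypubkey rsa
!
! Paste R2's public key, indexed by the identity R2 will present in IKE (its address).
! If rsa-encr picks a different private key on R2 than the one whose public half is
! pasted here, R2 logs %CRYPTO-6-IKMP_CRYPT_FAILURE when it cannot decrypt the nonce.
crypto key pubkey-chain rsa
 addressed-key 192.0.2.2
  key-string
   <hex public key pasted from R2's "show crypto key mypubkey rsa" output>
  quit
!
! If R2 generated usage-keys, there are separate signature and encryption key pairs;
! IOS lets you tag which half was pasted:   addressed-key 192.0.2.2 encryption
!
! Identity must be the address, so it matches the addressed-key entry on the peer.
crypto isakmp identity address
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-encr
 group 14
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
ip access-list extended VPN-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map CM 10 ipsec-isakmp
 set peer 192.0.2.2
 set transform-set TS
 match address VPN-ACL
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.252
 crypto map CM
```

To check the exchange, send interesting traffic and look at "show crypto isakmp sa" (the SA should reach QM_IDLE) and, if it does not, "debug crypto isakmp" on the responder: a CRYPTO-6-IKMP_CRYPT_FAILURE there points at a mismatch between the public key the initiator pasted and the private key the responder is actually using, which is exactly the symptom the poster hit with labeled keys.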
NewAgeQuanta
posted June 16, 2012 06:04 PM
After further experimentation, I take back some of the stuff I said above.
Essentially, it seemed very weird that general-keys were working and usage-keys, which is the same as general-keys but using separate pairs for signatures and encryption, were not working.
So I was able to get the configuration working with usage-keys.
What I am still unable to do is to use a key with a custom label. To get the config working, either with general or usage keys, I still have to generate the key sans a label.
So can it be done with a custom label or not?
Nic
Kingsley Charles (CCSP, CCNP, CCIP)
posted June 17, 2012 12:11 AM
It should work with labels, but I have never tried it.
With regards, Kings
Posts: 887 | From: India | Registered: Jun 2010
theevilmuffin
posted June 17, 2012 12:59 PM
What identity are you matching on?
You're not using VRF? I found that I needed to use an ISAKMP profile.
Posts: 1065 | From: UK | Registered: Sep 2007
NewAgeQuanta
posted June 17, 2012 01:29 PM
Evil,
When I initially did the post, I was using plain old crypto maps so no profile was needed.
Later, I did modify the config for VTI and was matching on addresses as identities. In this case, I found the need to use an ISAKMP profile with a keyring as well.
Nic
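The VTI variant the poster mentions, where the peer's RSA public key lives in a keyring referenced by an ISAKMP profile that matches on address, looks like the following. This is an added example, not configuration from the original post: R1 at 192.0.2.1 and R2 at 192.0.2.2, the tunnel addressing and all object names are constructed, the key-string is a placeholder for the peer's "show crypto key mypubkey rsa" output, and IOS 15.x is assumed. The ISAKMP policy and transform set are the same as in the crypto-map case; what changes is how the public key is bound to the peer and how IPsec is applied.

```cisco
! Added example (not from the original post). Peer R1; mirror on R2 with addresses swapped.
! All names and addresses are constructed for illustration.
!
! The peer's RSA public key goes into a keyring instead of the global pubkey-chain,
! keyed by the address R2 presents as its IKE identity.
crypto keyring KR-R2
 rsa-pubkey address 192.0.2.2
  key-string
   <hex public key pasted from R2's "show crypto key mypubkey rsa" output>
  quit
!
crypto isakmp identity address
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-encr
 group 14
!
! The ISAKMP profile ties the keyring to the peer identity it should be used for.
crypto isakmp profile PROF-R2
 keyring KR-R2
 match identity address 192.0.2.2 255.255.255.255
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! The IPsec profile replaces the crypto map and pins the ISAKMP profile to this tunnel.
crypto ipsec profile IPSEC-PROF
 set transform-set TS
 set isakmp-profile PROF-R2
!
interface Tunnel0
 ip address 10.255.0.1 255.255.255.252
 tunnel source 192.0.2.1
 tunnel destination 192.0.2.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
```

With a VTI there is no crypto ACL; anything routed into Tunnel0 is protected, so the peer's "match identity address" and the rsa-pubkey address must both equal the tunnel destination, otherwise the profile is never selected and the exchange fails before the nonce is decrypted.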
NewAgeQuanta
posted June 17, 2012 01:31 PM
BTW, I cross-posted this to another forum. Some interesting exchanges there. Not sure if we are allowed to use these links here, but for the sake of spreading the wealth of knowledge, so to speak:
https://learningnetwork.cisco.com/thread/43926?tstart=0
Nic