I've been setting up (dozens of) VPNs between Cisco routers, the PIX, and Netscreens. I understand how and why Public/Private keys work and what security functions they 'provide'. But I do not yet understand how, or if, pre-shared keys can duplicate the functions that Public/Private keys make possible.
Also, it seems to me any Cisco/IPsec device can generate its own Public/Private key-pair, so can 2 routers, or any Cisco devices, transfer their Public Key to another device over the wire? It seems to me one way to use Public/Private keys would be to be able to:
'get peer-pub-key (ip address)'
And then use this Public key with rsa in VPN configuration.
I would like to be able to use Public/Private Keys w/o a CA, as I'm starting to be of the opinion that a CA is good for a website, but not for 'remote-office' tunneling-VPNs.
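As an added illustration (not part of the original post, and not Cisco's or any vendor's code), here is the difference between the two authentication methods the question asks about, reduced to what each peer actually proves over an IKE-style exchange transcript: PSK authentication is a keyed MAC that any holder of the shared secret can produce, while RSA authentication is a signature only the private-key holder can produce, and a public key fetched over the wire becomes trustworthy only once its fingerprint has been checked out of band (the CA-less pinning the question is reaching for). The transcript, PSK and addresses are constructed sample values.

```go
package main

import (
	"crypto"
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// transcript stands in for what both IKE peers have seen: the Diffie-Hellman
// public values, nonces and peer identities (constructed sample, not real IKE).
var transcript = []byte("g^x|g^y|nonce_i|nonce_r|10.0.0.1|10.0.0.2")

// pskAuth: the pre-shared-key path. Each side proves it holds the PSK with a
// keyed MAC over the transcript. Anyone holding the PSK could have produced
// it, so it authenticates "a member of the group", not one specific peer.
func pskAuth(psk []byte) []byte {
	m := hmac.New(sha256.New, psk)
	m.Write(transcript)
	return m.Sum(nil)
}
func pskVerify(psk, tag []byte) bool { return hmac.Equal(pskAuth(psk), tag) }

// rsaAuth: the RSA-signature path. Only the private-key holder can sign;
// any peer that has the matching public key can verify.
func rsaAuth(priv *rsa.PrivateKey) ([]byte, error) {
	d := sha256.Sum256(transcript)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, d[:])
}
func rsaVerify(pub *rsa.PublicKey, sig []byte) bool {
	d := sha256.Sum256(transcript)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig) == nil
}

// fingerprint is what stands in for a CA when a key is fetched over the wire:
// the admin compares it with a value obtained out of band before pinning it.
func fingerprint(pub *rsa.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(pub.N.Bytes()))
}
func pinnedKeyOK(received *rsa.PublicKey, expectedFP string) bool {
	return fingerprint(received) == expectedFP
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	fmt.Println("pin this out of band:", fingerprint(&priv.PublicKey))
	fmt.Printf("psk tag: %x\n", pskAuth([]byte("example-psk")))
}
```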