Hello,
I have a question regarding the use of RSA key pairs for authentication when setting up IPsec tunnels.
I have a head-end router and multiple remote routers which are administered by multiple third parties.
I want to set up a different key pair on my head-end router for each remote router so that I can regenerate key pairs between the head-end router and one of the remote routers without impacting the other remote routers.
I can configure multiple named key pairs on my head-end router, but can't find a way of associating each pair to a specific remote router.
The head-end router tries to use the "default" private key, not the named private key, as per the following:
xxxxx#sho cry is sa
dst src state conn-id slot
xxxx#ping x.x.x.x
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.248.86, timeout is 2 seconds:
Can not select private key (SYD01RJET2.anzsa.fdi.1dc.com).....
Success rate is 0 percent (0/5)
SYD01RJET2#sho log
<cut>
Mar 30 09:43:31.801: ISAKMP (0:1): using the default keypair to sign
Mar 30 09:43:31.801: ISAKMP (0:1): keypair not found
xxxxx#sho cry key my rs
% Key pair was generated at: 15:02:27 EST Mar 29 2004
Key name: xxxxx
Usage: General Purpose Key
Key is not exportable.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00B0C135 30789626 14EB5872 2699F537 6849E7A1 EC35618A 5047DAF7 58F853DC
<cut>
SYD01RJET2#sho run
<cut>
crypto key pubkey-chain rsa
 named-key xxxx
  address x.x.x.x
  key-string
   xxxxxxx
<cut>
Any ideas/suggestions appreciated.
Thanks in advance.