Multiple rsa key pairs on head-end router

crhodes
Level 1

Hello,

I have a question regarding use of rsa key pairs for authentication when setting up IPsec tunnels.

I have a head-end router and multiple remote routers which are administered by multiple third parties.

I want to set up a different key pair on my head-end router for each remote router so that I can regenerate key pairs between the head-end router and one of the remote routers without impacting the other remote routers.

I can configure multiple named key pairs on my head-end router, but can't find a way of associating each pair to a specific remote router.

The head-end router tries to use the "default" private key, not the named private key as per the following:

xxxxx#sho cry is sa
dst src state conn-id slot

xxxx#ping x.x.x.x
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.20.248.86, timeout is 2 seconds:
Can not select private key (SYD01RJET2.anzsa.fdi.1dc.com).....
Success rate is 0 percent (0/5)

SYD01RJET2#sho log
<cut>
Mar 30 09:43:31.801: ISAKMP (0:1): using the default keypair to sign
Mar 30 09:43:31.801: ISAKMP (0:1): keypair not found

xxxxx#sho cry key my rs
% Key pair was generated at: 15:02:27 EST Mar 29 2004
Key name: xxxxx
Usage: General Purpose Key
Key is not exportable.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00B0C135 30789626 14EB5872 2699F537 6849E7A1 EC35618A 5047DAF7 58F853DC
<cut>

SYD01RJET2#sho run
<cut>
crypto key pubkey-chain rsa
named-key xxxx
address x.x.x.x
key-string
xxxxxxx
<cut>

Any ideas/suggestions appreciated.

Thanks in advance
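The hex block printed under "Key Data:" in the `show crypto key mypubkey rsa` output above is a DER-encoded SubjectPublicKeyInfo, and the same hex is what gets pasted as the `key-string` in a peer's `crypto key pubkey-chain rsa` entry. When a router logs "keypair not found" or "Can not select private key", the first thing to verify is which key each side actually holds. The following parser is an added example (not part of this post and not Cisco code): it walks the DER header far enough to confirm the key is rsaEncryption and report the modulus size, and it works on a truncated dump because only the leading bytes are needed. The sample input is the dump quoted above; `SAMPLE_SHOW_OUTPUT`, `hexdump_to_bytes` and `rsa_modulus_bits` are names chosen here.

```python
import re

# rsaEncryption OID 1.2.840.113549.1.1.1 in DER content-octet form.
RSA_OID = bytes.fromhex("2A864886F70D010101")

# The `show crypto key mypubkey rsa` output quoted in the post (the dump is
# truncated in the post, so only the leading 64 bytes of DER are present).
SAMPLE_SHOW_OUTPUT = """
% Key pair was generated at: 15:02:27 EST Mar 29 2004
Key name: xxxxx
Usage: General Purpose Key
Key is not exportable.
Key Data:
30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
00B0C135 30789626 14EB5872 2699F537 6849E7A1 EC35618A 5047DAF7 58F853DC
"""


def hexdump_to_bytes(show_output: str) -> bytes:
    """Collect the 8-character hex groups IOS prints under 'Key Data:' into raw DER."""
    groups = re.findall(r"\b[0-9A-Fa-f]{8}\b", show_output)
    return bytes.fromhex("".join(groups))


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length at buf[pos]; return (tag, length, start_of_value).

    Handles short-form lengths (< 128) and long-form lengths (0x81/0x82 ...)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, length, pos


def rsa_modulus_bits(show_output: str) -> int:
    """Return the RSA modulus size in bits for a (possibly truncated) IOS key dump.

    Raises ValueError if the structure is not an rsaEncryption SubjectPublicKeyInfo.
    """
    der = hexdump_to_bytes(show_output)

    tag, _, pos = _read_tlv(der, 0)                 # SubjectPublicKeyInfo ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")

    tag, alg_len, pos = _read_tlv(der, pos)         # AlgorithmIdentifier ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    alg_end = pos + alg_len

    tag, oid_len, pos = _read_tlv(der, pos)         # algorithm OBJECT IDENTIFIER
    if tag != 0x06 or der[pos:pos + oid_len] != RSA_OID:
        raise ValueError("algorithm is not rsaEncryption")
    pos = alg_end                                   # skip the NULL parameters

    tag, _, pos = _read_tlv(der, pos)               # subjectPublicKey BIT STRING
    if tag != 0x03:
        raise ValueError("missing BIT STRING")
    pos += 1                                        # unused-bits octet (0x00)

    tag, _, pos = _read_tlv(der, pos)               # RSAPublicKey ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("missing RSAPublicKey SEQUENCE")

    tag, mod_len, pos = _read_tlv(der, pos)         # modulus INTEGER
    if tag != 0x02:
        raise ValueError("missing modulus INTEGER")
    if der[pos] == 0x00:                            # leading pad byte keeps the INTEGER positive
        mod_len -= 1
    return mod_len * 8


if __name__ == "__main__":
    print("modulus bits:", rsa_modulus_bits(SAMPLE_SHOW_OUTPUT))
```

Running it on the dump from the post reports a 2048-bit rsaEncryption key. Feeding the same function the `key-string` hex from a peer's `pubkey-chain` entry gives a quick way to confirm that the entry was pasted from the intended key pair before chasing the "keypair not found" message further.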

1 Reply

umedryk
Level 5

Regarding the "Can not select private key" message, this would be a problem if the RSA key pairs were generated and the CA server was authenticated before enrolling