Deploying ssh login on a router already running an IPSec tunnel

Jim Blake (Level 1)

I have a bunch of routers which were deployed (by someone else!) with IPsec tunnels over the Internet back to the core network, but with telnet vty access. This has got to be updated so that only ssh is available for vty use.

It's easy enough to deploy SSH, but part of the task involves generating a crypto key ("crypto key generate rsa", etc.). If I try to do the configuration without this command, I get an error message asking me to do it.

And there is the problem: when I generate a key, it somehow screws up the existing IPsec tunnel. Worse yet, it doesn't do it immediately; it waits an indeterminate length of time, probably (I guess) until after the IPsec tunnel has been inactive for a period and stopped/started, so what I *think* is happening is that on re-initiation of the tunnel it picks up the wrong key and the other end kills the link. The logs have nothing relevant in them, and I'm still trying to have the failure occur on a router that's running debug.

Has anyone tried to do this upgrade before? Do we have to put SSH on first and then rebuild the IPsec tunnel config?


Thanks for any thoughts/comments

Jim

Accepted Solution

ghostinthenet (Level 7)

If the IPSec VPN is using certificate authentication, regenerating RSA keys can be bad. Without knowing more about your IPSec configuration, I would say that the best approach would be to generate a key for SSH that will not interfere with it. Try something like this:

crypto key generate rsa modulus 2048 label RSA_Key_SSH
ip ssh rsa keypair-name RSA_Key_SSH

This will generate a new key that is independent of any existing keys and configure SSH to use it.
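A fuller telnet-to-SSH cut-over built around the two commands above, added here as an illustration and not taken from the thread or from Cisco documentation; the username, the trustpoint name and the exact ordering are assumptions, and the point is that the IPsec keypair is never named in a generate or zeroize command.

```cisco
! Added example, not from the thread. Names are assumptions: "RSA_Key_SSH"
! follows Jody's post; the IPsec keypair/trustpoint name is whatever the
! existing tunnel configuration already uses.
!
! 1. Record which keypairs exist BEFORE changing anything. If the tunnel
!    authenticates with certificates, the trustpoint's "rsakeypair" name (or
!    the default, unlabelled keypair) must not appear in any later
!    "crypto key generate" or "crypto key zeroize" command.
show crypto key mypubkey rsa
show running-config | section crypto pki trustpoint
!
! 2. Generate a separately labelled keypair for SSH only. Because the label
!    differs from the IPsec keypair, the existing key, its certificate and
!    the tunnel's IKE authentication are untouched.
configure terminal
 crypto key generate rsa modulus 2048 label RSA_Key_SSH
 ip ssh rsa keypair-name RSA_Key_SSH
 ip ssh version 2
 ip ssh time-out 60
 ip ssh authentication-retries 3
!
! 3. Local credentials for SSH logins (placeholder user and secret; use AAA
!    where available). "secret" stores a hash, "password" would not.
 username admin privilege 15 secret <STRONG_SECRET_PLACEHOLDER>
!
! 4. Only now remove telnet from the vty lines. Keep the current session open
!    and test a fresh SSH login from a second window before logging out.
 line vty 0 4
  login local
  transport input ssh
  exec-timeout 10 0
 end
!
! 5. Verify: SSH is bound to the new label, the original key is still listed
!    unchanged (same name and modulus as in step 1) and the tunnel is up.
show ip ssh
show crypto key mypubkey rsa
show crypto session
```

Running step 1 and step 5 on the same router and comparing the key listings is the quickest way to confirm that the IPsec keypair was not replaced.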


4 Replies


Thanks for the tip, Jody. I'll deploy your suggestion and get back to you with results; it may be a day or so, as problems can take time to evidence themselves, but I will get back. Also thanks, Karsten, that's a useful document!

Deployed your solution and it worked perfectly! Thanks again Jody!

Jody already told you how you can avoid the problem. For the rest of the SSH config you can look at the following document: Guide to better SSH-Security