I have a network with Cisco components. I would like to manage them only over IPSEC (I am working with asymmetric model - x509 certificates with PKI).
So I would like that only computers which has the correct private key could manage the cisco devices (via telnet/ssh) and if computer doesn't have the private key, it can't open the vpn tunnel and it will not be accessible to a management interface (so, even if someone has password for the device, he can't connect to the device).
SSH doesn't support x509 certificates so, using ssh keys is not enough.
For example (See the file example.PNG):
A,B,C - cannot manage each other (cannot even access to telenet/ssh). D can manage them with private key after he opens an ipsec tunnel (and of course anyone that will receive the private key, can open an ipsec tunnel and manage the devices via telnet/ssh).
Do you know a way to do it?
I didn't get your complete question what is your meaning by open VPN connection? Here is a guide for SSH public key authentication:
open VPN connection = open IPSEC connection.
SSH doesn't support PKI (only private and public keys).
In addition, telenet doesn't support encryption so, I am searching for solution that is suitable for all types of management protocols.