Will generating New SSH keys affect GET VPN traffic

Dakenrick
Level 1

Hey,

I am trying to re-generate a separate key-pair for SSH. Some of the sites currently use the same key-pair for SSH and GET VPN. I want to have separate keys so the risk of accidental deletion is prevented for GET VPN keys. 

These are all Cisco IOS XE routers and switches. They are in production. We use PKI certificates for authentication on IKE phase 1. Will regenerating separate SSH keys affect the GET VPN encrypted traffic? Or will it take down network traffic in general?

Accepted Solutions

marce1000
VIP

 

 - Regenerating separate SSH keys for your Cisco IOS XE routers and switches should not affect the GET VPN encrypted traffic or take down network traffic in general. The SSH key pair is used for authentication to the device's command-line interface (CLI) and does not affect the encryption of the GET VPN traffic.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

I haven't tried this before, but how is the same key pair being used for GET VPN and SSH?

@marce1000 ,

Thanks for the reply. One more question.

Will updating the Identity certificate for an IOS XE switch or router cause traffic loss for GETVPN? 

I am updating the certificates for ISAKMP policy authentication to a cert signed by a new CA intermediate server.

@Dakenrick create a key pair with a label and then configure SSH or the VPN trustpoint to use that key pair, that way you know it will not conflict.

Example:

crypto key generate rsa modulus 2048 label SSH_RSA
!
ip ssh rsa keypair-name SSH_RSA

Or do the same for the VPN certificate.

crypto key generate rsa modulus 2048 label VPN_KEY
!
crypto pki trustpoint VPN_TRUSTPOINT
 rsakeypair VPN_KEY
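
Added example, not part of the thread and not Cisco tooling: a small audit that reads a saved running-config and reports which trustpoints still share their RSA key pair with SSH, which is the situation the original question wants to get out of. The sample config is constructed, and treating a missing `ip ssh rsa keypair-name` or `rsakeypair` line as "the device default key pair" is an assumption of this sketch.

```python
import re
from collections import defaultdict

DEFAULT = "<default>"  # assumption: no explicit label means the device default RSA key pair

# Constructed running-config excerpt (not taken from a real device).
SAMPLE_CONFIG = """\
ip ssh rsa keypair-name SSH_RSA
!
crypto pki trustpoint VPN_TRUSTPOINT
 enrollment terminal
 rsakeypair VPN_KEY
!
crypto pki trustpoint OLD_TRUSTPOINT
 rsakeypair SSH_RSA
!
crypto pki trustpoint NO_LABEL_TP
 enrollment terminal
!
"""

def keypair_users(config):
    """Map each RSA key pair label to the features that reference it."""
    users = defaultdict(list)
    ssh_label, trustpoint, tp_label = DEFAULT, None, {}
    for line in config.splitlines():
        m = re.match(r"ip ssh rsa keypair-name (\S+)", line)
        if m:
            ssh_label = m.group(1)
        m = re.match(r"crypto pki trustpoint (\S+)", line)
        if m:
            trustpoint = m.group(1)
            tp_label[trustpoint] = DEFAULT   # until an rsakeypair line says otherwise
        elif not line.startswith(" "):
            trustpoint = None                # any other top-level line ends the block
        m = re.match(r"\s+rsakeypair (\S+)", line)
        if m and trustpoint:
            tp_label[trustpoint] = m.group(1)
    users[ssh_label].append("ssh")
    for name, label in tp_label.items():
        users[label].append(f"trustpoint:{name}")
    return dict(users)

def shared_with_ssh(config):
    """Trustpoints bound to the same key pair that SSH uses."""
    for users in keypair_users(config).values():
        if "ssh" in users:
            return sorted(u for u in users if u != "ssh")
    return []
```

An empty result from `shared_with_ssh` means no trustpoint in the parsed config references the SSH key pair label, so deleting or regenerating that label would not touch a key bound to a trustpoint.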