Hello, I am planning to do a LAN-to-LAN VPN, but I was wondering about the differences in security between pre-shared key and the RSA method. In the IOS I got two different RSA:
When you first configure a device for SSH, or IPSec, you generate an RSA key pair (public and private keys).
To view "your" public keys:
router# sh crypto key mypubkey rsa
It is your public key that you are providing to the admin of your VPN peer. He will manually enter your public key into the crypto config on his end. Likewise, you will enter the public key of his device into your crypto config.
The resulting section of your config will look something like this:
To view the public keys of "others", that are presently in your config:
router# sh crypto key pubkey-chain rsa
Hopefully you are familiar with the basics of public key encryption. When you encrypt something with the peer's public key, only he can decrypt it with his private key, which he must closely guard.
So... the easiest to use is the pre-shared (not RSA type).
But what is the most secure? If I put this method on a cleartext wireless link (the one explained in the post above), which will be less prone to man-in-the-middle attack?
"News Reader" wrote in message news: snipped-for-privacy@domain.null...
Pre-shared keys are the least secure, and I don't use them for site-to-site VPNs.
I use rsa-encr or rsa-sig, both are secure.
With either of the RSA methods, you will need to generate an RSA key pair on each router. This is easily done; just locate and follow the procedure for enabling SSH. If you are currently using SSH or HTTPS to access the router, the keys are already there. Refer to my earlier post for commands to view a key pair.
RSA-SIG requires a private key infrastructure (PKI), and is primarily intended to address issues of scalability.
RSA-ENCR requires manual entry of the peer's public key into your local config.
Both RSA methods are based on the "same" key pair.
Use RSA-ENCR rather than pre-shared keys to improve your security posture. Pursue RSA-SIG if you have a large number of IPSec tunnel endpoints to lessen the administrative overhead.
If you are worried about man in the middle attacks, concern yourself with:
- The size of your RSA keys (modulus)
- Lifetimes of the ISAKMP SA, and IPSec SAs
- Choice of authentication and encryption transforms for ISAKMP and IPSec
- DH Group
- PFS (Perfect Forward Secrecy)
... all of which are determined by your configuration choices.
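As an added illustration (not configuration from either poster), this is what the rsa-encr variant of the set-up discussed above looks like on IOS, with each of the five items in the list set explicitly. The addresses, ACL and map names, and the peer key string are constructed placeholders, and the sha256 hash and group 14 options assume a reasonably recent IOS release.

```cisco
! --- Local key pair; the modulus size is item 1 in the list.
! The same pair is what "show crypto key mypubkey rsa" displays and what SSH uses.
crypto key generate rsa modulus 2048
!
! --- Peer's public key, typed in by hand: this is what makes the method RSA-ENCR.
! The key-string below is a PLACEHOLDER; paste the peer's
! "show crypto key mypubkey rsa" output here. 203.0.113.2 is a made-up peer address.
crypto key pubkey-chain rsa
 addressed-key 203.0.113.2
  address 203.0.113.2
  key-string
   <PEER-PUBLIC-KEY-HEX-PLACEHOLDER>
  quit
!
! --- IKE phase 1: rsa-encr instead of pre-share, strong transforms (item 3),
! DH group 14 (item 4) and a short ISAKMP SA lifetime in seconds (item 2).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-encr
 group 14
 lifetime 3600
!
! --- Interesting traffic for the tunnel (constructed example networks).
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! --- IKE phase 2: ESP transform set (item 3) and crypto map with PFS (item 5)
! plus a bounded IPsec SA lifetime (item 2).
crypto ipsec transform-set VPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map LAN2LAN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set VPN-TS
 set pfs group14
 set security-association lifetime seconds 1800
 match address VPN-TRAFFIC
!
interface GigabitEthernet0/0
 crypto map LAN2LAN
```

The pre-shared alternative would replace the pubkey-chain block with `crypto isakmp key <secret> address 203.0.113.2` and `authentication pre-share` in the policy; everything after the authentication line is the same, which is why the list above matters regardless of the method chosen.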