VPN: RSA vs Pre-Shared

Hello, I am planning to do a LAN-to-LAN VPN, but I was wondering about the differences in security between a pre-shared key and the RSA method. In IOS I got two different RSA options:

  pre-share  Pre-Shared Key
  rsa-encr   Rivest-Shamir-Adleman Encryption
  rsa-sig    Rivest-Shamir-Adleman Signature

What are the differences in terms of security?

Reply to
Elia Spadoni

Thank you for your answers.

But it is not clear to me what the differences are between pre-shared (the one I actually use) and rsa-encr?

I always do site-to-site gre+ipsec tunnels.

Reply to
Elia Spadoni

With rsa-encr, you manually enter the peer's public key into your local configuration.

With rsa-sig, you are using x.509 digital certificates (i.e.: reliance on Public Key Infrastructure).

The difference is scalability. If you had a large number of devices you would use rsa-sig.

For your needs, rsa-encr will be fine.

Best regards, News Reader

Elia Spad> Hello

Reply to
News Reader

When you first configure a device for SSH, or IPSec, you generate an RSA key pair (public and private keys).

To view "your" public keys:

router# sh crypto key mypubkey rsa

It is your public key that you are providing to the admin of your VPN peer. He will manually enter your public key into the crypto config on his end. Likewise, you will enter the public key of his device into your crypto config.

The resulting section of your config will look something like this:

crypto key pubkey-chain rsa
 named-key peer.domain.com encryption
  address aaa.bbb.ccc.ddd
  key-string
   XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
   XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
   XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
   XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
   XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
   XXXXX
  quit

The "X"s will of course be hexadecimal numbers.

To view the public keys of "others", that are presently in your config:

router# sh crypto key pubkey-chain rsa

Hopefully you are familiar with the basics of public key encryption. When you encrypt something with the peer's public key, only he can decrypt it with his private key, which he must closely guard.

Best regards, News Reader

Elia Spad> Thank you for your answers.

Reply to
News Reader

Hello, thank you for your really complete answers.

So... the easiest to use is the pre-shared (not RSA type).

But what is the most secure? If I put this method on a cleartext wireless link (the one explained in the post above), which will be less prone to man-in-the-middle attacks?

"News Reader" wrote in message news: snipped-for-privacy@domain.null...

Reply to
Elia Spadoni

Pre-shared keys are the least secure, and I don't use them for site-to-site VPNs.

I use rsa-encr or rsa-sig, both are secure.

With either of the RSA methods, you will need to generate an RSA key pair on each router. This is easily done; just locate and follow the procedure for enabling SSH. If you are currently using SSH or HTTPS to access the router, the keys are already there. Refer to my earlier post for commands to view a key pair.

RSA-SIG requires a private key infrastructure (PKI), and is primarily intended to address issues of scalability.

RSA-ENCR requires manual entry of the peer's public key into your local config.

Both RSA methods are based on the "same" key pair.

Use RSA-ENCR rather than pre-shared keys to improve your security posture. Pursue RSA-SIG if you have a large number of IPSec tunnel endpoints to lessen the administrative overhead.

If you are worried about man in the middle attacks, concern yourself with:

- The size of your RSA keys (modulus)

- Lifetimes of the ISAKMP SA, and IPSec SAs

- Choice of authentication and encryption transforms for ISAKMP and IPSec

- DH Group

- PFS (Perfect Forward Secrecy)

... all of which are determined by your configuration choices.

Best regards, News Reader

Elia Spad> Hello

Reply to
News Reader
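As an added example, not taken from this thread or from Cisco's documentation, here is what the two authentication choices described in the posts above look like side by side in an IOS site-to-site configuration, with the man-in-the-middle checklist items (RSA modulus size, ISAKMP and IPsec SA lifetimes, transforms, DH group, PFS) set explicitly rather than left at defaults. The peer address 203.0.113.2, local address 198.51.100.1, peer name peer.domain.com, key label VPNKEY, ACL name VPN_ACL and the interface are assumed values; the key-string is a placeholder for the hex the peer's administrator reads from his own "show crypto key mypubkey rsa".

```text
! Added example config (not from the thread). Assumed values: peer 203.0.113.2,
! local 198.51.100.1, peer name peer.domain.com, key label VPNKEY, ACL VPN_ACL.

! Step 1 - generate the local RSA key pair (the same pair SSH uses) and
! display the public half, which is what you hand to the peer's admin.
crypto key generate rsa modulus 2048 label VPNKEY
! show crypto key mypubkey rsa

! Variant A - pre-shared key. One shared secret per peer address; anyone
! who learns the secret can impersonate either end.
crypto isakmp key PLACEHOLDER_SECRET address 203.0.113.2
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800

! Variant B - rsa-encr (configure A or B, not both). The peer's public key
! is pinned in the local config, so a device in the path that does not hold
! the matching private key cannot complete ISAKMP as that peer.
crypto key pubkey-chain rsa
 named-key peer.domain.com encryption
  address 203.0.113.2
  key-string
   XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX XXXXXXXX
   XXXXX
  quit
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-encr
 group 14
 lifetime 28800
! show crypto key pubkey-chain rsa   - confirms the peer key was stored

! Common to both variants - IPsec SA: transforms, lifetime and PFS, then
! the GRE traffic selector and the crypto map on the outside interface.
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec security-association lifetime seconds 3600
ip access-list extended VPN_ACL
 permit gre host 198.51.100.1 host 203.0.113.2
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 set pfs group14
 match address VPN_ACL
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPN
```

The only lines that differ between the two variants are the "crypto isakmp key" statement versus the "crypto key pubkey-chain rsa" block, and the "authentication" keyword in the ISAKMP policy; everything else (modulus, lifetimes, transforms, DH group 14, PFS) applies equally and is what limits what an on-path attacker can do with captured traffic in either case.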

Thanks again for your really helpful answer. Since I will be changing the routers at one end of the VPN, for the moment I will keep pre-shared,

then I will switch to rsa-encr.

Thank you a lot.

"News Reader" wrote in message news: snipped-for-privacy@domain.null...

Reply to
Elia Spadoni

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.