i have confusion regarding the RSA usage in IPSec configuration. Please help me differentiate between RSA encryption and RSA Signature when configuring the IPSec authentication in Cisco IOS.


    I believe that your question refers to the usage of authentication rsa-encr and authentication rsa-sig in the Phase 1 policies. If they do, here is the difference between them:

    1. authentication rsa-sig simply specifies the use of certificates for peer authentication. The biggest advantage of using RSA signatures over RSA encrypted nonces is that RSA signatures provide nonrepudiation for the IKE negotiation.

    2. authentication rsa-encr is an authentication method wherein you can manually specify the public RSA keys of the peer on each router; it is quite similar to pre-shared keys in the way that the configuration is manual.

    Here is a link to manual configuration of RSA encrypted nonces:

    However, since this task is elaborate, I've figured out a way to automatically share RSA keys between peers, here's how:

    To make sure that the IKE exchange happens, specify two policies: a higher-priority policy with RSA encrypted nonces and a lower-priority policy with RSA signatures. When IKE negotiations occur, RSA signatures will be used the first time because the peers do not yet have each other's public keys. Then future IKE negotiations can use RSA encrypted nonces because the public keys will have been exchanged.
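The two-policy arrangement described in the answer, written out as an added Cisco IOS configuration example (this is not the poster's own configuration; the trustpoint name, key size, cipher choices and peer address are assumed placeholders). In IOS a lower policy number means higher priority, so the RSA encrypted nonces policy gets number 10 and the RSA signatures policy gets number 20; the certificate trustpoint is what the rsa-sig policy relies on for the first negotiation.

```cisco
! --- Added example; assumed names and values, not from the original post ---
! RSA key pair used by both authentication methods
crypto key generate rsa modulus 2048

! Certificate enrollment is required for the rsa-sig policy (assumed trustpoint name)
crypto pki trustpoint EXAMPLE-CA
 enrollment url http://ca.example.invalid:80
 subject-name CN=router1.example.invalid
 revocation-check none

! Use the IP address as the IKE identity so the stored public key is matched by peer address
crypto isakmp identity address

! Higher-priority policy: RSA encrypted nonces (works only once peer public keys are known)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-encr
 group 14
 lifetime 86400

! Lower-priority policy: RSA signatures (certificates), used for the first negotiation
crypto isakmp policy 20
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
 lifetime 86400
```

To check which method a negotiation actually used and whether the peer's public key is now stored locally, `show crypto isakmp sa detail` reports the active Phase 1 SA, and `show crypto key pubkey-chain rsa` lists the peer public keys the router holds; a peer address (for example 192.0.2.1, a placeholder) should appear there after the first rsa-sig negotiation succeeds, after which subsequent negotiations can match policy 10.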
