Dec 11, 2009

Crypto with RSA Key encryption

This article describes how to configure ISAKMP/IPsec between two Cisco IOS routers over a WAN link using RSA-encrypted nonces for IKE authentication (authentication rsa-encr). Each router generates its own RSA key pair and stores the other router's public key under crypto key pubkey-chain rsa, so no pre-shared key and no CA are needed. The pasted public key is the only thing that authenticates the peer, so it must be copied out of band and compared word for word against what the peer prints. Once phase 1 and phase 2 come up, all traffic matched by the crypto access list is sent encrypted.

Router-A#

Step-1:- Generating RSA keys on Router-A

!
Router-A(config)#crypto key generate rsa
The name for the keys will be: Router-A.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:512
Generating RSA keys...
[OK]
Router-A(config)#^Z
Router-A#

The key name is built from the hostname and ip domain-name at the time of generation, which is why the prompt above shows Router-A.cisco.com while the keys listed in Step-2 are named Router-A.apac.nsroot.net. The default 512-bit modulus accepted here is far too small for real use (a 512-bit RSA modulus, RSA-155, was publicly factored back in 1999); generate at least 2048 bits, for example crypto key generate rsa modulus 2048. Note also that the separate Signature and Encryption keys shown in Step-2 are what crypto key generate rsa usage-keys produces; a plain crypto key generate rsa creates a single General Purpose key, which is then referenced in the peer's pubkey-chain without the encryption keyword.


Step-2:- Showing RSA keys on Router-A



!
Router-A#show crypto key mypubkey rsa
% Key pair was generated at: 07:07:43 GMT Aug 24 2009
Key name: Router-A.apac.nsroot.net
Usage: Signature Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00AC3177 72226C74
DA8DCC07 E08069A9 AAC6BA13 454D8D93 AB1C6311 27FB38AA 270968FA 7631A8DF
89FC3338 8A3BFEE1 43D6248A 4B6B9D01 655868F3 99D0326C C1020301 0001
% Key pair was generated at: 07:07:44 GMT Aug 24 2009
Key name: Router-A.apac.nsroot.net
Usage: Encryption Key
Key is not exportable.
Key Data: (This is the key to paste on Router-B as the key-string for peer 172.19.243.113)
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DF0E5E CCB99D7F
A58E1563 C37B30F3 4F83E7B4 3CD2D84D FF962D20 F5BCAD3F 319E49DE D88B8A69
1CFFF1F5 2ED5D79C 55C797C4 A8D8F3DA F821D535 2CB267A6 69020301 0001
% Key pair was generated at: 08:54:28 GMT Oct 21 2009
Key name: Router-A.apac.nsroot.net.server (this third, 768-bit key is not used anywhere in this configuration)
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00BEFFE0 41E6AD09
7ECE23D7 10CAFE57 83B138BA C46C1A6F CCAC608F 8476387F C21CFA88 5A5D7C83
7DAA69AD 129652E6 C6356679 6AA08301 87A28800 F4FCAE91 72DDF46E BD2AC73C
FFCFD475 F7F5426B DE90BD16 1CDD59BB 61C31870 1B6973DA 71020301 0001


Step-3:- Configuration of crypto on Router-A



!
Router-A#
!
crypto key pubkey-chain rsa (Enter the peer's public RSA key; this entry is the trust anchor for rsa-encr, so verify it out of band, never over the link being protected)
addressed-key 172.19.243.114 encryption (Peer identified by its IP address; the encryption keyword is used because the peer has separate usage keys)
address 172.19.243.114
key-string (Paste Router-B's Encryption Key exactly as printed by show crypto key mypubkey rsa on Router-B)
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00EADFD7 72D41D3C
C3C0ED30 D7089485 3579FADC 665AB3C4 9978A23E 4E26F76B A67ADE68 702ABCB3
D329E4C8 30331EF3 A6B7D57C B81FED38 ADAE534A A47A817B 9F020301 0001
quit
!
crypto isakmp policy 20 (ISAKMP/IKE phase 1 policy with priority 20; lower numbers are tried first)
encr 3des (Phase 1 encryption; the hash is left at its default of SHA-1. 3DES is legacy, AES is preferred where the IOS image supports it)
authentication rsa-encr (Authenticate the peer with RSA-encrypted nonces using the pubkey-chain entry above; no pre-shared key or CA is involved)
group 2 (Diffie-Hellman group 2, 1024-bit MODP; also legacy)
!
crypto ipsec transform-set citi-trans ah-sha-hmac esp-3des (Phase 2 transform set: AH with HMAC-SHA-1 plus ESP with 3DES; note that AH does not survive NAT on the path)
!
crypto map TO_Router-B local-address Serial0/1/0
(IKE and IPsec are sourced from the address of Serial0/1/0, the interface the map is applied to)
crypto map TO_Router-B 20 ipsec-isakmp (Crypto map entry with sequence number 20; this number orders map entries and does not select ISAKMP policy 20, which is negotiated by priority)
set peer 172.19.243.114 (Remote IKE peer, the same address used in the pubkey-chain entry)
set transform-set citi-trans (Transform set to negotiate for phase 2)
match address 102 (Access list that defines the interesting traffic)
!
interface Serial0/1/0
ip address 172.19.243.113 255.255.255.252
crypto map TO_Router-B (Apply the crypto map on the WAN interface)
!
access-list 102 permit gre host 172.19.243.113 host 172.19.243.114
(GRE between the two WAN addresses is interesting traffic)
access-list 102 permit ip host 172.19.243.113 host 172.19.243.114
(All other IP between the two WAN addresses is also protected; this line already covers GRE, so the first entry is redundant but harmless. The peer's access list must mirror this one)
!


Router-B#



Step-1:- Generating RSA keys on Router-B



!
Router-B(config)#crypto key generate rsa
The name for the keys will be: Router-B.cisco.com
Choose the size of the key modulus in the range of 360 to 2048 for your
General Purpose Keys. Choosing a key modulus greater than 512 may take
a few minutes.
How many bits in the modulus [512]:512
Generating RSA keys...
[OK]
Router-B(config)#^Z
Router-B#


Step-2:- Showing RSA keys on Router-B



!
Router-B#sh crypto key mypubkey rsa
% Key pair was generated at: 21:34:07 GMT Aug 23 2009
Key name: Router-B.apac.nsroot.net
Usage: Signature Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C3B2E3 9454DD46
3B761D06 7777CBBD 8AFC307A E868F516 0B7771AF 72D610F6 84A81BF7 FCA9A7E3
1EEC759A 64E8738E 89AEBD07 09121E09 4C6AD2B8 0D4B81A6 4B020301 0001
% Key pair was generated at: 21:34:08 GMT Aug 23 2009
Key name: Router-B.apac.nsroot.net
Usage: Encryption Key
Key is not exportable.
Key Data: (This is the key to paste on Router-A as the key-string for peer 172.19.243.114)
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00EADFD7 72D41D3C
C3C0ED30 D7089485 3579FADC 665AB3C4 9978A23E 4E26F76B A67ADE68 702ABCB3
D329E4C8 30331EF3 A6B7D57C B81FED38 ADAE534A A47A817B 9F020301 0001
% Key pair was generated at: 11:03:41 GMT Oct 21 2009
Key name: Router-B.apac.nsroot.net.server (this third, 768-bit key is not used anywhere in this configuration)
Usage: Encryption Key
Key is not exportable.
Key Data:
307C300D 06092A86 4886F70D 01010105 00036B00 30680261 00BA8B20 6D600EFF
9D360B6A B0EC047D A248599E 32DC65F5 16D4511A 6D137571 4831F48A C054643B
7E8DBB89 DE85885B C301334B A6E64112 7C32D4A4 64D718EE D3489817 4A371988
859CD129 4BA7EBA4 EFD97852 7D6467AA E7254DB8 3879873D 4B020301 0001
!


Step-3:- Configuration of crypto on Router-B



!
Router-B#
!
crypto key pubkey-chain rsa (Enter the peer's public RSA key; verify it out of band)
addressed-key 172.19.243.113 encryption (Peer identified by its IP address; encryption keyword because the peer has separate usage keys)
address 172.19.243.113
key-string (Paste Router-A's Encryption Key exactly as printed by show crypto key mypubkey rsa on Router-A)
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00DF0E5E CCB99D7F
A58E1563 C37B30F3 4F83E7B4 3CD2D84D FF962D20 F5BCAD3F 319E49DE D88B8A69
1CFFF1F5 2ED5D79C 55C797C4 A8D8F3DA F821D535 2CB267A6 69020301 0001
quit
!
crypto isakmp policy 20 (ISAKMP/IKE phase 1 policy; must offer the same encryption, hash, authentication and group as Router-A's policy)
encr 3des (Phase 1 encryption; hash defaults to SHA-1)
authentication rsa-encr (Authenticate the peer with RSA-encrypted nonces using the pubkey-chain entry above)
group 2 (Diffie-Hellman group 2, 1024-bit MODP)
!
crypto ipsec transform-set citi-trans ah-sha-hmac esp-3des (Phase 2 transform set, identical to Router-A's)
!
crypto map TO_Router-A local-address Serial0/1/0
(IKE and IPsec are sourced from the address of Serial0/1/0)
crypto map TO_Router-A 20 ipsec-isakmp (Crypto map entry with sequence number 20; unrelated to the ISAKMP policy number)
set peer 172.19.243.113 (Remote IKE peer, the same address used in the pubkey-chain entry)
set transform-set citi-trans (Transform set to negotiate for phase 2)
match address 102 (Access list that defines the interesting traffic)
!
interface Serial0/1/0
ip address 172.19.243.114 255.255.255.252
crypto map TO_Router-A (Apply the crypto map on the WAN interface; the name must be the map defined on this router, TO_Router-A)
!
access-list 102 permit gre host 172.19.243.114 host 172.19.243.113
(GRE between the two WAN addresses is interesting traffic)
access-list 102 permit ip host 172.19.243.114 host 172.19.243.113
(All other IP between the two WAN addresses is also protected; the mirror image of Router-A's access list)
!
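Before turning on any debugs it is worth checking, off the router, that the key-string pasted on each side really is the peer's Encryption Key and that the moduli are of an acceptable size: with rsa-encr the pasted public key is all that authenticates the peer, so a mistyped key is an IKE authentication failure and a substituted key is an impersonation. The following Python script is an added example, not code from this post or from Cisco. It parses show crypto key mypubkey rsa output, decodes the DER SubjectPublicKeyInfo that IOS prints as hex words, reports modulus size and a SHA-256 fingerprint of each key, and checks a configured key-string against the peer's listing. ROUTER_B_SHOW and KEYSTRING_ON_A are quoted from the Router-B and Router-A sections above; TAMPERED_KEYSTRING is a constructed variant with one hex digit changed, and the 2048-bit minimum is the script's own assumed policy, not something the post states.

```python
# Added example, not from the post: audit the keys printed by 'show crypto key mypubkey rsa'
# and verify that a pubkey-chain key-string is the peer's Encryption Key. Stdlib only.
import hashlib
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2A864886F70D010101")  # 1.2.840.113549.1.1.1
HEX_LINE = re.compile(r"^(?:[0-9A-Fa-f]{2,8}\s*)+$")      # a line of the hex words IOS prints
MIN_RSA_BITS = 2048                                       # assumption, not from the post

def _tlv(buf, pos=0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next position)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                     # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_from_hex(text):
    """IOS prints, and key-string accepts, the DER SubjectPublicKeyInfo as hex words."""
    return bytes.fromhex(re.sub(r"\s+", "", text))

def parse_rsa_spki(der):
    """Decode SubjectPublicKeyInfo -> RSAPublicKey; return (modulus n, public exponent e)."""
    tag, spki, _ = _tlv(der)
    alg_tag, alg, pos = _tlv(spki)
    oid_tag, oid, _ = _tlv(alg)
    if (tag, alg_tag, oid_tag) != (0x30, 0x30, 0x06) or oid != RSA_ENCRYPTION_OID:
        raise ValueError("not a SubjectPublicKeyInfo for rsaEncryption")
    bits_tag, bits, _ = _tlv(spki, pos)
    if bits_tag != 0x03 or bits[0] != 0:
        raise ValueError("subjectPublicKey is not a byte-aligned BIT STRING")
    _, rsa, _ = _tlv(bits, 1)                             # skip the unused-bits byte
    t_n, n_bytes, pos = _tlv(rsa)
    t_e, e_bytes, _ = _tlv(rsa, pos)
    if t_n != 0x02 or t_e != 0x02:
        raise ValueError("RSAPublicKey must hold two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")

def parse_show_mypubkey(output):
    """Split show output into records of key name, usage and hex key data."""
    keys, cur = [], None
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("Key name:"):
            cur = {"name": line.split(":", 1)[1].strip(), "usage": "", "hex": ""}
            keys.append(cur)
        elif line.startswith("Usage:") and cur:
            cur["usage"] = line.split(":", 1)[1].strip()
        elif cur and HEX_LINE.match(line):
            cur["hex"] += line + " "
    return keys

def audit_key(hex_text):
    """Return modulus size, exponent, SHA-256 fingerprint and findings for one key."""
    der = der_from_hex(hex_text)
    n, e = parse_rsa_spki(der)
    findings = []
    if n.bit_length() < MIN_RSA_BITS:
        findings.append(f"weak modulus: {n.bit_length()} bits < {MIN_RSA_BITS}")
    return {"bits": n.bit_length(), "e": e, "sha256": hashlib.sha256(der).hexdigest(),
            "findings": findings}

def matching_key_name(peer_show_output, configured_keystring, usage="Encryption Key"):
    """Name of the peer key of that usage which the local key-string reproduces byte for byte, or None."""
    wanted = der_from_hex(configured_keystring)
    for key in parse_show_mypubkey(peer_show_output):
        if key["usage"] == usage and der_from_hex(key["hex"]) == wanted:
            return key["name"]
    return None

# Quoted from the post: Router-B's Signature and Encryption key entries.
ROUTER_B_SHOW = """\
% Key pair was generated at: 21:34:07 GMT Aug 23 2009
Key name: Router-B.apac.nsroot.net
Usage: Signature Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00C3B2E3 9454DD46
3B761D06 7777CBBD 8AFC307A E868F516 0B7771AF 72D610F6 84A81BF7 FCA9A7E3
1EEC759A 64E8738E 89AEBD07 09121E09 4C6AD2B8 0D4B81A6 4B020301 0001
% Key pair was generated at: 21:34:08 GMT Aug 23 2009
Key name: Router-B.apac.nsroot.net
Usage: Encryption Key
Key is not exportable.
Key Data:
305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00EADFD7 72D41D3C
C3C0ED30 D7089485 3579FADC 665AB3C4 9978A23E 4E26F76B A67ADE68 702ABCB3
D329E4C8 30331EF3 A6B7D57C B81FED38 ADAE534A A47A817B 9F020301 0001
"""
# Quoted from the post: the key-string entered on Router-A for peer 172.19.243.114.
KEYSTRING_ON_A = """305C300D 06092A86 4886F70D 01010105 00034B00 30480241 00EADFD7 72D41D3C
C3C0ED30 D7089485 3579FADC 665AB3C4 9978A23E 4E26F76B A67ADE68 702ABCB3
D329E4C8 30331EF3 A6B7D57C B81FED38 ADAE534A A47A817B 9F020301 0001"""
# Constructed: the same key-string with one hex digit changed (a typo, or a swapped key).
TAMPERED_KEYSTRING = KEYSTRING_ON_A.replace("00EADFD7", "00EADFD8")

if __name__ == "__main__":                                # stand-alone run
    for key in parse_show_mypubkey(ROUTER_B_SHOW):
        print(key["name"], key["usage"], audit_key(key["hex"]))
    print(matching_key_name(ROUTER_B_SHOW, KEYSTRING_ON_A), matching_key_name(ROUTER_B_SHOW, TAMPERED_KEYSTRING))
```

Run as python3 on the pasted output of both routers. Both keys in this post decode to 512-bit moduli with exponent 65537 and are flagged as weak; the key-string from Router-A matches Router-B's Encryption Key and not its Signature Key, while the tampered copy matches nothing, which is exactly the case that would otherwise only surface as a phase 1 authentication failure in debug crypto isakmp.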


Troubleshooting



Router-A#sh crypto isakmp sa (Phase 1 SAs; a state of QM_IDLE means IKE has authenticated the peer with its RSA key. Pair it with sh crypto ipsec sa, whose #pkts encaps/decaps counters show that traffic is actually being encrypted)
Router-A#sh crypto session (Summary of active crypto sessions)
Router-A#sh crypto ipsec transform-set (To check the transform set)
Router-A#sh crypto key mypubkey rsa (To check the local RSA keys; sh crypto key pubkey-chain rsa shows the peer key stored locally, which should match the peer's output word for word)
Router-A#debug crypto isakmp (Step-by-step phase 1 negotiation; an authentication failure here usually means a mistyped or swapped key-string)
Router-A#debug crypto ipsec (Step-by-step phase 2 negotiation)
Router-A#debug crypto session (Session-level events; run debugs with care on production routers and turn them off when done)

Copyright © Vinay's Blog | Powered by Blogger

Design by | Blogger Theme by