How to create RSA Keys for IPSec

Version 0.1 (02 May 2018)

Prepare RSA keys

If raw RSA keys are used for IPsec authentication, the keys have to be created before they can be referenced in the configuration. Each RSA key pair consists of a private key, which stays in the NSS database of the node it belongs to and is never copied anywhere else, and a public key, which goes into the connection configuration file that is shared between the nodes.

Creating the key and storing it in the NSS database is straightforward, but it has to be done separately on each node, because every node needs its own key pair.

To create a new 4096-bit RSA key, run the following command on each node:

ipsec newhostkey --bits 4096 --output /etc/ipsec/ipsec.d/.secrets

Example:

root@ng-east:~# ipsec newhostkey --output /etc/ipsec/ipsec.d/ng-east.secrets

Generated RSA key pair with CKAID 2dedf16dedf74614c7519e97c6fcef1baaf03bc4 was stored in the NSS database.

Note that this example omits --bits and therefore creates a key of the tool's default size; add --bits 4096 if that is the size you want. Record the CKAID printed on each node, as it is needed in the next step.

Next, extract the public key so that it can be placed in the configuration file.

On the West (left) node, run the following command with the CKAID that ipsec newhostkey printed on that node. On the East (right) node use --right instead of --left, so that the key is printed as a rightrsasigkey= line.

root@ng-west:~# ipsec showhostkey --left --ckaid 2dedf16ded… … … 6fcef

        # rsakey AQPADPksQ
        leftrsasigkey=0sAQO1Gr2MY41qhG…………….bbtc7lkT+TxtPBE7sSBWkHr1C5aalkYLwL9kfgK0i7w==

The leftrsasigkey= and rightrsasigkey= lines can be copied directly into the connection configuration file, which is the same on both nodes. In this mode the public key is the only thing that authenticates the peer, so transfer it over a trusted channel and compare it against the showhostkey output on the node that generated it before enabling the tunnel; a substituted public key would let an attacker authenticate as that peer. Below is an example of a host-to-host configuration with RSA keys.

Example /etc/ipsec/ipsec.d/host-to-host-rsa.conf

conn host-to-host-rsa
      connaddrfamily=ipv4
      auto=start
      authby=rsasig

      leftid=@West
      left=192.168.50.4
      leftrsasigkey=0sAQO1Gr2MY41qhG…………….bbtc7lkT+TxtPBE7sSBWkHr1C5aalkYLwL9kfgK0i7w==
      rightid=@East
      right=192.168.58.4
      rightrsasigkey=0Vaixy810IkQzUU+SmxA6O………..WORl0i3K43tZx9aakmMyvanRg7Bwz4R+ssDe4+MwsGP0=

Note: The RSA Keys have been shortened in the example to improve readability.
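As an added example, not taken from the article or from the Nodegrid or Libreswan tooling, the shell script below turns the three manual steps above into a small helper: it pulls the CKAID out of the message printed by ipsec newhostkey, pulls the key value out of the ipsec showhostkey output of each node, and writes the conn block while refusing the two usual copy-paste mistakes (a value that is not a 0s base64 blob as showhostkey prints it, and the same public key on both sides). The tool outputs and key values embedded in the script are constructed and shortened, not real key material; on a node you would feed it the live command output instead.

```shell
#!/bin/sh
# Added example, not part of the original article or of the Nodegrid/Libreswan
# tooling. Helpers that assemble a host-to-host conn block from the output of
# `ipsec newhostkey` and `ipsec showhostkey`. All tool output below is
# CONSTRUCTED from the truncated samples in the article so the script runs
# without an IPsec stack; the key strings are not real key material.

# Message printed by `ipsec newhostkey --bits 4096 --output <file>` (constructed).
NEWHOSTKEY_OUT='Generated RSA key pair with CKAID 2dedf16dedf74614c7519e97c6fcef1baaf03bc4 was stored in the NSS database.'

# Output of `ipsec showhostkey --left --ckaid <ckaid>` on the west node (constructed key).
SHOWHOSTKEY_LEFT='        # rsakey AQPADPksQ
        leftrsasigkey=0sAQO1Gr2MY41qhGconstructedWestKeyNotRealMaterial0i7w=='

# Output of `ipsec showhostkey --right --ckaid <ckaid>` on the east node (constructed key).
SHOWHOSTKEY_RIGHT='        # rsakey AQPADPksQ
        rightrsasigkey=0sAQO3ConstructedEastKeyNotRealMaterialxy810IkQzUU=='

# Print the 40-hex-digit CKAID from a newhostkey message read on stdin.
extract_ckaid() {
    sed -n 's/.*CKAID \([0-9a-f]\{40\}\).*/\1/p'
}

# Print the key value (everything after "=") from showhostkey output read on
# stdin, whether the line is leftrsasigkey= or rightrsasigkey=.
extract_pubkey() {
    sed -n 's%^[[:space:]]*[a-z]*rsasigkey=\(0s[A-Za-z0-9+/=]*\).*%\1%p'
}

# Accept only a "0s" base64 blob, the form showhostkey emits.
valid_pubkey() {
    printf '%s' "$1" | grep -Eq '^0s[A-Za-z0-9+/]+={0,2}$'
}

# Emit a conn block in the article's layout. Refuses to produce one when both
# sides carry the same public key: that only happens when one showhostkey
# output was pasted twice or the private key was copied between nodes.
# Arguments: name leftid left leftkey rightid right rightkey
render_conn() {
    name=$1 leftid=$2 leftaddr=$3 leftkey=$4 rightid=$5 rightaddr=$6 rightkey=$7
    valid_pubkey "$leftkey"  || { echo "bad leftrsasigkey value" >&2; return 1; }
    valid_pubkey "$rightkey" || { echo "bad rightrsasigkey value" >&2; return 1; }
    [ "$leftkey" != "$rightkey" ] || { echo "left and right public keys are identical" >&2; return 1; }
    printf 'conn %s\n' "$name"
    printf '      auto=start\n'
    printf '      authby=rsasig\n'
    printf '      leftid=%s\n      left=%s\n      leftrsasigkey=%s\n' "$leftid" "$leftaddr" "$leftkey"
    printf '      rightid=%s\n      right=%s\n      rightrsasigkey=%s\n' "$rightid" "$rightaddr" "$rightkey"
}

# Demo run over the constructed outputs; on a node, replace the variables
# with the live command output from each side.
main() {
    ckaid=$(printf '%s\n' "$NEWHOSTKEY_OUT" | extract_ckaid)
    echo "CKAID to pass to 'ipsec showhostkey --ckaid': $ckaid"
    westkey=$(printf '%s\n' "$SHOWHOSTKEY_LEFT" | extract_pubkey)
    eastkey=$(printf '%s\n' "$SHOWHOSTKEY_RIGHT" | extract_pubkey)
    render_conn host-to-host-rsa @West 192.168.50.4 "$westkey" @East 192.168.58.4 "$eastkey"
}

main
```

The two checks in render_conn are deliberately strict: a value that does not parse as a 0s blob usually means a line was truncated when it was copied, and identical keys on both sides means the tunnel could never authenticate the two peers as distinct hosts.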
