11/27/2021

Crypto Key Generate Rsa Label

UPDATE: Please read my updated post regarding SSH on Cisco IOS.

If you want to generate RSA key pairs, use the crypto key generate rsa command, for example: hostname/contexta(config)# crypto key generate rsa. Without additional keywords, this command generates one general-purpose RSA key pair; because no key modulus is specified, the default modulus of 1024 is used. A key pair can also be given a label and stored on a token, for example: crypto key generate rsa general-keys label tokenkey1 storage usbtoken0. The following example specifies the redundancy keyword: Router(config)# crypto key generate rsa label MYKEYS redundancy. The router then responds: The name for the keys will be: MYKEYS. Choose the size of the key modulus in the range of 360 to 2048 for your General Purpose Keys.

On my previous blog post, I talked about one of the things a Network Engineer must do to harden Cisco routers and switches. Today, I am adding another one to the list. I will try to keep adding to this list to raise the importance of security.

As the title says, I am going to show you how to enable SSH on Cisco IOS devices. The commands are essentially the same across IOS versions. If the commands listed here don't work on your release, use the IOS context-sensitive help (the ? key).

Most, if not all, network people know that Telnet sends data in clear text, so usernames and passwords are up for grabs to anyone who can capture the traffic. Imagine an unauthorized user logging into a company's Cisco IOS devices, deleting the configuration and rebooting them. When that happens, someone would be let go pretty soon.

To enable SSH on Cisco IOS, the IOS image needs to include the crypto feature set. If your IOS image does not support crypto, then you're out of luck. If you have a SMARTnet contract, I suggest you upgrade to an IOS image that does. For legacy hardware that cannot run such an image, the only choice is to replace it with newer hardware. Check Cisco Feature Navigator to see whether your IOS image supports the crypto feature.

Enabling SSH on Cisco IOS

Without further delay, below are the commands to enable SSH on Cisco IOS. With this method, Cisco IOS requires the user to specify the host name and domain name.

Alternatively, a Cisco IOS user can enable SSH without specifying the domain name by giving the key pair a label, as shown below. In this case, I am using a 4096-bit key size for the RSA keys.

While you don't strictly need the transport input ssh command for SSH to work, it is recommended so that Telnet is disabled altogether. By default, line vty 0 to 15 has transport input all configured, but that default is not shown in the running configuration or startup configuration. As a result, the default allows login over either SSH or Telnet.
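As an added example, not the listing from the original post, here is an SSH-only management configuration that puts the pieces above together; the hostname, domain name, key label and username are assumed values, and the password is a placeholder:

```cisco
! Added example (not the original post's configuration). Assumed values:
! hostname R1, domain example.com, key label SSH-KEY, user admin.
hostname R1
ip domain-name example.com
!
! A labelled key pair does not depend on the hostname/domain; 4096-bit as in the post.
crypto key generate rsa label SSH-KEY modulus 4096
ip ssh rsa keypair-name SSH-KEY
!
! SSHv2 only, with a login timeout and a retry limit for brute-force protection.
ip ssh version 2
ip ssh time-out 60
ip ssh authentication-retries 3
!
! Local credentials (placeholder password); AAA via TACACS+/RADIUS is preferable.
username admin privilege 15 secret <strong-password-placeholder>
!
! Weak default (implicit, not shown in running-config):
!   line vty 0 15
!    transport input all      <- allows Telnet as well as SSH
! Hardened version: SSH only, local login, idle timeout.
line vty 0 15
 login local
 transport input ssh
 exec-timeout 10 0
```

After applying it, show ip ssh should report SSH Enabled - version 2.0, and a Telnet attempt to the vty lines is refused.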

Final Words

Hopefully, this will be included in your standard configuration for all Cisco routers and switches that you have. Telnet is considered a security risk, so replacing it with SSH will reduce that risk on your network.

I hope this has been helpful and thank you for reading!


Most of the IPsec tunnels I see configured, both in labs and in the real world, rely on relatively weak preshared keys to establish the initial secure ISAKMP channel for key exchange between the IPsec peers (see my IPsec quick and dirty article for an example configuration). A much stronger solution is to use public/private key pairs distributed by a secure Public Key Infrastructure (PKI) Certificate Authority (CA). Unfortunately, deploying an enterprise PKI is no small undertaking, and many engineers are understandably hesitant about tying any aspect of network connectivity to the functionality of unrelated servers or services.

Fortunately, IOS allows for a comfortable middle ground, using manually distributed RSA encryption keys on routers. The 12.4T documentation has a pretty clear run-down of the steps required for such a setup. The example in this post will create an IPsec tunnel between R1 and R3 in the following topology.


First, we need to generate an RSA public/private key pair on both of the endpoint routers.

If this is your first time creating an RSA keypair on the router, you may see a log message indicating that SSH has been enabled. RSA keys are also used for securing SSH connections.

We can view the public key in our new keypair with the show crypto key mypubkey rsa command:


Note that I've neglected to properly configure the clock on the routers in my lab; when creating crypto keys in the real world, you want to first ensure the router's clock is accurate.

Both routers now have unique public and private keys. For these to be useful, we need to exchange the public keys between the routers so that R1 has a copy of R3's public key and vice versa. To do that, we create a public key chain on each router and manually copy the keys over.

At this prompt you can simply copy the key from the output of R3's terminal into R1's terminal. End by entering quit.


We can confirm that the key was successfully entered on R1 by inspecting its public key chain:

Note that the hex string above exactly matches that in the output of show crypto key mypubkey rsa R3 on R3. This verifies that we have correctly copied its public key.

Repeat this configuration for R3, copying R1's public key to R3, to complete the key exchange.

With the RSA keys settled, we can move on to the ISAKMP and IPsec configurations. Creating an ISAKMP policy that uses the RSA keys is almost identical to one that uses a preshared key, except that we specify RSA encryption (rsa-encr) as the authentication type instead of pre-share.

At this point, you might encounter the following system message, especially if performing this configuration on a Dynamips lab:


This message warns that hardware RSA encryption is unavailable on the platform, and can be safely ignored in our case.

We can verify the creation of our ISAKMP policy with show crypto isakmp policy:

I'll resist diving into the remainder of the IPsec configuration here, but the following is an example configuration for R1 (you can also reference the complete R1 and R3 configs attached at the end of this article):
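Since the R1 configuration is not reproduced on this page, here is an added example (not the article's attached config) covering both the public key chain exchange described above and the ISAKMP/IPsec pieces; the addresses (R1 10.0.0.1 and R3 10.0.0.3 on the tunnel endpoints, LANs 192.168.1.0/24 and 192.168.3.0/24), key label, and interface are assumptions:

```cisco
! Added example for R1 (not the original article's config). Assumed values:
! R1 10.0.0.1, R3 10.0.0.3, LANs 192.168.1.0/24 and 192.168.3.0/24, Fa0/0.
crypto key generate rsa label R1-IPSEC modulus 2048
!
! R3's public key, pasted from 'show crypto key mypubkey rsa' on R3 and
! keyed by R3's peer address (ISAKMP identity defaults to address).
crypto key pubkey-chain rsa
 addressed-key 10.0.0.3
  key-string
   <paste R3 hex key data here - placeholder>
  quit
!
! Same as a preshared-key policy except for the authentication line.
! hash sha256 / group 14 need a release that supports them;
! use 'hash sha' and 'group 5' on older 12.4T images.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-encr
 group 14
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic between the two LANs.
ip access-list extended VPN-TRAFFIC
 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 10.0.0.3
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 ip address 10.0.0.1 255.255.255.0
 crypto map VPN
```

R3 mirrors this with R1's public key under addressed-key 10.0.0.1, and show crypto key pubkey-chain rsa on each router should display the peer's key with hex data identical to the peer's show crypto key mypubkey rsa output.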


Once the configurations have been completed, you can inspect the ISAKMP and IPsec security associations with show crypto isakmp sa and show crypto ipsec sa, respectively: