28-13
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 28 Group Encrypted Transport (GET) VPNs
Generating and Synchronizing RSA Keys
For security associations (ACL rules) and IPSec policies, select Group Encryption Policy > Security Associations. See Defining GET VPN Group Encryption, page 24-51.
For preshared key policies, select IKEv1 Preshared Key. See Configuring IKEv1 Preshared Key Policies, page 25-44.
For public key (PKI) policies, select Public Key Infrastructure. See Configuring IKEv1 Public Key Infrastructure Policies in Site-to-Site VPNs, page 25-50.
For rekey settings, select Group Encryption Policy > Group Settings. See Defining GET VPN Group Encryption, page 24-51 and Generating and Synchronizing RSA Keys, page 28-13.
For key server configuration, including RSA key synchronization, select Key Servers. See Configuring GET VPN Key Servers, page 28-18 and Generating and Synchronizing RSA Keys, page 28-13.
For group membership and endpoint settings, select Group Members. See Configuring GET VPN Group Members, page 28-20.
Related Topics
Understanding Group Encrypted Transport (GET) VPNs, page 28-2
Understanding the GET VPN Registration Process, page 28-4
Understanding the GET VPN Security Policy and Security Associations, page 28-10
Troubleshooting GET VPN Configurations, page 28-25
Understanding IKEv1 Preshared Key Policies in Site-to-Site VPNs, page 25-43
Generating and Synchronizing RSA Keys
When you specify the RSA key label in the Group Encryption Policy (as described in Defining GET VPN Group Encryption, page 24-51), the corresponding RSA key (public and private keys) needs to be configured on all key servers in the GET VPN topology. The key can either be a pre-existing key that you defined on the device, or it could be a new key label, and Security Manager can generate the key for you and synchronize all key servers to use the same key.
You can use the following methods to have Security Manager generate and synchronize the RSA key:
When creating a new GET VPN using the Create VPN wizard, you are asked at the end of the wizard if you want to synchronize the keys. If you click Yes, Security Manager does the key synchronization immediately, and generates a new key if the key does not already exist. For information on using the Create VPN wizard, see Creating or Editing VPN Topologies, page 24-28.
For an existing GET VPN, you can click the Synchronize Keys button on the Key Servers policy. Use this process whenever you add key servers or generate a new key on the primary key server. For information on configuring key server settings for existing topologies, see Configuring GET VPN Key Servers, page 28-18.
Tip For existing GET VPN topologies, if you want to generate a new RSA key, it might be easiest to update the Group Encryption Policy to specify a new, unused RSA key label, then click the Synchronize Keys button in the Key Servers policy. Because the key will not exist on any key server, Security Manager will generate the new key and import it into all key servers. You can then manually delete the old key from each key server.
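After a synchronization (or a relabel as in the tip above), a practitioner will want to confirm that every key server really holds the same key pair under the label named in the Group Encryption Policy. The following script is an added example, not part of this guide or of Security Manager: it compares the public-key data that each key server prints for a given label and flags servers where the label is missing or the key differs. The device output embedded here is constructed and only approximates the layout of the IOS "show crypto key mypubkey rsa" command; the label GETVPN-KEY and the server names are assumptions.

```python
import hashlib
import re
from typing import Dict, Optional

# Constructed sample output per key server (layout approximates IOS
# "show crypto key mypubkey rsa"; the hex key data is made up and short).
SHOW_OUTPUT: Dict[str, str] = {
    "ks1": "% Key pair was generated at: 10:00:00 UTC Jan 1 2013\n"
           "Key name: GETVPN-KEY\nKey type: RSA KEYS\n Usage: General Purpose Key\n"
           " Key Data:\n  30819F30 0D06092A 864886F7\n  0D010101 020301 0001\n",
    "ks2": "% Key pair was generated at: 10:05:00 UTC Jan 1 2013\n"
           "Key name: GETVPN-KEY\nKey type: RSA KEYS\n Usage: General Purpose Key\n"
           " Key Data:\n  30819F30 0D06092A\n  864886F7 0D010101 020301 0001\n",
    "ks3": "% Key pair was generated at: 11:00:00 UTC Jan 1 2013\n"
           "Key name: GETVPN-KEY\nKey type: RSA KEYS\n Usage: General Purpose Key\n"
           " Key Data:\n  30819F30 0D06092A 864886F7\n  0D010101 020301 0003\n",
    "ks4": "% Key pair was generated at: 09:00:00 UTC Jan 1 2013\n"
           "Key name: OLD-KEY\nKey type: RSA KEYS\n Usage: General Purpose Key\n"
           " Key Data:\n  30819F30 0D06092A 864886F7\n  0D010101 020301 0001\n",
}


def extract_key_data(show_output: str, label: str) -> Optional[str]:
    """Return the hex public-key data for `label` (whitespace removed), or None if absent."""
    for block in re.split(r"(?m)^% Key pair was generated at:", show_output):
        name = re.search(r"^Key name: (\S+)", block, re.M)
        if not name or name.group(1) != label:
            continue
        parts = block.split("Key Data:", 1)
        if len(parts) < 2:
            return None
        # Hex words are printed in groups of up to 8 characters; line wrapping
        # differs between devices, so join the words before comparing.
        return "".join(re.findall(r"\b[0-9A-Fa-f]+\b", parts[1])).upper()
    return None


def fingerprint(hexdata: str) -> str:
    """Short digest of the normalized key data, convenient for reports."""
    return hashlib.sha256(hexdata.encode()).hexdigest()[:16]


def check_key_sync(outputs: Dict[str, str], label: str) -> Dict[str, str]:
    """Map each key server to 'ok', 'mismatch' or 'missing', using the first
    server that has the label as the reference key."""
    reference, result = None, {}
    for server, output in outputs.items():
        data = extract_key_data(output, label)
        if data is None:
            result[server] = "missing"
            continue
        fp = fingerprint(data)
        reference = reference or fp
        result[server] = "ok" if fp == reference else "mismatch"
    return result
```

In practice the per-server strings would be collected from each key server; any result other than "ok" means Synchronize Keys must be run again (or the stale key removed) before relying on the group.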
Following are the uses for the RSA key: