home

Supported platforms

Getting startedOverviewArchitectureSupported platformsRelease notesWhite papers
Getting startedOverviewArchitectureSupported platformsRelease notesWhite papers

Vyatta documentation

Learn how to install, configure, and operate the Vyatta Network Operating System (Vyatta NOS) and Orchestrator, which help drive our virtual networking and physical platforms portfolio.

Show On this page:

thumbnailSupported platforms

IPsec Site-to-Site VPN Commands

generate vpn rsa-key

Generates a pair of RSA public and private keys.

generate vpn rsa-key [ F4 ] [ bits bits ]
bits
Bit-length of the generated key, in 16-bit increments. The length ranges from 1024 through 4096. The default length is 2192.
F4
When specified, sets the public exponent to 65537. When absent, sets the public exponent to 3.

Operational mode

Use this command to generate a pair of RSA public and private keys. This command is available only to users with administrative privileges.

Note: A larger exponent makes brute-force attacks on public keys more difficult, so Ciena recommends using the F4 option.

RSA key pairs authenticate identities of hosts or users and securely exchange a random one-time key, which is then used for a session as the symmetrical encryption key. The public key or keys (more than one public key can be derived from the private key component) are shared with the peer that requests communication with the holder of the private key. Due to this potential one-to-many relationship, the private key is typically generated by and stored on the server, and the public key or keys are distributed to one or more clients.

The RSA key pair for the local host is generated by using this command in operational mode. After the key pair is generated, it is stored at the location that is specified by the local-key rsa-key-name option. By default, this location is the localhost.key file in the /config/ipsec.d/rsa-keys/ directory.

You can change the name and location of the key file by using security vpn rsa-keys.

The following example shows how to extract the public key in an exportable form. The public key can be extracted in the format that is used in RFC-2537, RSA/MD5 KEYs and SIGs in the Domain Name System (DNS), as the credentials of a peer by extracting it from the localhost.key file. You can then paste it into the appropriate configuration parameter on the peer. 

vyatta@WEST:~$ generate vpn rsa-key
Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key

Your new local RSA key has been generated.
RSA key fingerprint: d0:75:1b:c9:36:c7:3a:48:0a:d8:11:06:41:90:57:cb
vyatta@WEST:~$ show vpn ike rsa-keys

Local public key (/opt/Vyatta/etc/config/ipsec.d/rsa-keys/localhost.key):

0sAQOaH8PuqTqHW6kkm6hAM7Mt4juBt7tdOQAqiNfaHou72+T/1/ztUmsnXzT7c7YGGQQ95eej9IDgBGmhnmGa9kXn/Upa7M8Te9bINNAkHT7DqSxflEYH2eVFT3/Q0ZghCU8U51a66OqAbuXpfQxAZ6ujAxmGBS3FOC2b9GSRqyybGSLDoniRWSFZ12Yd5ckX4CprhJmryGU0mZn9leE5kQLiUfONPcEywCmi50RqKTcQsXgFZuEE0nw+d7K6CrJLALyOqtXEPW0kRmaqcZXhuwlOtDHgws2vUal7H+vQCq6OjKuO8+3xvLNZxH3820z81PytcnAa8X7YmrsjIV8MfWGPobk6l27ZjGOo9ZG44nEAS3KX

The following example shows how to generate a pair of RSA public and private keys. 

vyatta@WEST:~$ generate vpn rsa-key bits 1024
Generating rsa-key to /config/ipsec.d/rsa-keys/localhost.key
Your new local RSA key has been generated.
RSA key fingerprint: 78:af:08:60:92:34:c6:02:94:a2:52:53:69:91:a0:91

Last updated: December 22, 2021