With RSA authentication, RSA keys are used for authentication of the VPN endpoints. The public keys of the endpoints are exchanged manually before the connection is established. If you want to use this authentication type, you have to define a VPN identifier and create a local RSA key. The public RSA key of the gateway must be made available to remote IPsec devices that use IPsec RSA authentication with Sophos UTM.
Note – Sophos UTM uses RFC 3110 format for RSA keys. RSA authentication will not work with 3rd party endpoints that use a different RSA key format.
Displayed is the public portion of the currently installed local RSA key pair. Click into the box, then press CTRL-A and CTRL-C to copy it to the clipboard.
Select the VPN ID type which best suits your needs. By default, the hostname of the gateway is taken as the VPN identifier. If you have a static IP address as local VPN endpoint, select IP address. Alternatively, use an email address as VPN ID for mobile IPsec road warriors.
- Hostname: Default setting; the hostname of the gateway. However, you can enter a different hostname here.
- Email address: By default, this is the email address of the gateway's admin account. However, you can enter a different email address here.
- IP address: The IP address of the external interface of the gateway.
Click Apply to save your settings. Changing the settings does not modify the RSA key.
To generate a new RSA key, select the desired key size and click Apply. This will start the key generation process, which can take from a few minutes up to two hours, according to your selected key length and used hardware. The key size (key length) is a measure of the number of keys which are possible with a cipher. The length is usually specified in bits. The following key sizes are supported:
- 1024 bits
- 2048 bits
- 4096 bits