diff --git a/howto/IPsecWithPublicKeys/CiscoIOSExample.md b/howto/IPsecWithPublicKeys/CiscoIOSExample.md
new file mode 100644
index 0000000..0087e91
--- /dev/null
+++ b/howto/IPsecWithPublicKeys/CiscoIOSExample.md
@@ -0,0 +1,132 @@
+# IPsec with public key authentication on Cisco IOS
+## Setup
+### Generate an RSA keypair
+_Note: You may already have completed this step, since it's required to enable SSH._
+
+1. Configure a hostname and domain name.
+
+        Router#conf t
+        Router(config)#hostname foo
+        foo(config)#ip domain-name bar
+
+2. Generate an RSA key. The maximum length was increased from 2048 to 4096 as of release 15.1(1)T
+
+        foo(config)#crypto key generate rsa general-keys modulus 2048
+        % The key modulus size is 2048 bits
+        % Generating 2048 bit RSA keys, keys will be non-exportable...
+        foo(config)#exit
+
+### Exchange public keys with your peer
+1. Display the public key. Send the key data portion to your peer.
+
+         foo#show crypto key mypubkey rsa foo.bar
+         % Key pair was generated at: 19:24:02 UTC Jul 19 2014
+         Key name: foo.bar
+         Storage Device: not specified
+         Usage: General Purpose Key
+         Key is not exportable.
+         Key Data:
+          30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
+          00ABF25E 090CBDFC 47B3763B 01E38993 584F1D47 49DEE0FC 6A766D95 F416C5A8
+          83E16EF2 19C00BC9 64B3E351 D6F43E57 461AC689 912C22FE C4BE10EE 05750F27
+          FEBB9C8C 2DFC7DD7 C0D1E8B2 7F022F54 04101205 60E47D99 2307E625 404F1130
+          CBD1759B BBDBBF89 0C0F6B09 52E50A81 BFCC6AA6 96AFF612 B700AEA5 0EDFCDDB
+          D3C7E014 2A59CD82 29A403CA 01EE580A CC4A3A2C C36369FE D2FA0FEF 2DC32D50
+          1C55A296 3CBD6AAC 6AA66C73 FAB30A12 CFD1341D C261E013 8A7DA310 8D0E6C99
+          C248D554 D0D68508 3EA53F0F 971DA7A6 203CA186 A79F9D93 0D2E54EF F7E311B2
+          F7A8B486 D980661D DEB6C0B3 80A82583 4936F131 57C6D204 0AA5ED7F 7749F044
+          8F020301 0001
+
+2. Convert your peer's public key to the hexadecimal DER format using the [pubkey-converter][pubkey-converter] script, if necessary.
+
+[pubkey-converter]: https://github.com/ryanriske/pubkey-converter "Public key conversion script"
+
+## Configuration
+### Configure the phase 1 IKE parameters
+In this example, we'll use the following settings:
+
+| Key           | Value         |
+| :------------ | :------------ |
+| Encryption    | AES-128       |
+| Hash          | HMAC-SHA1     |
+| DH Group      | 5 (modp1536)  |
+| Lifetime      | 28800 seconds |
+| Peer address  | 192.0.2.2     |
+| Local address | 192.0.2.1     |
+
+1. Add your peer's public key
+
+        foo#conf t
+        Enter configuration commands, one per line.  End with CNTL/Z.
+        foo(config)#crypto key pubkey-chain rsa
+        foo(config-pubkey-chain)#addressed-key 192.0.2.2
+        foo(config-pubkey-key)#key
+        foo(config-pubkey-key)#key-string
+        Enter a public key as a hexidecimal number ....
+        
+        foo(config-pubkey)#30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
+        foo(config-pubkey)#00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
+        foo(config-pubkey)#33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
+        foo(config-pubkey)#FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
+        foo(config-pubkey)#065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
+        foo(config-pubkey)#0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
+        foo(config-pubkey)#F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
+        foo(config-pubkey)#F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
+        foo(config-pubkey)#E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
+        foo(config-pubkey)#D5020301 0001
+        foo(config-pubkey)#quit
+        foo(config-pubkey-key)#exit
+        foo(config-pubkey-chain)#exit
+
+2. Configure an ISAKMP policy
+
+        foo(config)#crypto isakmp policy 10
+        foo(config-isakmp)#encryption aes
+        foo(config-isakmp)#hash sha
+        foo(config-isakmp)#group 5
+        foo(config-isakmp)#lifetime 28800
+        foo(config-isakmp)#authentication rsa-sig
+        foo(config-isakmp)#exit
+
+3. All done! Configure the phase 2 parameters as you otherwise would.
+
+## Full GRE/IPsec example
+    crypto key pubkey-chain rsa
+     addressed-key 192.0.2.2
+      address 192.0.2.2
+      key-string
+       30820122 300D0609 2A864886 F70D0101 01050003 82010F00 3082010A 02820101
+       00F3E0AA 8924E512 C08BA87C 73820A15 E5180DDC EF827221 2B3864BF B2D2A5E0
+       33D04C1D 43A0CAF8 617EEEBA 7DB5BD38 429660CC 3144618E 4F386201 52483DA7
+       FDDF7AAC DCA8C19D FF5B1956 14F63831 ACE70D0F 4C557CE7 220C7E8B 9A2C837F
+       065A2B41 23B68074 C57F6F78 2F222DA1 915A095C CED77FF3 F1DF849C 3FD086EA
+       0A74901D 99DA97D5 0CFB22E7 C6C827E6 E53BE215 8D4928D2 458B02E2 1600F1F1
+       F1128D63 3A55EC4B 54E6A8E1 0B197E1E 7DA31CC2 54C30A2D 03BE5B8A 16A5E324
+       F3B15B67 C3FB2831 7F31610A 3BD59E74 E749DC25 74424F3F 7EC305AD 0BFA5008
+       E36C6E00 854433B6 A0E8DBF1 7A4741DD A91A5320 1D5150FA 28F12273 56A3E9A2
+       D5020301 0001
+      quit
+    !
+    crypto isakmp policy 10
+     encr aes
+     group 5
+     lifetime 28800
+    !
+    crypto ipsec transform-set tset esp-aes esp-sha-hmac
+     mode transport
+    !
+    crypto ipsec profile FOO
+     set transform-set tset
+     set pfs group5
+    !
+    interface Tunnel0
+     ip address 10.1.2.0 255.255.255.254
+     ip mtu 1400
+     tunnel source 192.0.2.1
+     tunnel destination 192.0.2.2
+     tunnel protection ipsec profile FOO
+    !
+    interface FastEthernet0/0
+     description WAN
+     ip address 192.0.2.1 255.255.255.0
+     duplex full
\ No newline at end of file