IPSec RA VPN with CA Outside

May 11th, 2009
Does the CA have to be outside the firewall as diagrammed in http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008092d8f1.shtml


We may have an aversion to having a CA internet accessible. Our RA VPN clients would not be so far away that they could never come into the office to get a cert first.


Thanks.


vmoopeung Sat, 05/16/2009 - 18:22

With a CA, a peer authenticates itself to the remote peer by sending a certificate to the remote peer and performing some public key cryptography. Each peer sends its own unique certificate which was issued and validated by the CA. This process works because each peer's certificate encapsulates the peer's public key, each certificate is authenticated by the CA, and all participating peers recognize the CA as an authenticating authority.


Check the URL: Managing VPN Remote Access:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/basclnt.html


Configuring IPSec and Certification Authorities:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/ipsecint.html

