IPSec RA VPN with CA Outside

Unanswered Question
May 11th, 2009

Does the CA have to be outside the firewall as diagrammed in http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008092d8f1.shtml?

We may have an aversion to having a CA Internet accessible. Our RA VPN clients would not be so far away that they could never come into the office to get a cert first.


vmoopeung Sat, 05/16/2009 - 18:22

With a CA, a peer authenticates itself to the remote peer by sending a certificate to the remote peer and performing some public key cryptography. Each peer sends its own unique certificate which was issued and validated by the CA. This process works because each peer's certificate encapsulates the peer's public key, each certificate is authenticated by the CA, and all participating peers recognize the CA as an authenticating authority.

Check the URL: Managing VPN Remote Access:


Configuring IPSec and Certification Authorities:
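
The certificate exchange described in the reply above, as an added OpenSSL example that is not part of the original thread and is not Cisco configuration. It assumes a throwaway lab PKI whose names (Lab-CA, Other-CA, vpn-peer) are constructed, and shows the two checks the receiving peer performs: the CA signature on the certificate, and proof that the sender holds the matching private key.

```shell
#!/usr/bin/env bash
# Added example: throwaway lab PKI. Lab-CA, Other-CA and vpn-peer are constructed names.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca <name>: create a self-signed CA certificate and key
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# issue_cert <ca> <peer>: the peer makes a key and CSR, the CA signs the CSR
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -set_serial 4097 -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# verify_peer <ca> <peer>: the receiving side checks the CA signature on the
# peer certificate using only its local copy of the CA certificate
verify_peer() {
  openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" 2>/dev/null | grep -q ': OK$'
}

# prove_possession <peer>: the peer signs a fresh nonce with its private key;
# the receiver checks the signature with the public key taken from the certificate
prove_possession() {
  openssl rand -hex 16 > "$WORK/nonce" &&
  openssl dgst -sha256 -sign "$WORK/$1.key" -out "$WORK/sig" "$WORK/nonce" &&
  openssl x509 -in "$WORK/$1.crt" -noout -pubkey > "$WORK/$1.pub" &&
  openssl dgst -sha256 -verify "$WORK/$1.pub" -signature "$WORK/sig" "$WORK/nonce" >/dev/null 2>&1
}

make_ca Lab-CA && make_ca Other-CA && issue_cert Lab-CA vpn-peer
verify_peer Lab-CA vpn-peer   && echo "vpn-peer: certificate chains to Lab-CA"
verify_peer Other-CA vpn-peer || echo "vpn-peer: rejected by a peer that trusts only Other-CA"
prove_possession vpn-peer     && echo "vpn-peer: holds the private key for its certificate"
```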


