IPSec RA VPN with CA Outside

Unanswered Question
May 11th, 2009

Does the CA have to be outside the firewall, as diagrammed in http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008092d8f1.shtml?

We may have an aversion to having a CA Internet accessible. Our RA VPN clients would not be so far away that they could never come into the office to get a cert first.

Thanks.

vmoopeung Sat, 05/16/2009 - 18:22

With a CA, a peer authenticates itself to the remote peer by sending a certificate to the remote peer and performing some public key cryptography. Each peer sends its own unique certificate which was issued and validated by the CA. This process works because each peer's certificate encapsulates the peer's public key, each certificate is authenticated by the CA, and all participating peers recognize the CA as an authenticating authority.

Check the URL: Managing VPN Remote Access:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/basclnt.html

Configuring IPSec and Certification Authorities:

http://www.cisco.com/en/US/docs/security/pix/pix63/configuration/guide/ipsecint.html
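
An added illustration of the certificate check described in the reply above, not part of the original thread and not Cisco configuration: it uses the `openssl` command line (assumed installed) to enroll a peer, validate its certificate against the locally stored CA certificate, and confirm the peer holds the matching private key. Demo-CA, Rogue-CA and vpn-client-1 are constructed names, and a signed nonce stands in for the public-key step of the real key exchange.

```shell
#!/bin/sh
# Added example. Demo-CA, Rogue-CA and vpn-client-1 are constructed names.

make_ca() {            # $1 = CA directory, $2 = CA common name
    mkdir -p "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {         # $1 = CA directory, $2 = peer common name, $3 = output prefix
    # Enrollment: the peer generates a key pair and the CA signs its request.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -out "$3.crt" 2>/dev/null
}

verify_peer() {        # $1 = trusted CA certificate, $2 = certificate the peer sent
    # Only the CA certificate stored locally is read; the CA key is not needed.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

sign_nonce() {         # $1 = peer private key, $2 = nonce, $3 = signature file
    printf '%s' "$2" | openssl dgst -sha256 -sign "$1" -out "$3"
}

check_nonce_sig() {    # $1 = peer certificate, $2 = nonce, $3 = signature file
    # The public key is taken from the certificate the CA signed.
    openssl x509 -in "$1" -noout -pubkey > "$3.pub" &&
    printf '%s' "$2" | openssl dgst -sha256 -verify "$3.pub" -signature "$3" \
        >/dev/null 2>&1
}

run_demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d/ca" "Demo-CA" && make_ca "$d/rogue" "Rogue-CA" &&
    issue_cert "$d/ca" "vpn-client-1" "$d/client" &&
    issue_cert "$d/rogue" "vpn-client-1" "$d/fake" &&
    sign_nonce "$d/client.key" "constructed-nonce-1" "$d/sig" || return 1
    trusted=no; rogue=no; possession=no
    verify_peer "$d/ca/ca.crt" "$d/client.crt" && trusted=yes
    verify_peer "$d/ca/ca.crt" "$d/fake.crt" && rogue=yes
    check_nonce_sig "$d/client.crt" "constructed-nonce-1" "$d/sig" && possession=yes
    rm -rf "$d"
    echo "trusted=$trusted rogue=$rogue possession=$possession"
}

run_demo
```

The example does not cover revocation checking, which needs a CRL or similar source that the verifying peer can read.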
