Site-to-Site VPN not use pre-shared key

yanzhu
Level 1

I need help with this problem: I am using a Cisco 877 router to build an IPSec/GRE tunnel over the Internet to a Nokia firewall / Checkpoint VPN-1 NG box. We used to build the IPSec tunnel using a pre-shared key at both ends, which works well. But this time the Nokia firewall end does not allow it, and always requests "ISAKMP: auth RSA sig" instead (got it from debug crypto isakmp). There is a way to fix the problem by changing global settings for the firewall, but it is not allowed because other IPSec tunnels are already terminated on that box.

So we have to use the router's self-signed cert instead of a pre-shared key for crypto. But I don't know what parameters to specify when configuring "crypto key public-chain rsa". What information do I need to ask the Nokia firewall admin for? And what does he have to do to manually generate/exchange the cert? I wonder if anyone has done this before, and please help if you do.

Thanks in advance

Tony

4 Replies

kwillacey
Level 3

I have only done this between two routers and a Microsoft CA server, but in the simplest form all you need to do is enroll with the CA server and request a certificate, which the CA server would then grant, and both devices would have to do that. The config below is using a Microsoft CA server.

crypto key generate rsa general-keys modulus 1024
crypto pki trustpoint
 enrollment mode ra
 enrollment url http:///certsrv/mscep/mscep.dll
 revocation-check crl
 auto-enroll 70
crypto ca authenticate
crypto ca enroll

Maybe these two links can help

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00801405ac.shtml

http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_configuration_example09186a00800946c0.shtml

There is no internal CA server available and I am not sure if the firewall admin would agree to enroll to an external CA server. Is there any other way to fix it?

It's either the Cisco or the Checkpoint that will act as a CA server, or you have no choice but to change the authentication to pre-shared keys. AFAIK it can't work without a CA server.

Is it possible for the router and the firewall to exchange the RSA sig directly?

I saw there were three options for auth:

Pre-shared
RSA-Encr (via CA server)
RSA-Sig
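If the two admins do end up exchanging RSA public keys by hand, the following added example (not from this thread or from Cisco) checks the received key before it is typed in as a key-string under crypto key pubkey-chain rsa. It assumes the key-string hex is the DER-encoded SubjectPublicKeyInfo that "show crypto key mypubkey rsa" prints, uses only the Python standard library, and builds its own constructed sample key rather than a real router key.

```python
import hashlib

RSA_OID = bytes.fromhex("06092A864886F70D010101")  # rsaEncryption OID, already DER-wrapped

def _tlv(data, pos):
    """Read one DER tag-length-value starting at pos; return (tag, value, next_pos)."""
    tag, ln = data[pos], data[pos + 1]
    pos += 2
    if ln & 0x80:                                 # long form: low 7 bits = count of length bytes
        n = ln & 0x7F
        ln, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + ln], pos + ln

def _check(cond, msg):
    if not cond:
        raise ValueError(msg)

def parse_key_string(hexstr):
    """Validate a peer's key-string hex (assumed DER SubjectPublicKeyInfo) and summarise it."""
    der = bytes.fromhex("".join(hexstr.split()))  # IOS prints the hex in space-separated groups
    tag, spki, _ = _tlv(der, 0)
    _check(tag == 0x30, "outer SEQUENCE missing")
    tag, alg, pos = _tlv(spki, 0)
    _check(tag == 0x30 and alg.startswith(RSA_OID), "AlgorithmIdentifier is not rsaEncryption")
    tag, bits, _ = _tlv(spki, pos)
    _check(tag == 0x03 and bits[:1] == b"\x00", "BIT STRING missing or has unused bits")
    _, rsakey, _ = _tlv(bits, 1)                  # skip the unused-bits byte
    tag_n, n, pos = _tlv(rsakey, 0)
    tag_e, e, _ = _tlv(rsakey, pos)
    _check(tag_n == 0x02 and tag_e == 0x02, "RSAPublicKey INTEGERs missing")
    return {
        "modulus_bits": int.from_bytes(n, "big").bit_length(),
        "exponent": int.from_bytes(e, "big"),
        "sha256": hashlib.sha256(der).hexdigest(),  # read this back to the peer admin out of band
    }

def _der(tag, value):
    """Minimal DER encoder, used only to build the constructed sample below."""
    ln, lb = len(value), (len(value).bit_length() + 7) // 8
    lenb = bytes([ln]) if ln < 0x80 else bytes([0x80 | lb]) + ln.to_bytes(lb, "big")
    return bytes([tag]) + lenb + value

def _der_int(v):
    return _der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))  # spare byte keeps it positive

def make_sample_key_string(modulus, exponent=65537):
    """CONSTRUCTED sample: wraps an arbitrary odd integer as an rsaEncryption SPKI; not a real key."""
    rsakey = _der(0x30, _der_int(modulus) + _der_int(exponent))
    spki = _der(0x30, _der(0x30, RSA_OID + b"\x05\x00") + _der(0x03, b"\x00" + rsakey))
    return spki.hex().upper()
```

Both sides run parse_key_string on the hex they received and compare the sha256 value with what the other admin reads out; a mismatch means the key was mistyped or altered in transit.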
