I have an IOS router (remote) and an ASA 5510 (central site) doing Lan2Lan IPSEC VPN with pre-shared secrets. I need to convert this to certificate authentication.
The ASA has a static IP and is using a dynamic crypto map. This particular remote also has a static IP but some future remotes will be dynamically addressed (hence the dynamic crypto map on the ASA). The ASA sw version is 8.2(1). Router IOS is 12.4.
I already have my Microsoft CA up and running. Both the ASA and the router have the CA configured and are enrolled to it. The CA cert and their own identity certs are issued and installed.
I want to configure the ASA so when the remote router connects and sees that the router's identity cert contains an "OU" value of "netpki", it sets up the connection using a specific tunnel-group. Right now the connection uses the DefaultL2LGroup. I could continue using that but I wouldn't hesitate to create a new group if that makes more sense.
I've found lots of docs for each of the particular commands used in this but I have yet to find any examples that show how the commands are used to tie everything together. I'm still not even sure if there's anything that I have to change on the router other than changing the isakmp policy from pre-shared to rsa-sig.
Example config bits or links will be much appreciated.
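Added example (not from the original post or any reply): one way to tie the pieces together on ASA 8.2 and IOS 12.4. Every name, address and trustpoint below is a placeholder (NETPKI_MAP, NETPKI_L2L, MSCA_TP, MY-MS-CA, 203.0.113.1, the ACL and map names); substitute your own. The issuer-name line is an assumption about your CA's common name, but the idea matters: match on the issuer as well as the OU so that only certificates from your own CA with OU=netpki land in the new tunnel-group, not any certificate from some other trusted CA that happens to carry that OU.

```cisco
! ===== ASA 5510 (8.2), central site =====
! Phase 1: RSA signatures instead of pre-shared keys
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
! With a trustpoint in play the ASA sends its certificate DN as the IKE identity
crypto isakmp identity auto

! Certificate map: subject OU must be "netpki" AND the cert must come from our CA
! (issuer CN "MY-MS-CA" is a placeholder for the Microsoft CA's name)
crypto ca certificate map NETPKI_MAP 10
 subject-name attr ou eq netpki
 issuer-name attr cn eq MY-MS-CA

! Dedicated L2L tunnel-group for anything the map matches;
! MSCA_TP is the placeholder name of the ASA's trustpoint for the Microsoft CA
tunnel-group NETPKI_L2L type ipsec-l2l
tunnel-group NETPKI_L2L ipsec-attributes
 trust-point MSCA_TP
 peer-id-validate req

! Bind the certificate map to the tunnel-group; unmatched peers still fall
! back to DefaultL2LGroup
tunnel-group-map enable rules
tunnel-group-map NETPKI_MAP 10 NETPKI_L2L

! Phase 2 stays on a dynamic crypto map so dynamically addressed spokes work
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside

! ===== IOS 12.4 remote router =====
! Drop the pre-shared key for the ASA peer (placeholder key and address)
no crypto isakmp key PRE_SHARED_SECRET address 203.0.113.1
crypto isakmp policy 10
 encr aes
 hash sha
 authentication rsa-sig
 group 2
 lifetime 86400
! Send the certificate DN as IKE identity so the ASA's cert map can read the OU
crypto isakmp identity dn
! The existing static crypto map is unchanged apart from authentication;
! REMOTE_MAP, L2L_ACL and the peer address are placeholders
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto map REMOTE_MAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set ESP-AES-SHA
 match address L2L_ACL
```

Two checks worth doing before cutting over. First, the subject-name match can only work if the router's identity certificate actually contains OU=netpki; that is fixed at enrollment time by the subject-name configured under the IOS trustpoint, so confirm it with `show crypto pki certificates` on the router and re-enroll if the OU is missing. Second, bring the tunnel up with `debug crypto isakmp` running on the ASA: the debug output states which tunnel-group the connection landed on, which tells you immediately whether the certificate map matched or the peer fell through to DefaultL2LGroup. Enabling revocation checking on the ASA trustpoint (CRL from the Microsoft CA) is also worth turning on once certificates become the only authentication factor, so a compromised router's certificate can be revoked rather than just removed.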