09-25-2009 10:35 AM
I have an IOS router (remote) and an ASA 5510 (central site) doing Lan2Lan IPSEC VPN with pre-shared secrets. I need to convert this to certificate authentication.
The ASA has a static IP and is using a dynamic crypto map. This particular remote also has a static IP but some future remotes will be dynamically addressed (hence the dynamic crypto map on the ASA). The ASA sw version is 8.2(1). Router IOS is 12.4.
I already have my Microsoft CA up and running. Both the ASA and the router have the CA configured and are enrolled to it. The CA cert and their own identity certs are issued and installed.
I want to configure the ASA so when the remote router connects and sees that the router's identity cert contains an "OU" value of "netpki", it sets up the connection using a specific tunnel-group. Right now the connection uses the DefaultL2LGroup. I could continue using that but I wouldn't hesitate to create a new group if that makes more sense.
I've found lots of docs for each of the particular commands used in this but I have yet to find any examples that show how the commands are used to tie everything together. I'm still not even sure if there's anything that I have to change on the router other than changing the isakmp policy from pre-shared to rsa-sig.
Example config bits or links will be much appreciated.
09-25-2009 10:39 AM
Oops... The first sentence of the 4th paragraph was supposed to be:
I want to configure the ASA so when the remote router connects, the ASA sees that the router's identity cert contains an "OU" value of "netpki", it sets up the connection using a specific tunnel-group.
09-25-2009 01:27 PM
I am attaching relevant bits of the ASA config and some debug output.
It looks like the ASA wants to authenticate the cert of the remote, but the authentication "lands on" the DefaultRAGroup instead of the DefaultL2LGroup despite my certificate-map and tunnel-group matching policy attempts.
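The pieces the original post asks about (certificate-based IKE, a certificate map that keys on the OU, and a rule that maps matching certificates to a dedicated L2L tunnel group on an ASA with a dynamic crypto map) fit together as shown below. This is an added example, not the poster's attached config or Cisco documentation: the trustpoint name ASA-TP, the map name NETPKI-MAP, the tunnel group NETPKI-L2L, the transform set ESP-AES-SHA and the crypto map name OUTSIDE-MAP are all assumed names, and the ACL and peer addresses are left out because the page does not give them.

```cisco
! ===== ASA 8.2 side (hub) =====
! Assumed trustpoint already enrolled to the Microsoft CA (per the post).
! 1. IKE phase 1 policy: certificates instead of pre-shared keys.
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

! 2. Certificate map: match identity certs whose subject carries OU=netpki.
!    Sequence 10 is an assumed value; add further rules for other OUs.
crypto ca certificate map NETPKI-MAP 10
 subject-name attr ou eq netpki

! 3. Dedicated L2L tunnel group that these certificates should land on,
!    presenting the ASA's own cert from the assumed trustpoint.
tunnel-group NETPKI-L2L type ipsec-l2l
tunnel-group NETPKI-L2L ipsec-attributes
 trust-point ASA-TP

! 4. Select the tunnel group from the certificate-map rules rather than
!    from the peer's IKE ID, and bind map rule 10 to the tunnel group.
tunnel-group-map enable rules
tunnel-group-map NETPKI-MAP 10 NETPKI-L2L

! 5. Dynamic crypto map, since future spokes will have dynamic addresses.
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! ===== IOS 12.4 side (spoke) =====
! Assumed trustpoint IOS-TP already enrolled; the crypto map, ACL and
! peer address are the existing ones from the pre-shared-key setup.
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
! With rsa-sig the IOS router sends its certificate DN as the IKE identity.
crypto isakmp identity dn
```

Useful checks on the ASA while bringing this up: `show crypto ca certificates` confirms the CA and identity certs are installed, `show running-config tunnel-group-map` shows which rule set is active, and `show vpn-sessiondb l2l` shows which tunnel group an established peer actually landed on. If a peer still ends up on DefaultRAGroup or DefaultL2LGroup, the usual reasons are that the certificate-map rule did not match the subject attribute as written in the certificate, or that the `tunnel-group-map enable rules` selection was not in effect; `debug crypto ca` together with `debug crypto isakmp` shows the attribute comparison and the group that was chosen.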
09-28-2009 10:12 AM
Never mind... I got it.