IPsec VTI + PKI

Unanswered Question
Nov 24th, 2009

I have set up a lab using static VTIs and shared secrets. Now I want to move this to use certs for authentication; is this possible?


Current config is below


crypto isakmp policy 1
 authentication pre-share
crypto isakmp key t3stk3yf0rp0cl4b0nly address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set poc-transform-set-1 esp-aes 256 esp-md5-hmac
 mode transport
!
crypto ipsec profile poc-ipsecprofile1
 set transform-set poc-transform-set-1
!
interface Tunnel200
 ip address 10.169.3.26 255.255.255.252
 keepalive 1 3
 tunnel source Loopback200
 tunnel destination 61.1.1.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile poc-ipsecprofile1
!

jan.nielsen Tue, 11/24/2009 - 19:39

Certainly, once your routers have a certificate, all you need is to remove the wildcard pre-shared key and IKE policy 1, and create one with something like:


crypto isakmp policy 10
 hash md5
 authentication rsa-sig
 encryption aes 256
 group 5
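As an added example (not from the reply above or from Cisco's documentation), here is the rest of what the single IKE policy needs to work on the VTI config in the question: trustpoint enrollment, a certificate map so that only certificates issued by your CA and carrying your OU can bring the tunnel up, and the ISAKMP profile that ties both to the existing IPsec profile. The trustpoint, key pair and map names, the CA URL and the OU string are assumed placeholders for your lab.

```cisco
! Added example, not from the original thread. Assumed names: trustpoint POC-CA,
! key pair POC-VTI-KEY, certificate map POC-VTI-PEERS, OU "POC-VTI"; the CA URL
! is a placeholder.
!
! 1. One-off EXEC steps on each router: key pair, CA trust, enrollment
! crypto key generate rsa label POC-VTI-KEY modulus 2048
! crypto pki authenticate POC-CA      <- compare the CA fingerprint out of band
! crypto pki enroll POC-CA
!
! 2. Trustpoint: which CA to trust; CRL checking lets you revoke a lost router
crypto pki trustpoint POC-CA
 enrollment url http://<ca-address-placeholder>:80
 subject-name CN=vti-router-1,OU=POC-VTI
 revocation-check crl
 rsakeypair POC-VTI-KEY
!
! 3. Only accept peer certificates from this CA that carry our OU
!    (otherwise any certificate the CA ever issued could authenticate)
crypto pki certificate map POC-VTI-PEERS 10
 issuer-name co cn=poc-ca
 subject-name co ou=poc-vti
!
! 4. IKE policy: rsa-sig replaces pre-share. The reply uses md5/group 5;
!    sha/group 14 are preferable where the IOS release supports them.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
!
! 5. ISAKMP profile binds trustpoint and certificate map to the IPsec profile
crypto isakmp profile POC-VTI-IKE
 ca trust-point POC-CA
 match certificate POC-VTI-PEERS
!
crypto ipsec profile poc-ipsecprofile1
 set transform-set poc-transform-set-1
 set isakmp-profile POC-VTI-IKE
!
! 6. Remove the wildcard PSK and old policy once both peers have enrolled
no crypto isakmp key t3stk3yf0rp0cl4b0nly address 0.0.0.0 0.0.0.0
no crypto isakmp policy 1
!
! Verify with: show crypto pki certificates / show crypto isakmp sa
```

The interface Tunnel200 configuration from the question is unchanged; only the authentication behind `tunnel protection` moves from the shared key to the certificates.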
