Unanswered Question
Nov 24th, 2009

I have set up a lab using static VTIs and shared secrets. Now I want to move this to use certs for authentication; is this possible?

Current config is below

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key t3stk3yf0rp0cl4b0nly address
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set poc-transform-set-1 esp-aes 256 esp-md5-hmac
 mode transport
!
crypto ipsec profile poc-ipsecprofile1
 set transform-set poc-transform-set-1
!
interface Tunnel200
 ip address
 keepalive 1 3
 tunnel source Loopback200
 tunnel destination
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile poc-ipsecprofile1

jan.nielsen Tue, 11/24/2009 - 19:39

Certainly, once your routers have a certificate, all you need is to remove the wildcard pre-shared key and the ike policy 1, and create one with something like:

cry isa pol 10
 hash md5
 authen rsa-sig
 encry aes-256
 group 5
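A worked example of the cut-over the answer describes, added here and not part of the original thread or the poster's configuration: the trustpoint enrollment a router needs before it can use rsa-sig, the pre-shared-key lines that come out, the replacement policy, and the show commands that confirm the tunnel authenticated with certificates rather than the old key. The trustpoint name, CA URL, hostnames, key label, the `crypto isakmp identity dn` line and the choice of SHA-1 with DH group 14 are assumptions (the answer itself uses md5 and group 5); the address arguments of the original key line are not on the page, so they appear as a placeholder.

```cisco
! --- 1. Identity the router will present in its certificate (assumed names) ---
hostname r1
ip domain-name poc.example.lab
!
! RSA key pair that the trustpoint will reference (exec mode, run once):
!   crypto key generate rsa label poc-keys modulus 2048
!
crypto pki trustpoint poc-ca
 enrollment url http://ca.poc.example.lab:80
 subject-name CN=r1.poc.example.lab,OU=poc-lab
 revocation-check crl
 rsakeypair poc-keys
!
! Fetch the CA certificate, then request the router certificate (exec mode).
! Compare the CA fingerprint shown by "authenticate" with the value the
! CA operator gave you out of band before accepting it.
!   crypto pki authenticate poc-ca
!   crypto pki enroll poc-ca
!
! --- 2. Remove the wildcard pre-shared key and the pre-share policy ---
! (address arguments exactly as on the router's existing key line)
no crypto isakmp key t3stk3yf0rp0cl4b0nly address <WILDCARD-ADDRESS-FROM-EXISTING-LINE>
no crypto isakmp policy 1
!
! --- 3. Replacement policy: same cipher, certificate authentication ---
! Present the certificate subject (DN) as the IKE identity rather than the
! tunnel source address, so the peer matches on the certificate.
crypto isakmp identity dn
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
crypto isakmp keepalive 10 periodic
!
! The transform set, IPsec profile and Tunnel200 stay exactly as before;
! the profile negotiates with whatever ISAKMP policies are configured.
!
! --- 4. Verify (exec mode) ---
!   show crypto pki certificates poc-ca   -> CA and router certificates present
!   show crypto isakmp sa                 -> peer in state QM_IDLE
!   show crypto isakmp sa detail          -> Auth column reads rsig, not psk
!   show crypto ipsec sa                  -> encaps/decaps counters increasing
```

Two points worth checking before removing the pre-shared key on both ends. First, `revocation-check crl` means each router must be able to reach the CRL distribution point named in the peer's certificate; in a lab where that URL is unreachable the tunnel will not come up, and `revocation-check none` makes it work but also means a revoked peer certificate is still accepted, so only use it knowingly. Second, do the change on both routers in the same maintenance window: once policy 1 is gone on one side and the other still only offers pre-share, the ISAKMP negotiation fails and the `keepalive 1 3` on Tunnel200 will bring the tunnel line protocol down.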