ASA VPN with certificates

Answered Question
Aug 24th, 2010

I'm after a bit of consultation.

I have an ASA 5510 in my hub, static public IP address.

I then have an ASA 5505 as my spoke, with a dynamic IP address.

I have used a dynamic crypto map with PSK and all appears working.

My one concern is that I have been forced to use aggressive mode to make this work. I'm well aware of the security risks.

So I'm looking to use certificates in lieu of aggressive mode.

If I use an internal Windows CA what will happen with revocations?

If my spoke tries to connect but cannot check the CRL because the server is internal to the network, will the VPN connect?

Also, can I set my certificates to be valid for a long time, such as ten years, so that I don't have to worry about certificates expiring?

Correct Answer by Yudong Wu, Tue, 08/24/2010 - 09:16

Answer in line

If I use an internal Windows CA what will happen with revocations?

<<<< If you enable revocation check, you have to make your internal server accessible to the remote spoke.

Otherwise you can disable revocation check.

If my spoke tries to connect but cannot check the CRL because the server is internal to the network, will the VPN connect?

<<<<

Also, can I set my certificates to be valid for a long time, such as ten years, so that I don't have to worry about certificates expiring?

<<<<< It is controlled by the CA server which issues the certificate to the ASA.
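The revocation behaviour the answer describes lives in the trustpoint's `revocation-check` setting on the ASA. The fragment below is an added illustration, not configuration from the original post or from Cisco's documentation; the trustpoint name, the CA host and the CRL URL are made-up placeholders, and the three `revocation-check` lines show the alternatives (only one of them would be active in a real trustpoint).

```cisco
! Hypothetical trustpoint for the internal Windows CA (names/URLs are placeholders)
crypto ca trustpoint HUB-INTERNAL-CA
 enrollment terminal
 !
 ! Option 1: strict. The spoke must fetch the CRL at tunnel setup;
 ! if the internal CRL server is unreachable, certificate validation fails
 ! and the tunnel does not come up. Requires the CRL host to be reachable
 ! from the spoke's public side (or published on an externally reachable URL).
 revocation-check crl
 !
 ! Option 2: CRL with fallback. Try the CRL; if it cannot be retrieved,
 ! fall through to "none" and accept the certificate anyway. Note that a
 ! revoked certificate is then still accepted whenever the CRL is unreachable.
 revocation-check crl none
 !
 ! Option 3: what the answer calls "disable revocation check".
 ! No CRL or OCSP lookup at all; a revoked certificate keeps working
 ! until it expires, so pair this with short validity periods.
 revocation-check none
 !
 ! Where to fetch the CRL when CRL checking is enabled. "policy static"
 ! uses the URL below instead of the CDP embedded in the certificate.
 crl configure
  policy static
  url 1 http://crl.internal.example/CertEnroll/HUB-INTERNAL-CA.crl
```

Whichever option is chosen, the certificate validity period itself is not set on the ASA: the Windows CA's certificate template decides it when the certificate is issued, which is the point of the last answer above. A long validity with `revocation-check none` means a lost or compromised spoke certificate stays usable for that whole period, so the usual trade-off is either a reachable CRL (option 1 or 2) or short-lived certificates with routine re-enrollment.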
