Hi, I have a situation I am not sure how I should implement, and I need some help to better understand how certificate authentication for IPsec works.

The ASA has an SSL certificate signed by a well-known third party. The trustpoint for this third-party CA, the certificate of the third-party CA, and the identity certificate of this ASA signed by this CA are configured/installed on the ASA. SSL remote-access VPN is working fine. A pre-shared key has been used for authentication of IPsec site-to-site and remote-access VPN.

We now have an application that requires certificate authentication for IPsec remote-access VPN. We run our internal Windows CA server, and the new IPsec remote clients will enroll to and get certificates from this internal CA. In order for certificate authentication to work, can I simply configure another trustpoint pointing to this internal CA on the ASA and install the well-known third-party CA on the clients? In a sense, will certificate authentication work if the ASA and client identity certificates are issued by different CAs, given that the CAs are trusted by each other?

Or, can I install a second identity certificate issued by the internal CA and let ISAKMP trust this CA? This way the ASA and clients can have the same CA. Logically this should be doable; I just want to make sure that installing a second identity cert won't affect the existing working SSL VPN.
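The following ASA configuration is an added example, not from the original post or from Cisco; it sketches the second option asked about above (a second identity certificate from the internal CA, bound only to the IPsec remote-access tunnel group) and comments on the first (ASA keeps its public certificate, clients use internal-CA certificates). All names are assumptions: the trustpoint names PUBLIC-CA and INTERNAL-CA, the key-pair labels, the subject vpn.example.com, and the tunnel group RA-CERT with its pool and group policy.

```text
! --- Existing SSL VPN trustpoint (third-party CA): left exactly as it is ---
crypto ca trustpoint PUBLIC-CA
 enrollment terminal
 keypair PUBLIC-KEY
ssl trust-point PUBLIC-CA outside

! --- New key pair and trustpoint for the internal Windows CA (hypothetical names) ---
crypto key generate rsa label INTERNAL-KEY modulus 2048
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 subject-name CN=vpn.example.com,O=Example
 keypair INTERNAL-KEY
 crl configure
! 1. paste the internal CA's certificate (the ASA now trusts client certs issued by it)
crypto ca authenticate INTERNAL-CA
! 2. print a CSR, sign it on the Windows CA, then paste the issued cert back in
crypto ca enroll INTERNAL-CA
crypto ca import INTERNAL-CA certificate

! --- Bind the internal trustpoint only to the IPsec remote-access tunnel group ---
tunnel-group RA-CERT type remote-access
tunnel-group RA-CERT general-attributes
 address-pool RA-POOL
 default-group-policy RA-POLICY
tunnel-group RA-CERT ipsec-attributes
 ! IKEv1/ISAKMP clients: trustpoint whose identity cert the ASA presents
 trust-point INTERNAL-CA
 ! IKEv2 (AnyConnect IPsec) clients: require a client cert, present the internal one
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate INTERNAL-CA

! Variant for the first option (different CAs on each side): skip "crypto ca enroll"
! and "crypto ca import" above, keep only "crypto ca authenticate INTERNAL-CA", and
! point local authentication at the existing public trustpoint instead:
!  trust-point PUBLIC-CA
!  ikev2 local-authentication certificate PUBLIC-CA
! The clients must then trust the third-party CA that issued the ASA's certificate.
```

The certificate the ASA presents for IKE is chosen per tunnel group (trust-point for IKEv1, ikev2 local-authentication certificate for IKEv2), while the SSL VPN certificate is chosen by ssl trust-point; adding INTERNAL-CA does not change the latter. Each peer only has to trust the CA that issued the other side's certificate, so either layout works; if clients should land in RA-CERT automatically based on their certificate, add a crypto ca certificate map and tunnel-group-map rule, and confirm the result with show crypto ca certificates and show crypto ikev2 sa (or show crypto isakmp sa).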