Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

How to configure a LAN-to-LAN IPSec tunnel with self-signed certificates on the router

Core issue

Self-signed certificates work only with a Secure Sockets Layer (SSL) connection and fail when IPSec is used.


IPSec LAN-to-LAN tunnels do not work with self-signed certificates on routers.

Once both routers have signed their own certificates (acting as a Certificate Authority (CA) for their own certificates), they do not trust each other because the certificate signing authority is not the same. Self-signed certificates work for SSL connections, but they do not work with the Internet Security Association and Key Management Protocol (ISAKMP) or IPSec Rivest, Shamir, and Adelman (RSA) signature implementation because the CA is required to sign or authenticate the certificates.

For more details, refer to Router-to-Router IPSec (RSA Keys) on GRE Tunnel with RIP Configuration Example.

Note: A CA is recommended. Otherwise, certificates must be transported to each router manually. This is similar to authentication using RSA encryption, where public keys must be transferred to each router.

Version history
Revision #:
1 of 1
Last update:
‎06-17-2009 10:14 PM
Updated by:
Labels (1)