Can somebody tell me if it's possible to back up a vpn3000 config and its certificate/generated keys in case of hardware failure? If not, I have to generate new keys, get a new certificate and tell this to all my clients, routers, firewalls? (which sounds horrible!).
Correct me if I am wrong, but I think it is not possible to back up the private key generated by the failed hardware, be it VPN3000, routers or PIXes, because it is always hidden and can't be viewed from the menu or console. I don't see any menu on the VPN3000 to back up its own private key. Even if you have the VPN3000's certificate, it seems like it is not possible to restore it. So, the new hardware replacing the failed one has to generate a new private key and get a public key certified by its trusted root CA. One doesn't need to announce this new certificate to all clients of the new hardware (routers, firewalls). If there is a need to create a VPN tunnel between the new hardware and the other side, the two VPN devices will authenticate themselves using the certificates. If the peer's certificate is issued by its trusted CA, then the device will trust the certificate (and vice-versa) and continue to the next phase of negotiation.
It is possible to manually back up the certificates with private keys from the VPN3k web-interface.
1. Log into the web-administration
2. Navigate to Administration->Certificate Management
3. Select Export for the certificate you wish to back up.
4. The VPN3k will request a password to encrypt the private RSA key.
5. When you enter the password and click export, the certificate and key will be saved as CERTEXP.TXT on the VPN3K flash and it will try to pop up a window showing the data. Copy this data and store it somewhere; remember the key.
That exported certificate can be imported to the VPN3k via the Certificate Management->Installation section using the Import SSL certificate with private key link.
The export/import format that the VPN3k uses is not a standard PKCS12; it is a PKCS8 encrypted private key in Base64 with the X509 certificate in base64 encoding.
I don't think the XML Export option gives you the certificates, so to have a full backup you would need both items.
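A structural check for a stored copy of the export described in the reply above, so that a damaged or incomplete backup is noticed before it is needed. This is an added example, not part of the thread and not Cisco code; the PEM-style armor labels, the function names and the sample data are assumptions, since the thread only states that the file holds a Base64 PKCS8 encrypted key and a Base64 X509 certificate.

```python
import base64
import re
# Assumption: each Base64 section is wrapped in PEM-style BEGIN/END armor lines.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def tlv(buf, off=0):
    """Parse one DER element at off; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, off, off + length

def child_tags(der):
    """Return (tag1, tag2, len2) for the first two children of the outer SEQUENCE."""
    tag, start, end = tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    t1, _, e1 = tlv(der, start)
    t2, s2, e2 = tlv(der, e1)
    return t1, t2, e2 - s2

def check_export(text):
    """Return a list of problems; an empty list means the backup is structurally complete."""
    blocks, problems = {}, []
    for label, body in PEM_RE.findall(text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
            blocks.setdefault(label, []).append(child_tags(der))
        except (ValueError, IndexError) as exc:
            problems.append(f"{label}: {exc}")
    if "PRIVATE KEY" in blocks or "RSA PRIVATE KEY" in blocks:
        problems.append("private key is stored unencrypted")
    keys = blocks.get("ENCRYPTED PRIVATE KEY", [])  # SEQUENCE { AlgorithmIdentifier, OCTET STRING }
    if not any(t1 == 0x30 and t2 == 0x04 and n > 0 for t1, t2, n in keys):
        problems.append("no well-formed encrypted PKCS#8 key")
    certs = blocks.get("CERTIFICATE", [])  # SEQUENCE { tbsCertificate, signatureAlgorithm, ... }
    if not any(t1 == 0x30 and t2 == 0x30 for t1, t2, _ in certs):
        problems.append("no well-formed X.509 certificate")
    return problems

def _der(tag, *parts):  # builds the constructed sample DER below (short-form lengths only)
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)
def _pem(label, der):
    return f"-----BEGIN {label}-----\n{base64.b64encode(der).decode()}\n-----END {label}-----\n"
# Constructed placeholder structures, not real key or certificate material.
SAMPLE_KEY = _der(0x30, _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x05\x0d")), _der(0x04, b"\x00" * 16))
SAMPLE_CERT = _der(0x30, _der(0x30, b"\x02\x01\x01"), _der(0x30), _der(0x03, b"\x00"))
GOOD = _pem("ENCRYPTED PRIVATE KEY", SAMPLE_KEY) + _pem("CERTIFICATE", SAMPLE_CERT)
```

The check only confirms that both parts are present and parse as DER; it does not decrypt the key, so the export password still has to be tested by an actual import.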