Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

AnyConnect to IOS Headend who is Also CA?

Hello all,


I am trying to configure up a 2911 via the following link...

(AnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example)


The only difference, is that I need the IOS router in the example (bsns-1941-4) to also be the IOS CA router (unlike the example which uses a different router, bsns-1941-3, as the CA).  I am new to Client VPN and Certs so I am not sure what I am missing.


Is that even possible?  Can a VPN headend use a certificate from itself (because it is the CA)?  If so, what would that part of the configuration look like?





Everyone's tags (2)
Cisco Employee

Hi Ian,

Hi Ian, Yes, you can do that. It's probably not the best idea for a big deployment :-) What you should do is enable IOS CA and create a new trustpoint using SCEP URL or local router. You will need to authenticate and enroll that trustpoint and reference it in the IKEv2 profile. M.
New Member

Thanks Marcin.  I will give

Thanks Marcin.  Yeah, it is our OOB router so only about 4 people will be using it - not large at all.  :-)  I would have used another router as the CA but it is the only IOS router in the install (everything else is running NX-OS)


Do you have a good link on the CA set-up and enrolement procedure?  I tried the link below but the 2911 does not have any of the "crypto ca" commands...



New Member

Nevermind - replacing the "ca

Nevermind - replacing the "ca" with "pki"