Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
441
Views
0
Helpful
3
Replies

AnyConnect to IOS Headend who is Also CA?

ihadfield
Level 1
Level 1

‎03-11-2014 10:25 AM - edited ‎02-21-2020 07:33 PM

Hello all,

 

I am trying to configure up a 2911 via the following link...

 

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115014-flexvpn-guide-cert-00.html

(AnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example)

 

The only difference, is that I need the IOS router in the example (bsns-1941-4) to also be the IOS CA router (unlike the example which uses a different router, bsns-1941-3, as the CA).  I am new to Client VPN and Certs so I am not sure what I am missing.

 

Is that even possible?  Can a VPN headend use a certificate from itself (because it is the CA)?  If so, what would that part of the configuration look like?

 

Thanks!

Ian

 

Labels:
0 Helpful
3 Replies 3

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎03-12-2014 12:42 AM

Hi Ian, Yes, you can do that. It's probably not the best idea for a big deployment :-) What you should do is enable IOS CA and create a new trustpoint using SCEP URL or local router. You will need to authenticate and enroll that trustpoint and reference it in the IKEv2 profile. M.
0 Helpful

ihadfield
Level 1
Level 1
In response to Marcin Latosiewicz

‎03-13-2014 06:17 AM

Thanks Marcin.  Yeah, it is our OOB router so only about 4 people will be using it - not large at all.  :-)  I would have used another router as the CA but it is the only IOS router in the install (everything else is running NX-OS)

 

Do you have a good link on the CA set-up and enrolement procedure?  I tried the link below but the 2911 does not have any of the "crypto ca" commands...

 

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/50282-ios-ca-ios.html

 

Thanks

0 Helpful

ihadfield
Level 1
Level 1
In response to ihadfield

‎03-13-2014 07:29 AM

Nevermind - replacing the "ca" with "pki"

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents