(AnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example)
The only difference is that I need the IOS router in the example (bsns-1941-4) to also be the IOS CA router (unlike the example, which uses a different router, bsns-1941-3, as the CA). I am new to client VPN and certs, so I am not sure what I am missing.
Is that even possible? Can a VPN headend use a certificate from itself (because it is the CA)? If so, what would that part of the configuration look like?
Yes, you can do that. It's probably not the best idea for a big deployment :-)
What you should do is enable IOS CA and create a new trustpoint using SCEP URL or local router.
You will need to authenticate and enroll that trustpoint and reference it in the IKEv2 profile.
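The steps in the answer above, written out as an IOS configuration (an added example, not taken from the thread or from the Cisco document the question refers to). On current IOS the commands are `crypto pki ...`, not the older `crypto ca ...`. The router's own address (192.0.2.1, a documentation address), the CA and trustpoint names, the key label and the DNs are assumptions; the rest of the AnyConnect headend (IPsec profile, virtual template, address pool, AAA) is unchanged from the referenced configuration example and is not repeated here.

```ios
! --- 1. Enable the IOS CA on the same router (bsns-1941-4) ---
! SCEP is served over HTTP, so the HTTP server must be on.
ip http server
!
crypto pki server IOS-CA
 database level names
 database url flash:
 issuer-name CN=bsns-1941-4-ca,O=Example        ! assumed DN
 hash sha256
 lifetime ca-certificate 1825
 lifetime certificate 365
 grant auto                                     ! fine for ~4 users; a larger
                                                ! deployment should grant manually
 no shutdown
! "no shutdown" prompts for a passphrase that protects the CA key.
! Enabling the server auto-creates a trustpoint also named IOS-CA that
! holds the CA's self-signed certificate.
!
! --- 2. Create a separate trustpoint for the headend's own certificate ---
! The enrollment URL points at the router's own interface address
! (assumed 192.0.2.1); the box enrolls to itself over SCEP.
crypto pki trustpoint HEADEND
 enrollment url http://192.0.2.1:80
 subject-name CN=bsns-1941-4.example.com,O=Example   ! assumed DN
 revocation-check none
 rsakeypair HEADEND-KEY 2048
!
! --- 3. Authenticate (fetch the CA cert) and enroll (get the ID cert) ---
! These are exec commands, not config lines:
!   crypto pki authenticate HEADEND
!   crypto pki enroll HEADEND
! With "grant auto" the request is signed immediately; leave the
! challenge password blank when prompted.
!
! --- 4. Reference the trustpoint in the IKEv2 profile ---
crypto ikev2 profile IKEV2-ANYCONNECT
 match identity remote any
 identity local dn
 authentication local rsa-sig
 authentication remote rsa-sig
 pki trustpoint HEADEND
 virtual-template 1
!
! --- Checks ---
!   show crypto pki server              -> State: enabled
!   show crypto pki certificates HEADEND -> CA cert plus a router cert
!                                           issued by CN=bsns-1941-4-ca
```

The same trustpoint (HEADEND) both presents the router's certificate and, because it was authenticated against IOS-CA, validates the AnyConnect clients' certificates, which you issue from the same CA (for example through the client's own SCEP enrollment, or by exporting a PKCS#12).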
Thanks Marcin. Yeah, it is our OOB router, so only about 4 people will be using it - not large at all. :-) I would have used another router as the CA, but it is the only IOS router in the install (everything else is running NX-OS).
Do you have a good link on the CA setup and enrollment procedure? I tried the link below, but the 2911 does not have any of the "crypto ca" commands...