ASA (v9.1) Site To Site VPN with IKEv2 and MS SCEP/NDES Certificates
I'm currently troubleshooting an issue with a Site to Site VPN with IKEv2 and certificates as the authentication method.
Here is the setup:
We have three locations with an any-to-any layer 2 connection. I set up each ASA (ASA5510 ver 9.1) to establish a Site to Site VPN connection to the other two locations. Setting this up with pre-shared keys, or with certificates which are manually signed by the MS CA administrator, works fine.
But when we try to enroll those certificates via SCEP/NDES it's not working.
Here are my Steps:
1. Configure the CA Trustpoint to request the CA certificate
2. Request the CA Certificate via SCEP is working fine
3. Configure a Trustpoint and Keypair for the S2S-VPN Connection
4. Request the identity certificate from the CA via SCEP with a one-time password (working fine)
5. Set the created trustpoint as authentication method for the IKEv2 S2S-VPN.
Now I have done this also for the other side of the VPN tunnel. But when I try to ping a host which is at the other location to bring up the VPN tunnel, the VPN session is not established. In the debugs I can see that there are some issues during authentication of the remote peer.
On the MS CA I can see that the identity certificates for both ASAs are issued and are neither revoked nor in pending state. The certificates were issued based on the "IPSec (Offline)" template.
When the CA admin and I issue a certificate manually based on a template copied from "Domain Controller", the connection is established successfully.
So I'd like to know which is the correct certificate template for IPsec peers to use with SCEP and an MS Enterprise CA (it's a Microsoft 2008 R2 Enterprise Server)?
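For reference, here is an added example of the five steps above as an ASA 9.1 configuration for one side of the tunnel. It is not the poster's configuration; the hostnames, trustpoint and key names, the NDES URL, the example.com names and the 203.0.113.x / 10.x.0.0 addresses are all hypothetical placeholders.

```cisco
! Added example, not the original poster's config. All names and addresses are placeholders.
! Site 1 ASA, outside 203.0.113.1, peering with the Site 2 ASA at 203.0.113.2.

! --- Steps 1-2: CA trustpoint, fetch the CA certificate via SCEP (NDES default URL) ---
crypto ca trustpoint MSCA
 enrollment url http://ndes.example.com/certsrv/mscep/mscep.dll
 crl configure
crypto ca authenticate MSCA
! Compare the fingerprint the ASA prints with the one the CA admin gives you before accepting.

! --- Step 3: dedicated RSA keypair and trustpoint for the S2S identity certificate ---
crypto key generate rsa label S2S-KEY modulus 2048
crypto ca trustpoint S2S-TP
 enrollment url http://ndes.example.com/certsrv/mscep/mscep.dll
 enrollment retry period 1
 enrollment retry count 5
 subject-name CN=asa-site1.example.com,OU=VPN,O=Example
 fqdn asa-site1.example.com
 keypair S2S-KEY
 crl configure

! --- Step 4: authenticate the trustpoint, then enroll; the prompt asks for the NDES one-time challenge password ---
crypto ca authenticate S2S-TP
crypto ca enroll S2S-TP

! --- Step 5: IKEv2 site-to-site tunnel authenticated with the enrolled certificate ---
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 enable outside

crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256

access-list SITE2-TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

crypto map OUTSIDE-MAP 10 match address SITE2-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map OUTSIDE-MAP interface outside

tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate S2S-TP

! --- Checks after enrollment and when the tunnel fails to authenticate ---
! show crypto ca certificates S2S-TP
! debug crypto ikev2 protocol 127
! debug crypto ikev2 platform 127
```

The same configuration, with the peer address, subject name and fqdn swapped, goes on the other ASA; both sides must have authenticated the same issuing CA. When a certificate from one template works and one from another does not, the first thing to compare in `show crypto ca certificates` output on both ASAs is the Key Usage and Extended Key Usage of the two identity certificates, since that is where the "IPSec (Offline request)" and "Domain Controller" templates differ. Note also that NDES on Windows Server 2008 R2 does not take the template from the SCEP request: it uses the template names stored under HKLM\SOFTWARE\Microsoft\Cryptography\MSCEP (EncryptionTemplate, SignatureTemplate and GeneralPurposeTemplate, which default to IPSECIntermediateOffline), so switching the template for SCEP-enrolled ASAs means changing those registry values on the NDES server and restarting IIS rather than changing anything on the ASA.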