Cisco Support Community
ASA VPN with certificates

I'm after a bit of consultation.

I have an ASA 5510 in my hub, with a static public IP address.

I then have an ASA 5505 as my spoke, with a dynamic IP address.

I have used a dynamic crypto map with PSK and all appears to be working.

My one concern is that I have been forced to use aggressive mode to make this work. I'm well aware of the security risks.

So I'm looking to use certificates in lieu of aggressive mode.

If I use an internal Windows CA, what will happen with revocations?

If my spoke tries to connect but cannot check the CRL because the server is internal to the network, will the VPN connect?

Also, can I set my certificates to be valid for a long time, such as ten years, so that I don't have to worry about certificates expiring?

Accepted Solution

Re: ASA VPN with certificates

Answer inline

If I use an internal Windows CA, what will happen with revocations?

<<<< If you enable revocation check, you have to make your internal server accessible to the remote spoke.

Otherwise you can disable revocation check.

If my spoke tries to connect but cannot check the CRL because the server is internal to the network, will the VPN connect?

<<<<

Also, can I set my certificates to be valid for a long time, such as ten years, so that I don't have to worry about certificates expiring?

<<<<< It is controlled by the CA server which issues the certificate to the ASA.
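To make the revocation-check behaviour from the answer concrete, here is an added hub-side configuration example that is not part of the original thread and not taken from Cisco documentation. It assumes ASA 8.4+ CLI syntax, a Windows CA whose CRL is published at http://ca.example.internal/CertEnroll/Example-CA.crl, and the names INTERNAL-CA, SPOKE-CERT-MAP, SPOKE-L2L, OUTSIDE-MAP and DYN-MAP, all of which are hypothetical. It shows the three revocation-check settings side by side, the certificate-to-tunnel-group mapping that lets a dynamic-IP spoke authenticate in main mode without a pre-shared key, and the dynamic crypto map that still accepts the unknown source address. Certificate lifetime is not set here at all; as the answer says, it comes from the CA (on a Windows CA, the validity period of the certificate template used for enrolment).

```cisco
! Added example (not from the original post): hub ASA 5510, IKEv1 main mode
! with RSA signatures for a spoke on a dynamic IP. Names and URLs are assumed.

! 1. Trustpoint for the internal Windows CA (CA cert pasted via "crypto ca authenticate").
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 subject-name CN=hub-asa.example.internal,O=Example
 keypair HUB-RSA
 ! "revocation-check crl none" = try the CRL, accept the peer if it cannot be fetched (fail-open).
 ! "revocation-check crl"      = tunnel is refused when the CRL cannot be fetched (fail-closed).
 ! "revocation-check none"     = never check revocation.
 revocation-check crl none
 crl configure
  policy static
  url 1 http://ca.example.internal/CertEnroll/Example-CA.crl
  cache-time 60

! 2. Identify the spoke by its certificate subject, not by its (changing) IP address.
crypto ca certificate map SPOKE-CERT-MAP 10
 subject-name attr cn eq spoke-asa.example.internal
 issuer-name attr cn eq Example-CA

tunnel-group SPOKE-L2L type ipsec-l2l
tunnel-group SPOKE-L2L ipsec-attributes
 ikev1 trust-point INTERNAL-CA
tunnel-group-map enable rules
tunnel-group-map SPOKE-CERT-MAP 10 SPOKE-L2L

! 3. IKEv1 policy with certificate authentication; main mode is the default for rsa-sig.
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp identity auto
crypto ikev1 enable outside

! 4. Dynamic crypto map so the hub accepts the spoke from any source address.
crypto ipsec ikev1 transform-set AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
```

The spoke enrols in the same CA, points its own trustpoint at the same CRL URL, and uses a static crypto map with the hub's public address as peer. If the CRL server stays on the internal network, the spoke can only reach it once the tunnel is up, so on the spoke either the fail-open setting shown above or a CRL published on an externally reachable host is needed; with "revocation-check crl" the spoke would refuse to bring up the tunnel it needs to fetch the CRL. Checking the cached CRL on either box is done with "show crypto ca crls", and "debug crypto ca" will show a CRL fetch failing during the IKE exchange.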
