Configuring Site to Site IPSec with CA support

I'm going through an MPLS cloud to connect to a remote router. I therefore want to configure IPSec with CA support to secure my VPN link. After configuring IPSec and the CA, I noticed that the CA server is not issuing a new certificate to the routers but gives its own (server) certificate, and hence IPSec is not encrypting traffic. What could I be doing wrong? Find attached the config of the routers.

2 REPLIES
Re: Configuring Site to Site IPSec with CA support

Could you find what was wrong? Thanks.

Re: Configuring Site to Site IPSec with CA support

Your configuration looks like an interesting blend of authentication options. You say that you want to use certificates, so here goes:

1. In your ISAKMP policy, you shouldn't need to specify an authentication method, because certificates are the default.

2. If you are using certificates, there are two processes that you need to complete with the CA: the authentication phase (crypto ca authenticate domain.name) and an enrollment phase (crypto ca enroll domain.name). When you complete the first phase, you receive the CA certificate, as appears in your key chain; you won't receive your router's own certificate until you complete the enrollment phase.

Like I said, I'm a little concerned that you have a mix of authentication commands on your router. If you are looking at a single point-to-point encrypted link, then encrypted nonces may be a better option than certificates, as they don't require any trust in a third party (the CA).
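As an added illustration (not the original poster's attached configs), the trustpoint setup, the two-phase CA exchange described in the reply above, and the check that tells the two phases apart; the hostname, domain name, CA URL and trustpoint name are assumed placeholders.

```cisco
! Hostname and domain name must be set before the RSA key pair is generated,
! because they form the router's default subject name.
hostname R1
ip domain-name example.net
! RSA key pair that the router's own certificate will bind to (assumed size)
crypto key generate rsa modulus 2048
!
! Trustpoint pointing at the CA (URL is an assumed placeholder)
crypto ca trustpoint MYCA
 enrollment url http://ca.example.net:80
 subject-name CN=R1.example.net
 revocation-check crl
!
! Phase 1: fetch the CA's own certificate. Compare the displayed fingerprint
! with the CA operator out-of-band before accepting it. After this step the
! router holds only the CA certificate, which is exactly what the original
! poster observed.
crypto ca authenticate MYCA
!
! Phase 2: send a certificate request for this router. Once the CA approves
! it, the router's own certificate is installed. Without this step IKE has
! no identity certificate to present, so no IPsec SA is ever built.
crypto ca enroll MYCA
!
! Certificates (rsa-sig) are the default ISAKMP authentication method, so no
! 'authentication' line is needed here; leaving out pre-shared keys and
! nonces avoids the mixed configuration the reply warns about.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 group 14
!
! Verification: the output must contain both a "CA Certificate" entry and a
! router "Certificate" entry. A CA entry alone means enrollment never
! completed, and IKE negotiation will fail rather than fall back to cleartext.
! show crypto ca certificates
! show crypto isakmp sa
! show crypto ipsec sa
```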
