
IPsec VTI + PKI

I have set up a lab using static VTIs and shared secrets. Now I want to move this to use certs for authentication; is this possible?

Current config is below:

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key t3stk3yf0rp0cl4b0nly address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set poc-transform-set-1 esp-aes 256 esp-md5-hmac
 mode transport
!
crypto ipsec profile poc-ipsecprofile1
 set transform-set poc-transform-set-1
!
interface Tunnel200
 ip address 10.169.3.26 255.255.255.252
 keepalive 1 3
 tunnel source Loopback200
 tunnel destination 61.1.1.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile poc-ipsecprofile1
!

1 REPLY

Re: IPsec VTI + PKI

Certainly, once your routers have a certificate, all you need is to remove the wildcard pre-shared key and the IKE policy 1, and create one with something like:

crypto isakmp policy 10
 hash md5
 authentication rsa-sig
 encryption aes 256
 group 5

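The PSK-to-certificate change the reply describes, laid out as a complete configuration for the Tunnel200 setup above. This is an added example written for this thread, not the replier's own config: the trustpoint name LAB-CA, the CA URL 192.0.2.10, the key label, certificate map and subject strings are assumptions, and it uses sha and group 14 (available on 12.4(15)T and later) instead of the md5 and group 5 shown in the reply, because those are the weaker choices.

```ios
! Added example: moving the Tunnel200 VTI from the wildcard pre-shared key to
! certificate (rsa-sig) authentication. Names, URL and subject strings are assumptions.
!
! 1. Key pair and enrolment (global config mode; authenticate/enroll prompt interactively).
crypto key generate rsa modulus 2048 label VTI-PKI-KEY
crypto pki trustpoint LAB-CA
 enrollment url http://192.0.2.10:80
 subject-name CN=vti-router-a.lab.example,O=POC Lab
 revocation-check crl
 rsakeypair VTI-PKI-KEY
! Import the CA certificate (compare the fingerprint it prints with the CA's), then request our own.
crypto pki authenticate LAB-CA
crypto pki enroll LAB-CA
!
! 2. Remove the wildcard PSK and policy 1; add an rsa-sig policy in their place.
no crypto isakmp key t3stk3yf0rp0cl4b0nly address 0.0.0.0 0.0.0.0
no crypto isakmp policy 1
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
crypto isakmp keepalive 10 periodic
crypto isakmp identity dn
!
! 3. Only accept peer certificates issued by this CA whose subject carries the lab's O=.
!    Without an ISAKMP profile, IOS validates the peer against any configured trustpoint.
crypto pki certificate map POC-PEERS 10
 subject-name co o = poc lab
crypto isakmp profile VTI-PKI-PROF
 ca trust-point LAB-CA
 match certificate POC-PEERS
!
! 4. Bind the profile; the transform set, IPsec profile and tunnel protection are otherwise unchanged.
crypto ipsec profile poc-ipsecprofile1
 set transform-set poc-transform-set-1
 set isakmp-profile VTI-PKI-PROF
!
! Verify: show crypto pki certificates (router and CA certs present),
!         show crypto isakmp sa (QM_IDLE with 61.1.1.6), show crypto session.
```

The same steps are applied on the 61.1.1.6 peer with its own subject name; the PSK line is only safe to remove once both sides have enrolled, so stage the change on the remote peer first or during a window where the tunnel can drop.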