Lan2Lan with certificate authentication matching cert "OU"

darthnul
Level 1

I have an IOS router (remote) and an ASA 5510 (central site) doing Lan2Lan IPSEC VPN with pre-shared secrets. I need to convert this to certificate authentication.

The ASA has a static IP and is using a dynamic crypto map. This particular remote also has a static IP but some future remotes will be dynamically addressed (hence the dynamic crypto map on the ASA). The ASA sw version is 8.2(1). Router IOS is 12.4.

I already have my Microsoft CA up and running. Both the ASA and the router have the CA configured and are enrolled to it. The CA cert and their own identity certs are issued and installed.

I want to configure the ASA so when the remote router connects and sees that the router's identity cert contains an "OU" value of "netpki", it sets up the connection using a specific tunnel-group. Right now the connection uses the DefaultL2LGroup. I could continue using that but I wouldn't hesitate to create a new group if that makes more sense.

I've found lots of docs for each of the particular commands used in this but I have yet to find any examples that show how the commands are used to tie everything together. I'm still not even sure if there's anything that I have to change on the router other than changing the isakmp policy from pre-shared to rsa-sig.

Example config bits or links will be much appreciated.

3 Replies

darthnul
Level 1

Oops... The first sentence of the 4th paragraph was supposed to be:

I want to configure the ASA so when the remote router connects, the ASA sees that the router's identity cert contains an "OU" value of "netpki", it sets up the connection using a specific tunnel-group.

darthnul
Level 1

I am attaching relevant bits of the ASA config and some debug output.

It looks like the ASA wants to authenticate the cert of the remote, but the authentication "lands on" the DefaultRAGroup instead of the DefaultL2LGroup despite my certificate-map and tunnel-group matching policy attempts.

Never mind... I got it.
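The pieces the original post asks to see tied together, as an added example that is not the poster's configuration and not taken from the attachments mentioned in the last reply: an ASA certificate map that matches the router's identity certificate on OU=netpki, a tunnel-group-map rule that sends a matching peer to a dedicated ipsec-l2l tunnel-group, the rsa-sig ISAKMP policy, and the dynamic crypto map for dynamically addressed remotes. Every name here (NETPKI-MAP, TG-NETPKI, MS-CA, TS-AES, DYN-MAP, OUTSIDE-MAP) is an assumed placeholder; the interface is assumed to be called outside and the trustpoint is assumed to already be enrolled, as the post states.

```cisco
! ===== ASA 5510 (central site) - added example, assumed names =====
!
! Phase 1: switch from pre-shared keys to certificate (rsa-sig) authentication.
crypto isakmp enable outside
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
!
! Certificate map: match peers whose identity cert subject has OU=netpki.
! Several "subject-name attr" lines under one sequence number are ANDed;
! a second sequence number (e.g. 20) would be a separate, ORed rule.
crypto ca certificate map NETPKI-MAP 10
 subject-name attr ou eq netpki
!
! Tell the ASA to select the tunnel-group from certificate-map rules.
! Peers whose cert matches no rule fall back to the default tunnel-groups,
! which is the behaviour seen in the reply above ("lands on" a default group).
tunnel-group-map enable rules
tunnel-group-map NETPKI-MAP 10 TG-NETPKI
!
! Dedicated LAN-to-LAN tunnel-group for certificate-authenticated routers.
! The trust-point names the (assumed, already enrolled) trustpoint whose
! identity cert the ASA presents to the peer.
tunnel-group TG-NETPKI type ipsec-l2l
tunnel-group TG-NETPKI ipsec-attributes
 trust-point MS-CA
!
! Phase 2: dynamic crypto map so remotes with changing addresses can connect.
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set TS-AES
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! ===== IOS router (remote) - added example =====
!
! On the router side the change the post suspects is the main one: the
! ISAKMP policy moves to rsa-sig. The trustpoint (assumed name MS-CA) is
! already enrolled per the post, and its identity cert must carry OU=netpki
! in the subject for the ASA rule above to match.
crypto isakmp policy 10
 encr aes
 hash sha
 authentication rsa-sig
 group 2
```

To check which tunnel-group a peer actually landed on, `show crypto isakmp sa detail` on the ASA lists the negotiated SA, and `show vpn-sessiondb l2l` shows the session with its tunnel-group name; if a certificate-authenticated peer shows up under DefaultL2LGroup or DefaultRAGroup, the certificate map did not match and the OU value in the presented certificate is the first thing to compare against the map.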
