Cisco Support Community
New Member

Site-to-Site VPN with certificates

Hi everyone,

I have a remote user with an ASA-5505 which needs to establish vpn tunnels to two different ASA-5520's. The remote user has a dynamic IP for his outside address.

I can configure it to work with DefaultL2LGroup for the pre-shared-key, but that creates security conflicts with my remote VPN users which use DefaultL2LGroup.

Is there a way to use digital certificates which I can generate from each ASA-5520, and manually import the public keys into the ASA-5505?

I do have multiple ASA-5505's, but each only has to establish tunnels to the two different 5520's.

All the documentation I can find uses a Microsoft CA, and I want to set this up (unless it's a security breach) without one.

Is there a way to do this like with SSH where I can copy the public key to the remote end?

Thanks,

Carlos

1 REPLY
Cisco Employee

Re: Site-to-Site VPN with certificates

Carlos,

Yes you can.

ASA supports both SCEP and copy-and-paste enrollment methods.

http://www.aboutcisco.biz/en/US/products/ps6120/products_configuration_example09186a00808a61cd.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

Please note that CRL/OCSP has to be publicly available in a scenario like this (or checking disabled).

Marcin

edit: spelling and added links.
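As an added worked example (not part of Marcin's reply or of the linked Cisco documents), the following ASA 8.2-era CLI shows the copy-and-paste approach he describes applied to Carlos's setup: each ASA issues itself a self-signed identity certificate, the certificates are exchanged by pasting PEM text into a terminal-enrollment trustpoint on the other side, and the 5520 maps the 5505's certificate subject to its own tunnel group so that the pre-shared-key DefaultL2LGroup is no longer involved. Hostnames, trustpoint names, interface names, the 192.0.2.1 hub address and the 10.x subnets are assumptions for illustration; on ASA 8.4 and later the `trust-point` line under `ipsec-attributes` is spelled `ikev1 trust-point`.

```cisco
! Added example, not from the original thread. Names/addresses are assumptions.
!
! ==== ASA-5520 (hub, static outside IP 192.0.2.1) ====
!
! 1. Self-signed identity certificate for the hub.
crypto key generate rsa label HQ-KEY modulus 2048
crypto ca trustpoint HQ-TP
 enrollment self
 subject-name CN=asa5520-a.example.com
 fqdn asa5520-a.example.com
 keypair HQ-KEY
crypto ca enroll HQ-TP noconfirm
! Prints the hub certificate in PEM; copy this text to the 5505.
crypto ca export HQ-TP identity-certificate
!
! 2. Trust the 5505's self-signed certificate, pasted in over the terminal.
!    A self-signed cert has no CRL distribution point or OCSP responder,
!    so revocation checking must be disabled here (the caveat in the reply).
crypto ca trustpoint BRANCH-TP
 enrollment terminal
 revocation-check none
crypto ca authenticate BRANCH-TP
! ...paste the 5505's PEM, then type quit on its own line and confirm.
!
! 3. Send this peer to its own tunnel group based on the certificate CN,
!    instead of falling through to DefaultL2LGroup.
crypto ca certificate map BRANCH-MAP 10
 subject-name attr cn eq asa5505-branch.example.com
tunnel-group-map enable rules
tunnel-group-map BRANCH-MAP 10 BRANCH-TG
tunnel-group BRANCH-TG type ipsec-l2l
tunnel-group BRANCH-TG ipsec-attributes
 trust-point HQ-TP
!
! 4. IKE/IPsec with certificate (rsa-sig) authentication; dynamic crypto map
!    because the 5505's outside address is not known in advance.
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set AES-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside
!
! ==== ASA-5505 (branch, dynamic outside IP) ====
!
crypto key generate rsa label BR-KEY modulus 2048
crypto ca trustpoint BR-TP
 enrollment self
 subject-name CN=asa5505-branch.example.com
 fqdn asa5505-branch.example.com
 keypair BR-KEY
crypto ca enroll BR-TP noconfirm
crypto ca export BR-TP identity-certificate
!
! Trust the hub's pasted certificate; same revocation caveat applies.
crypto ca trustpoint HQ-TP
 enrollment terminal
 revocation-check none
crypto ca authenticate HQ-TP
!
! Static peer: the hub's address is known, so a normal crypto map entry.
access-list L2L-ACL extended permit ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 trust-point BR-TP
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address L2L-ACL
crypto map OUTSIDE-MAP 10 set peer 192.0.2.1
crypto map OUTSIDE-MAP 10 set transform-set AES-SHA
crypto map OUTSIDE-MAP interface outside
```

Repeat the 5520 half on the second hub (with its own self-signed trustpoint and its own copy of the 5505's certificate), and add a second static tunnel-group and crypto map entry on the 5505 for it. After pasting, `show crypto ca certificates` should list the peer's certificate under the terminal-enrollment trustpoint, and `debug crypto ca` / `show crypto isakmp sa` will show whether the peer certificate validated during IKE; if the hub does not find an issuer for the branch certificate, the import in step 2 is what to re-check. Because there is no CA, rotating or revoking a certificate means deleting the old trustpoint and pasting a new certificate on every peer, which is the operational trade-off of skipping the CA.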
