Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
739
Views
0
Helpful
1
Replies

Site-to-Site VPN with certificates

insomniacgames_nc
Level 1
Level 1

‎07-06-2010 07:46 AM

Hi everyone,

I have a remote user with an ASA-5505 which needs to establish vpn tunnels to two different ASA-5520's. The remote user has a dynamic IP for his outside address.

I can configure it to work with DefaultL2LGroup for the pre-shared-key, but that creates security conflicts with my remote VPN users which use DefaultL2LGroup.

Is there a way to use digital certificates which I can generate from each ASA-5520, and manualy import the public keys into the ASA-5505.

I do mave multiple ASA-5505's but each only has to establish tunenls to the two different 5520's.

All the docutmention I can find uses a Microsoft CA and I want to set this up (unless it's a security breach) without one.

Is there a way to do this like with SSH where I can copy the public key to the remote end?

Thanks,

Carlos

Labels:
0 Helpful
1 Reply 1

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎07-06-2010 07:54 AM

Carlos,

Yes you can.

ASA supports both SCEP and copy-and-paste enrollment methods.

http://www.aboutcisco.biz/en/US/products/ps6120/products_configuration_example09186a00808a61cd.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

Please note that CRL/OCSP has to be publicly available in a scenario like this (or checking disabled).

Marcin

edit: spelling and added links.

0 Helpful
Customers Also Viewed These Support Documents