Support required for ASA site-to-site VPN with digital certificates, without a CA server.
I would like to know the requirements for configuring a site-to-site VPN with digital certificates.
We have three geolocations and they are connected with site-to-site VPNs. Currently we are using a pre-shared key for authentication. To make it more secure we are planning to use digital certificates instead of the pre-shared key.
I really don't know which certificate can be used or how to configure it. I have some doubts regarding that and I request anyone to help me.
1) Currently we have a wildcard certificate for remote-access VPN; can we use that certificate for site-to-site authentication?
2) Do we require any CA server, like Microsoft CA Server?
3) Is certificate authentication supported in a fail-over scenario?
4) Do I need to create a separate certificate for each ASA?
Please help me to configure digital certificate authentication with three ASA 5510s. Our plan is to configure this without a CA server, using the current wildcard certificate.
Also, please provide me the prerequisites for ASA site-to-site VPN certificate authentication, so that I can prepare a document based on that.
There is a Cisco document here describing how to set up a site-to-site VPN with certificate-based authentication instead of the more commonly used pre-shared key.
The example uses a Microsoft CA, but you could leave out that part and instead use your existing wildcard certificate. The key point is that all ASAs have a certificate issued by a common trusted certificate authority.
You can use your wildcard certs (just remember you need to import the root and intermediate certs into the ASAs as well) like so. As Marvin suggested, I tend to prefer using a client's own CA and NDES. Whichever road you go down, remember that if you have CRL checking enabled, the ASAs need to be able to see the CRL server (i.e. resolve its name) AND be able to contact it.
Imported the wildcard certificate into two ASAs and I can see two certificates under CA Certificates --> Issued to: one is SHA2 Secure Server CA and the other is Global Root CA.
Created a tunnel using the certificate, but the tunnel is not showing. Tried changing to a pre-shared key and found that the tunnel is working fine with the pre-shared key.
I tried to debug crypto isakmp when configured with the certificate and I can see these errors:
* Received an un-encrypted INVALID_COOKIE notify message, dropping
* Information Exchange processing failed
* Header invalid, missing SA payload
* No preshared key configured for group
* Can't find a valid tunnel group, aborting...!
I request you all to please clarify my points:
1) Do I need to create a DNS entry for my ASA public IP for the certificate?
2) Is importing the wildcard certificate and choosing it instead of the pre-shared key enough, or do I need to do any other configuration?
3) A document describing the configuration part of a site-to-site VPN with a wildcard certificate.
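As an added example (not from this thread and not from the Cisco document linked above), here is the shape of the ASA configuration that the earlier answer implies for one of the three ASAs: a trustpoint for the root CA, a trustpoint for the issuing (intermediate) CA holding the imported wildcard certificate, CRL checking pointed at the certificate's own distribution point, and the tunnel group switched from a pre-shared key to the trustpoint. It assumes ASA 8.4-style IKEv1 syntax; the trustpoint names, the 203.0.113.x peer addresses, the DNS server address, the CRL hostname and the PKCS#12 passphrase are all placeholders. The follow-up post's debug output shows the ASA still looking for a pre-shared key for the tunnel group, so the example explicitly removes the pre-shared key from the tunnel group and references the trustpoint both there and from the crypto map entry.

```cisco
! Added example; not the thread's or Cisco's own configuration.
! Assumes ASA 8.4+ IKEv1 syntax. Names, addresses and URLs are placeholders.

! --- Before: pre-shared key authentication (what the thread currently uses) ---
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 pre-shared-key ********

! --- After: certificate authentication with the existing wildcard certificate ---

! DNS is needed so the ASA can resolve the CRL server's name (placeholder server).
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 192.0.2.53

! 1. Trustpoint holding the root CA (the thread's "Global Root CA").
!    Paste the root certificate in PEM form when 'crypto ca authenticate' prompts.
crypto ca trustpoint ROOT-TP
 enrollment terminal
 revocation-check none
crypto ca authenticate ROOT-TP

! 2. Trustpoint for the issuing CA (the thread's "SHA2 Secure Server CA") and the
!    wildcard identity certificate. The PKCS#12 bundle is assumed to contain the
!    private key, the wildcard certificate and the intermediate certificate; the
!    same bundle is imported on every ASA.
crypto ca trustpoint WILDCARD-TP
 enrollment terminal
 revocation-check crl
 crl configure
  policy cdp
crypto ca authenticate WILDCARD-TP
crypto ca import WILDCARD-TP pkcs12 <pkcs12-passphrase>

! 3. Authenticate the IKEv1 peer with the trustpoint instead of a pre-shared key.
!    Repeat this block for the third site's address (203.0.113.3).
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 no ikev1 pre-shared-key
 ikev1 trust-point WILDCARD-TP
crypto map OUTSIDE_MAP 10 set trustpoint WILDCARD-TP

! 4. Checks before bringing the tunnel up: the full chain is present, the CRL has
!    been downloaded, and the CRL host resolves and answers from the ASA.
show crypto ca certificates
show crypto ca crls
ping crl.example.com
debug crypto ca 3
show crypto isakmp sa
```

Two points worth keeping in mind with this layout. If the CRL host cannot be reached from the ASA, `revocation-check crl` will cause certificate validation, and therefore the tunnel, to fail; the `show crypto ca crls` check above tells you whether a CRL was actually fetched, and `revocation-check none` is the fallback if revocation checking is not wanted. And because every ASA presents the same wildcard certificate, the certificate itself does not say which site is connecting, so the tunnel groups stay keyed on peer IP address exactly as they were with the pre-shared key.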