Community Member

Support required for ASA Site to Site VPN with Digital Certificate without CA Server.

Hello,

I would like to know the requirements for configuring a site-to-site VPN with digital certificates.

 

We have 3 geolocations and they are connected with site-to-site VPN. Currently we are using a pre-shared key for authentication. To make it more secure we are planning to use digital certificates instead of a pre-shared key.

I really don't know which certificate can be used and how to configure it. I have some doubts regarding that and I request anyone to help me.

1) Currently we have a wildcard certificate for remote VPN; can we use that certificate for site-to-site authentication?

2) Do we require any CA server, like Microsoft CA Server?

3) Is certificate authentication supported in a failover scenario?

4) Do I need to create a separate certificate for each ASA?

Please help me to configure digital certificate authentication with 3 ASA 5510s. Our plan is to configure this without a CA server and using the current wildcard certificate.

Also, please provide me the prerequisites for ASA site-to-site VPN certificate authentication, so that I can prepare a document based on that.

Thanks in advance

5 REPLIES
Hall of Fame Super Silver

There is a Cisco document here describing setting up site-site VPN with certificate-based authentication instead of the more commonly used pre-shared key.

The example uses a Microsoft CA but you could leave out that part and instead use your existing wildcard certificate. The key point is that all ASAs have a certificate issued by a common trusted certificate authority.

Community Member

Thanks Marvin Rhoads for the quick response.

Community Member

You can use your wildcard certs (just remember you need to import the root and intermediate certs into the ASAs as well) like so. As Marvin suggested, I tend to prefer using a client's own CA and NDES. Whichever road you go down, remember if you have CRL checking enabled the ASAs need to be able to see the CRL server (i.e. resolve its name) AND be able to contact it.

Pete

Community Member

Thanks to all for the support.

Imported the wildcard certificate into two ASAs and I can see two certificates under CA Certificate --> Issued to: one is SHA2 Secure Server CA and the other is Global Root CA.

Created a tunnel using the certificate, but the tunnel is not showing. Tried changing to a pre-shared key and found that the tunnel is working fine with the pre-shared key.

I tried to debug crypto isakmp when configured with the certificate and I can see these errors:

* Received an un-encrypted INVALID_COOKIE notify message, dropping
* Information Exchange processing failed
* Header invalid, missing SA payload
* No preshared key configured for group
* Can't find a valid tunnel group, aborting...!

I request you all to please clarify my points:

1) Do I need to create a DNS entry for my ASA public IP for the certificate?

2) Is just importing the wildcard certificate and choosing it instead of the pre-shared key enough, or do I need to do any other configuration?

3) A document describing the configuration part of site-to-site VPN with a wildcard certificate.

Community Member

1) Do I need to create a DNS entry for my ASA public IP for the certificate?

Yes, assuming the ASA can perform a DNS lookup. If not, you need to create host entries on the firewall.

2) Is just importing the wildcard certificate and choosing it instead of the pre-shared key enough, or do I need to do any other configuration?

Essentially yes; you may also need to import the root certificate of the entity that issued your wildcard cert.

3) A document describing the configuration part of site-to-site VPN with a wildcard certificate.

You simply need to change from auth pre-share to cert.

PL
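As an added example (not from this thread or from the Cisco document Marvin linked), here are the ASA 8.4+ configuration pieces that Pete's and PL's replies describe: a trustpoint holding the imported wildcard certificate with its root and intermediate, the DNS and CRL settings the ASA needs to resolve and reach the CDP, and the IKEv1 policy and tunnel-group switched from pre-share to rsa-sig. Trustpoint, map and ACL names, the 203.0.113.2 peer, the 10.x subnets and the 198.51.100.53 name server are assumptions; the ASA looks up an L2L tunnel-group by the peer's address, so the group name must match it, or the "Can't find a valid tunnel group" error in the debug above is what you see.

```cisco
! Trustpoint for the wildcard identity cert plus its chain. Import the same
! PKCS#12 bundle (cert + key + intermediate + root) on every ASA with:
!   crypto ca import WILDCARD-TP pkcs12 <bundle-passphrase>   (paste the base64)
! Check with: show crypto ca certificates  (identity cert and both CA certs)
crypto ca trustpoint WILDCARD-TP
 enrollment terminal
 revocation-check crl
 crl configure
  policy cdp
!
! CRL checking only works if the ASA can resolve and reach the CDP host
! (Pete's point above); assumed name server, replace with your own.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 198.51.100.53
!
! Phase 1: rsa-sig replaces pre-share.
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
!
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! Interesting traffic between the two sites (assumed subnets).
access-list VPN-TO-SITEB extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
!
crypto map OUTSIDE-MAP 10 match address VPN-TO-SITEB
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set trustpoint WILDCARD-TP
crypto map OUTSIDE-MAP interface outside
!
! The tunnel-group name is the peer's address. Remove the old
! "ikev1 pre-shared-key <key>" line and point the group at the trustpoint.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 trust-point WILDCARD-TP
```

The mirror of this goes on the peer ASA with its own peer address and subnets swapped; on pre-8.4 code the same settings use the older crypto isakmp policy and trust-point syntax.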
