Site-to-Site VPN using PKI | Certificates for Authentication (CCIE Notes)

The basic configuration of a Site-to-Site VPN in ASA remains the same except for a few commands. The previous post – Configuring Cisco IOS CA Server and Enrolling Cisco ASA to a CA Server shows how to configure the ASA to enroll to a CA and retrieve certificates that can be used for authenticating peers in an IPsec/SSL VPN.

Below are the additional commands that you do not see in a Site-to-Site VPN config that uses a pre-shared key for authentication.


crypto ikev1 policy 10
 authentication rsa-sig
! rsa-sig replaces pre-share: peers prove identity with certificates signed by the CA
! <peer-ip> is a placeholder for the remote peer's address, which names the tunnel group
tunnel-group <peer-ip> type ipsec-l2l
tunnel-group <peer-ip> ipsec-attributes
 ikev1 trustpoint CISCO_CA
! 'ikev1 trustpoint' replaces 'ikev1 pre-shared-key' in the tunnel group
! 'set trustpoint' selects the certificate this ASA presents on this crypto map entry
crypto map outside_map 10 set trustpoint CISCO_CA
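To show where those certificate-specific lines sit in an otherwise standard configuration, here is a complete IKEv1 Site-to-Site VPN config on ASA 8.4+/9.x with certificate authentication. This is an added example, not the configuration from the original post; the interface name outside, the peer address 203.0.113.2, the LAN subnets 192.168.1.0/24 and 192.168.2.0/24, and the object/ACL names are assumed lab values, while the trustpoint CISCO_CA is the one the post enrolled in the previous article.

```cisco
! --- Phase 1 (IKEv1): rsa-sig means certificates instead of a pre-shared key ---
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 14
 lifetime 86400
!
! --- Phase 2 proposal ---
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
!
! --- Interesting traffic: local LAN to remote LAN (assumed lab addresses) ---
access-list VPN_TO_SITE_B extended permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
!
! --- NAT exemption so tunnelled traffic keeps its real addresses (ASA 8.3+ object NAT) ---
object network SITE_A_LAN
 subnet 192.168.1.0 255.255.255.0
object network SITE_B_LAN
 subnet 192.168.2.0 255.255.255.0
nat (inside,outside) source static SITE_A_LAN SITE_A_LAN destination static SITE_B_LAN SITE_B_LAN no-proxy-arp route-lookup
!
! --- Crypto map: 'set trustpoint' picks the certificate this ASA presents to the peer ---
crypto map outside_map 10 match address VPN_TO_SITE_B
crypto map outside_map 10 set peer 203.0.113.2
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
crypto map outside_map 10 set trustpoint CISCO_CA
crypto map outside_map interface outside
!
! --- Tunnel group keyed on the peer address; the trustpoint replaces 'ikev1 pre-shared-key' ---
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 trustpoint CISCO_CA
```

The peer's certificate is accepted only if it chains to a CA certificate the ASA already holds under a trustpoint, so both ASAs must have completed authentication and enrollment against the same CA (or trust each other's CA) before the tunnel can come up; `show crypto ikev1 sa` and `debug crypto ikev1` are the places to look when phase 1 fails with a certificate error.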


Configuring Cisco IOS CA Server and Enrolling Cisco ASA to a CA Server (CCIE Notes)

Cisco IOS CA server configuration:

! Directory that will hold the CA database; must match the 'database url' below
mkdir flash:/CISCO_CA

conf terminal
! SCEP enrollment runs over the built-in HTTP server
ip http server
! <domain> is a placeholder for your domain name
ip domain name <domain>
! Key pair label must match the certificate server name (1024-bit is below current guidance; 2048 or larger is recommended)
crypto key generate rsa modulus 1024 label CISCO_CA
crypto pki server CISCO_CA
 issuer-name CISCO_CA
 database archive pem password cisco123
 grant auto
 lifetime certificate 365
 lifetime ca-certificate 1095
 ! Point this at the directory created above (use flash: or disk0: as your platform names it)
 database url pem disk0:/CISCO_CA
 no shutdown
– The certificate server must use the same name as the key pair.
– The default CA certificate lifetime is 3 years and the default certificate lifetime is 1 year.
– Cisco IOS CA Server only supports enrollments done via Simple Certificate Enrollment Protocol (SCEP). For this to work, the built-in HTTP server must be enabled.
– There are 3 database levels: Minimum (default), Names and Complete.
– Use NTP to make sure the time is in sync with the enrolling parties.
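The excerpt shows the CA side only; the following is an added example of the ASA side of the enrollment via SCEP, written here and not taken from the original post. The CA address 10.0.0.1, the NTP server 10.0.0.100, the key pair label ASA_KEY and the subject name are assumed lab values; the trustpoint name CISCO_CA matches the CA server above.

```cisco
! --- Time must agree with the CA before the CA certificate can be validated (assumed NTP server) ---
ntp server 10.0.0.100
!
! --- Dedicated RSA key pair for the ASA identity certificate ---
crypto key generate rsa label ASA_KEY modulus 2048
!
! --- Trustpoint pointing at the IOS CA's SCEP endpoint (assumed CA address);
!     the ASA appends the default /cgi-bin/pkiclient.exe path itself ---
crypto ca trustpoint CISCO_CA
 enrollment url http://10.0.0.1:80
 subject-name CN=asa1.lab.example,OU=LAB
 fqdn asa1.lab.example
 keypair ASA_KEY
 id-usage ssl-ipsec
 ! Lab shortcut: no CRL lookup. In production enable revocation checking against the CA's CRL.
 revocation-check none
!
! --- Still in global configuration mode: fetch the CA certificate, then request the identity certificate ---
crypto ca authenticate CISCO_CA
crypto ca enroll CISCO_CA
!
! --- Verification ---
show crypto ca certificates
show crypto ca trustpoints
```

`crypto ca authenticate` prints the fingerprint of the CA certificate it downloaded and asks you to accept it; compare that value against `show crypto pki server` on the IOS router before answering yes, since this step is what anchors all later peer authentication. With `grant auto` on the CA every SCEP request is signed immediately, which is convenient in a lab but means anyone who can reach the HTTP server gets a certificate; outside a lab, remove `grant auto` and approve requests manually with `crypto pki server CISCO_CA grant <request-id>` after checking the pending request with `crypto pki server CISCO_CA info requests`.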