The basic configuration of a Site-to-Site VPN on the ASA stays the same when you move from pre-shared keys to certificates; only a few commands change. The previous post, Configuring Cisco IOS CA Server and Enrolling Cisco ASA to a CA Server, shows how to enroll the ASA with a CA and obtain the certificates that are used to authenticate peers in an IPsec or SSL VPN.
Below are the additional or non-standard commands that you do not see in a Site-to-Site VPN config that uses a pre-shared key for authentication. The IKEv1 policy must authenticate with RSA signatures instead of a pre-shared key, and both the tunnel-group and the crypto map entry must reference the trustpoint that holds the ASA's identity certificate and the CA certificate:
crypto ikev1 policy 10
 authentication rsa-sig
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 trustpoint CISCO_CA
crypto map outside_map 10 set trustpoint CISCO_CA
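A complete ASA-side configuration for one tunnel, written here as an added example (it is not the post's own config, nor a Cisco reference config) so that the certificate-specific lines above can be seen in context. The addresses (peer 192.168.1.1, CA at 192.168.1.254), the protected subnets 10.1.1.0/24 and 10.2.2.0/24, the host name, the key-pair label CISCO_CA_KEY and the object names are assumptions; the trustpoint and enrollment commands at the top are the ones the previous post walks through and are only summarised here.

```cisco
! --- Identity: trustpoint pointing at the IOS CA's SCEP interface (detailed in the previous post) ---
hostname asa1
domain-name networkology.net
crypto key generate rsa label CISCO_CA_KEY modulus 2048
crypto ca trustpoint CISCO_CA
 enrollment url http://192.168.1.254:80
 fqdn asa1.networkology.net
 subject-name CN=asa1.networkology.net,OU=Lab,O=networkology
 keypair CISCO_CA_KEY
 ! Lab CA publishes no CRL distribution point here; in production enable revocation-check crl
 revocation-check none
crypto ca authenticate CISCO_CA
crypto ca enroll CISCO_CA

! --- Phase 1: RSA signatures instead of authentication pre-share ---
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 5
 lifetime 86400
crypto ikev1 enable outside
! With certificates the IKE identity is the certificate DN; auto (the default) selects that
crypto isakmp identity auto

! --- Phase 2 ---
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
access-list outside_cryptomap extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 192.168.1.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES256-SHA
! Which certificate the ASA presents for this peer
crypto map outside_map 10 set trustpoint CISCO_CA
crypto map outside_map interface outside

! --- Tunnel group keyed on the peer address: no ikev1 pre-shared-key, the trustpoint instead ---
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 trustpoint CISCO_CA
 ! Require the peer's certificate to carry its identity (default is req; nocheck disables it)
 peer-id-validate req

! --- Checks: CA cert plus identity cert present, then phase 1 and phase 2 SAs after interesting traffic ---
show crypto ca certificates CISCO_CA
show crypto ikev1 sa
show crypto ipsec sa peer 192.168.1.1
```

If phase 1 fails after the switch to certificates, the usual causes are an IKE identity that does not match what the peer validates (peer-id-validate against the certificate's FQDN or DN), a clock outside the certificate validity window, or a peer that still has authentication pre-share in its policy; show crypto ca certificates is the first thing to read, because everything else depends on the trustpoint actually holding both the CA certificate and the ASA's own certificate.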
Cisco IOS CA server configuration:
ip domain name networkology.net
ip http server
crypto key generate rsa general-keys label CISCO_CA modulus 2048 exportable
crypto pki server CISCO_CA
 database archive pem password cisco123
 lifetime certificate 365
 lifetime ca-certificate 1095
 database url pem disk0:/CISCO_CA
 no shutdown
– If you generate the RSA key pair yourself, its label must match the certificate server name (CISCO_CA above); otherwise the server generates its own key pair under that name when it starts. Generating it yourself lets you choose the modulus; 1024-bit RSA is no longer acceptable, so use 2048 or larger. The exportable keyword is what allows the CA key to be archived with database archive pem and restored later; the archive password (cisco123 here) protects that PEM file and should be treated like the CA key itself.
– The default CA certificate lifetime is 3 years and the default lifetime of issued certificates is 1 year, so the two lifetime commands above only make the defaults explicit. Set them before no shutdown: the CA certificate lifetime cannot be changed once the CA certificate has been generated.
– Clients enroll with the Cisco IOS CA server over Simple Certificate Enrollment Protocol (SCEP), which is served by the router's built-in HTTP server, so ip http server must be enabled. Restrict who can reach it (ip http access-class), because the same HTTP server also exposes the router's web management interface. Manual PKCS#10 enrollment through the console (crypto pki server CISCO_CA request pkcs10 terminal) is the fallback when SCEP is not reachable.
– There are three database levels: Minimum (default) keeps only what the server needs to issue new certificates, Names additionally records the subject name and expiry of each issued certificate, and Complete stores every issued certificate, which is why database url should point at storage with enough room.
– Use NTP so the CA's clock is in sync with the enrolling parties. Certificates carry a notBefore/notAfter validity window; a peer whose clock sits outside that window rejects the CA certificate at authentication time or fails IKE with a certificate validity error, and a CA with a wrong clock issues certificates that are wrong for everyone.
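The day-to-day operations on the CA side once the server is up, written here as an added example (not part of the post): checking the server state, handling the enrollment requests that arrive from the ASA's crypto ca enroll, and revoking a certificate. The request IDs and the serial number are assumptions taken from what the info requests and show commands would print; the server name CISCO_CA is the one configured above.

```cisco
! Is the CA running, and what are its certificate's fingerprint and validity dates?
! The ASA operator compares this fingerprint when crypto ca authenticate prompts for confirmation.
show crypto pki server
show crypto pki server CISCO_CA
show crypto pki certificates CISCO_CA

! Enrollment requests wait in the pending queue unless grant auto is configured.
! List them, then grant by request id; reject anything you did not expect.
crypto pki server CISCO_CA info requests
crypto pki server CISCO_CA grant 1
crypto pki server CISCO_CA reject 2

! Manual alternative when the ASA cannot reach the SCEP URL: paste a PKCS#10 request on the terminal
! and the CA prints the signed certificate in PEM form.
crypto pki server CISCO_CA request pkcs10 terminal pem

! Revoke an issued certificate by serial number (hex, as shown in the certificate) and confirm it is in the CRL.
crypto pki server CISCO_CA revoke 0x3
crypto pki server CISCO_CA info crl
show crypto pki server CISCO_CA crl

! Lab-only shortcut: grant every request automatically. Anyone who can reach the SCEP URL
! then obtains a certificate this CA will vouch for, so do not leave this on in production.
crypto pki server CISCO_CA
 grant auto
```

Revocation only matters if the peers check it: the ASA configuration in the post uses the trustpoint's default revocation settings, so pair a revoke with revocation-check crl and a reachable cdp-url on the CA, or the revoked certificate keeps authenticating until it expires.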