IOS Site-to-Site VPN using PKI (CCIE Notes)

This post is along the same lines as the previous one; the difference is between the configuration done on an ASA and the configuration done on an IOS device.

Configuration in IOS:

crypto pki trustpoint CISCO_CA
 enrollment url http://10.3.3.3:80
 usage ike
 subject-name CN=R1, C=IN
 ip-address 10.1.1.1
 fqdn R1.networkology.net
crypto pki authenticate CISCO_CA
crypto pki enroll CISCO_CA
!
crypto isakmp policy 10
 authentication rsa-sig
!
!
!(OPTIONAL config below)
!
!
crypto isakmp peer address 10.2.2.1
 set aggressive-mode client-endpoint fqdn r2.networkology.net
!
!OR
!
crypto isakmp peer address 10.2.2.1
 set aggressive-mode client-endpoint ipv4-address 10.2.2.1

Notes:

  • NOT USING the ‘crypto isakmp peer’ command: the ‘crypto isakmp peer’ statement is optional. If it isn’t used, the router uses its IP address as the client-endpoint, and if the IP address isn’t found in the certificate, it uses the FQDN instead.
  • USING the ‘crypto isakmp peer’ command: you can specify the client-endpoint for a particular peer as either an FQDN or an IP address. Verify that whichever one you choose is embedded in the certificate. The FQDN is always present in the certificate even if not explicitly added, because it is derived from the configured ‘hostname’ and ‘ip domain-name’; the IP address, however, has to be added manually (‘ip-address’) when creating the trustpoint and enrolling it with the CA.
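As an added example (not from the original post), the identity-selection rule described in these notes, written as a pre-deployment check in Python: it parses the trustpoint above for the identity fields requested, builds the SAN the certificate would carry (an assumption: the CA embeds exactly what was requested, and the certificate contents are constructed, not real), and reports which identity the router will present or fails when an explicitly configured client-endpoint is missing from the certificate.

```python
import ipaddress

# Trustpoint from the page: the identity fields the router asks the CA to embed.
TRUSTPOINT = """crypto pki trustpoint CISCO_CA
 enrollment url http://10.3.3.3:80
 usage ike
 subject-name CN=R1, C=IN
 ip-address 10.1.1.1
 fqdn R1.networkology.net
"""

def parse_trustpoint(config):
    """Return the IP / FQDN identity fields requested in a trustpoint."""
    fields = {}
    for raw in config.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "ip-address":
            fields["ip"] = str(ipaddress.ip_address(parts[1]))
        elif parts[0] == "fqdn":
            fields["fqdn"] = parts[1].lower()
    return fields

def expected_san(fields):
    """Constructed SAN (assumption: the CA embeds exactly what was requested).
    FQDN is always present via hostname + ip domain-name; IP only if configured."""
    return {"dns": [fields["fqdn"]] if "fqdn" in fields else [],
            "ip": [fields["ip"]] if "ip" in fields else []}

def select_identity(san, local_ip, local_fqdn, client_endpoint=None):
    """Identity the router presents, following the notes' fallback rule.
    client_endpoint is None or ('ipv4-address' | 'fqdn', value)."""
    ips = {str(ipaddress.ip_address(a)) for a in san["ip"]}
    names = {n.lower() for n in san["dns"]}
    if client_endpoint is None:  # no 'crypto isakmp peer' statement
        if str(ipaddress.ip_address(local_ip)) in ips:
            return ("address", local_ip)
        if local_fqdn.lower() in names:  # IP not in cert: fall back to FQDN
            return ("fqdn", local_fqdn.lower())
        raise ValueError("neither IP nor FQDN is present in the certificate")
    kind, value = client_endpoint  # explicit endpoint must be in the cert
    if kind == "ipv4-address" and str(ipaddress.ip_address(value)) in ips:
        return ("address", value)
    if kind == "fqdn" and value.lower() in names:
        return ("fqdn", value.lower())
    raise ValueError(f"configured client-endpoint {value} is not in the certificate")
```

Removing the ‘ip-address’ line from the trustpoint makes the router fall back to the FQDN, and an ‘ipv4-address’ client-endpoint configured against such a certificate is rejected by the check.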


Site-to-Site VPN using PKI | Certificates for Authentication (CCIE Notes)

The basic configuration of a Site-to-Site VPN in ASA remains the same except for a few commands. The previous post – Configuring Cisco IOS CA Server and Enrolling Cisco ASA to a CA Server shows how to configure the ASA to enroll to a CA and retrieve certificates that can be used for authenticating peers in an IPsec/SSL VPN.

Below are the additional or non-standard commands that you usually do not see in a Site-to-Site VPN config that uses a pre-shared key for authentication.

Configuration:

crypto ikev1 policy 10
 authentication rsa-sig
!
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 trustpoint CISCO_CA
!
crypto map outside_map 10 set trustpoint CISCO_CA
