IOS Site-to-Site VPN using PKI (CCIE Notes)

This post follows the same lines as the previous one; the difference is that the configuration here is done on an IOS device rather than an ASA.

Configuration in IOS:

crypto pki trustpoint CISCO_CA
 enrollment url
 usage ike
 subject-name CN=R1, C=IN
crypto pki authenticate CISCO_CA
crypto pki enroll CISCO_CA
crypto isakmp policy 10
 authentication rsa-sig
!(OPTIONAL config below)
crypto isakmp peer address
 set aggressive-mode client-endpoint fqdn 
crypto isakmp peer address
 set aggressive-mode client-endpoint ipv4-address


  • NOT USING the ‘crypto isakmp peer’ command: the ‘crypto isakmp peer’ statement is optional. If it isn’t used, the router uses the IP address as the client-endpoint and, if no IP address is found in the certificate, falls back to the FQDN.
  • USING the ‘crypto isakmp peer’ command: you can specify the client-endpoint for a particular peer as either the FQDN or the IP address. Verify that whichever you choose is embedded in the certificate. The FQDN is always present in the certificate, even if not explicitly added, because of the configured ‘hostname’ and ‘ip domain-name’; the IP address, however, has to be added manually while creating the trustpoint and enrolling it with the CA.

Site-to-Site VPN using PKI | Certificates for Authentication (CCIE Notes)

The basic configuration of a Site-to-Site VPN in ASA remains the same except for a few commands. The previous post – Configuring Cisco IOS CA Server and Enrolling Cisco ASA to a CA Server shows how to configure the ASA to enroll to a CA and retrieve certificates that can be used for authenticating peers in an IPsec/SSL VPN.

Below are the additional or non-standard commands that you usually do not see in a Site-to-Site VPN config using pre-shared-key for authentication.


crypto ikev1 policy 10
 authentication rsa-sig
tunnel-group type ipsec-l2l
tunnel-group ipsec-attributes
 ikev1 trustpoint CISCO_CA
crypto map outside_map 10 set trustpoint CISCO_CA

NAT Traversal Debugs (CCIE Notes)

“NAT traversal (NAT-T) is a general term for techniques that establish and maintain IP connections traversing (NAT) gateways. Network address translation breaks end-to-end connectivity.” (Wikipedia)

The below debugs were captured from an IOS router with an intermediary router NATing the peer IP address.

IOS Site-to-Site VPN | Main Mode (CCIE Notes)

Main Mode States:

  • ISAKMP SA created but nothing else has happened.
  • Peers have agreed on the ISAKMP SA parameters.
  • Peers have exchanged DH keys and generated a shared secret. This sets up the base for authenticating the ISAKMP SA with the pre-shared key.
  • The SA has been authenticated, but this state is not visible in debugs because it transitions immediately to QM_IDLE.
  • ISAKMP SA is authenticated and idle and may be used for subsequent quick mode exchanges.
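As an added example (not part of the original notes), the script below parses `show crypto isakmp sa` output and reports how far main mode got for each peer, using the IOS state names MM_NO_STATE, MM_SA_SETUP, MM_KEY_EXCH, MM_KEY_AUTH and QM_IDLE, which correspond in order to the five states listed above; the sample output is constructed, not captured from a real router.

```python
import re
from typing import Dict, List

# IOS main-mode (MM_*) and quick-mode states in negotiation order, with the
# meaning of each state as given in the list above.
STATE_INFO = {
    "MM_NO_STATE": "ISAKMP SA created, nothing else has happened",
    "MM_SA_SETUP": "peers agreed on the ISAKMP SA parameters",
    "MM_KEY_EXCH": "DH keys exchanged, shared secret generated, SA not yet authenticated",
    "MM_KEY_AUTH": "SA authenticated (transient, normally not seen)",
    "QM_IDLE": "ISAKMP SA authenticated and idle, usable for quick mode",
}

# Constructed sample of 'show crypto isakmp sa' output (not from a real device).
SAMPLE_OUTPUT = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.0.0.2        10.0.0.1        QM_IDLE           1001 ACTIVE
192.0.2.9       10.0.0.1        MM_NO_STATE       1002 ACTIVE
203.0.113.5     10.0.0.1        MM_KEY_EXCH       1003 ACTIVE (deleted)

IPv6 Crypto ISAKMP SA
"""

# dst, src, state, conn-id, status (status may contain spaces, e.g. "ACTIVE (deleted)")
SA_LINE = re.compile(r"^(\S+)\s+(\S+)\s+((?:MM|AG|QM)_\w+)\s+(\d+)\s+(.*)$")


def parse_isakmp_sa(text: str) -> List[Dict[str, str]]:
    """Return one dict per SA line; header and section lines are skipped."""
    fields = ("dst", "src", "state", "conn_id", "status")
    return [dict(zip(fields, m.groups()))
            for m in (SA_LINE.match(line.strip()) for line in text.splitlines()) if m]


def assess(sa: Dict[str, str]) -> str:
    """Say whether Phase 1 is up and, if not, at which main-mode step it stalled."""
    state, meaning = sa["state"], STATE_INFO.get(sa["state"], "unknown state")
    if state == "QM_IDLE":
        return f"{sa['dst']}: up ({meaning})"
    if state == "MM_NO_STATE":
        return f"{sa['dst']}: stuck before any agreement ({meaning}); check peer reachability and ISAKMP policy match"
    if state == "MM_KEY_EXCH":
        return f"{sa['dst']}: stuck after DH ({meaning}); pre-shared key authentication did not complete"
    return f"{sa['dst']}: in progress ({meaning})"


def report(text: str) -> List[str]:
    return [assess(sa) for sa in parse_isakmp_sa(text)]


if __name__ == "__main__":
    for line in report(SAMPLE_OUTPUT):
        print(line)
```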


Phase 1 – (ISAKMP Policy and Pre-shared-key)

crypto isakmp policy 10
 encr 3des
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cisco123 address

Phase 2 (Crypto ACL, transform-set, crypto map and egress interface)

Site-to-Site VPN tunnel goes down when the Phase 2 IPSec Outbound SA lifetime threshold is reached (ASA 8.4 bug)

If you have recently upgraded to ASA 8.4 or above, you might have come across a VPN behavior where the outbound IPSec SA reaches its data lifetime threshold and you have to manually bounce the tunnel to bring it back up.

This happens because of a bug found in code 8.4(2.240) and 8.6: the Phase 2 IPSec outbound SA fails to rekey when the ‘data lifetime’ reaches its threshold (default 4608000). The bug ID is CSCtq57752, which you can look up in the Bug Toolkit (requires a CCO login).