topic Re: Firepower VPN Question in Network Security

Firepower VPN Question

benolyndav — Thu, 22 Feb 2024 14:02:20 GMT

WE are going be setting up 12 site to site vpns to a 3rd party provider and they have said they will send us their root cert and we just need to create intermediates for the 12 tunnels from the root cert, is this possible and if so how please.??

Thanks

Re: Firepower VPN Question

Rob Ingram — Thu, 22 Feb 2024 14:30:11 GMT

@benolyndav are you sure they said create intermediates for the tunnels? You'd exchange root certificates and deploy to the FTD to mutual authenticate when establishing the VPN.

Re: Firepower VPN Question

MHM Cisco World — Thu, 22 Feb 2024 14:32:49 GMT

the VPN cert. or CA cert. ?
if VPN cert. then you can generate self signed cert. and send to them
they will use this self signed for VPN auth
FTD VPN Certificate authentication – integrating IT (wordpress.com)

MHM

Re: Firepower VPN Question

balaji.bandi — Thu, 22 Feb 2024 14:40:24 GMT

check below guide :

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/configuration/guide/fpmc-config-guide-v70/firepower_threat_defense_certificate_based_authentication.html#Cisco_Reference.dita_0baaa057-10eb-49cc-8d97-d3be75c7294f

https://integratingit.wordpress.com/2018/11/10/ftd-vpn-with-certificates/

Re: Firepower VPN Question

benolyndav — Thu, 22 Feb 2024 14:46:45 GMT

Yes thats what I thought just use Root for the 12 tunnels, I never questioned it as it was in an email but its confusing.

Re: Firepower VPN Question

benolyndav — Thu, 22 Feb 2024 16:23:19 GMT

Hi @Rob Ingram
So if I want to Use 3rd party Root Cert where will this need adding my side, ???

Thanks

Re: Firepower VPN Question

Rob Ingram — Thu, 22 Feb 2024 16:36:03 GMT

@benolyndav you can just create a new trustpoint and import the CA certificate and then attach to the FTDs.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/720/management-center-device-config-72/objects-certs.html#task_blc_3nw_vy

Re: Firepower VPN Question

benolyndav — Thu, 22 Feb 2024 17:00:04 GMT

Hi @Rob Ingram

Im still a bit confused if they send me a cert does this mean I can simply add this cert to our FTD or do I still have to do some form of enrollment .??

Thanks

Re: Firepower VPN Question

Rob Ingram — Thu, 22 Feb 2024 17:07:32 GMT

@benolyndav yes use manual enrollment and import the peers CA certificate only.

Re: Firepower VPN Question

benolyndav — Mon, 04 Mar 2024 16:43:16 GMT

@Rob Ingram
would it still need adding to Trusted Root as well.???

Thanks

Re: Firepower VPN Question

Rob Ingram — Mon, 04 Mar 2024 16:50:39 GMT

@benolyndav I assume you are referring to Trusted CA under Objects > PKI? ..then no

You enrol the certificates (under Devices > Certificates) to the FTD which creates the trustpoint on the FTD with the relevant certificates.

Re: Firepower VPN Question

benolyndav — Mon, 04 Mar 2024 17:04:23 GMT

Hi @Rob Ingram
So add cert enrollment give it a name, then select Manual and check CA only, I try saving and it dosent allow me to move forward ???

---Paste CA certificate in PEM format here ????

Re: Firepower VPN Question

Rob Ingram — Mon, 04 Mar 2024 17:09:07 GMT

@benolyndav you can import the CA certificate only (no identity certificate) since 6.7, I assume you are using 6.7 or newer?

Can you provide a screenshot of what you are doing and the error in context please? How are you trying to import the certificate? You can just copy and paste the CA certificate contents into the field, assuming it's the correct format.

Re: Firepower VPN Question

benolyndav — Mon, 04 Mar 2024 18:13:39 GMT

@Rob Ingram Its in .crt format ??

Re: Firepower VPN Question

Rob Ingram — Mon, 04 Mar 2024 18:17:38 GMT

@benolyndav a PEM file can use .crt file extension. PEM files starts with -----BEGIN CERTIFICATE-----

Open the CA certificate file into notepad, copy and paste this.

Re: Firepower VPN Question

benolyndav — Mon, 04 Mar 2024 18:42:56 GMT

@Rob Ingram so thats on there now under manual enrollment Manual (CA Only) thanks for that, whats the next step please ??

Thanks

Re: Firepower VPN Question

Rob Ingram — Mon, 04 Mar 2024 18:47:32 GMT

@benolyndav ok, so is this enrolled under the FTD ( from FMC under Devices > Certificates)?

If so this will have created the trustpoint on the FTD, from the FTD you can run "show crypto ca certificates" to confirm the trustpoint is created.

Re: Firepower VPN Question

benolyndav — Mon, 04 Mar 2024 18:56:26 GMT

@Rob Ingram Ah Ah, I see it, do I have to create a cert map now?
thank you for your assistance so far

Re: Firepower VPN Question

benolyndav — Tue, 05 Mar 2024 08:06:10 GMT

@Rob Ingram

And also I have used CA only for the enrollment, In the documentation I see it states recieving an Identity Certificate ? its all rather confusing.?

Thanks

Re: Firepower VPN Question

benolyndav — Tue, 05 Mar 2024 08:07:09 GMT

@Rob Ingram

Yes its in there I see it