cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

568
Views
0
Helpful
1
Replies
oldcreek12
Beginner

CA trustpoint for IPsec authentication

Hi, I have a situation I am not sure how I should implement it, I need some help to better understand how certificate authentication for IPsec works.

ASA has SSL certificate signed by well-known third party, trustpoint of this third party CA, certificate of third party CA as well as identity certificate of this ASA signed this CA are configured/installed on ASA, SSL remote access VPN is working fine, pre-shared key has been used for authentication of IPsec site2site and remote-access VPN.


We now have an application that requires certificate authentication for IPsec remote-access VPN, we run our internal Windows CA server, the new IPsec remote clients will enroll to and get certificate from this internal CA. In order for certificate authentication work, can I simply configure another trustpoint pointing to this internal CA on ASA and install well-known third party CA on clients? in a sense, will certificate authentication work if ASA and client identity certificates are issued by different CA ? given that the CAs are trusted by each other.

Thanks,

1 REPLY 1
oldcreek12
Beginner

or, can I install a second identity certificate issued by internal CA and let ISAKMP trust this CA, this way ASA and clients can have the same CA. Logically this should be doable, I just want to make sure that installing second identity cert won't affect existing working SSL-VPN.

Content for Community-Ad