CA trustpoint for IPsec authentication

oldcreek12 · ‎08-10-2010

Hi, I have a situation I am not sure how I should implement it, I need some help to better understand how certificate authentication for IPsec works.

ASA has SSL certificate signed by well-known third party, trustpoint of this third party CA, certificate of third party CA as well as identity certificate of this ASA signed this CA are configured/installed on ASA, SSL remote access VPN is working fine, pre-shared key has been used for authentication of IPsec site2site and remote-access VPN.

We now have an application that requires certificate authentication for IPsec remote-access VPN, we run our internal Windows CA server, the new IPsec remote clients will enroll to and get certificate from this internal CA. In order for certificate authentication work, can I simply configure another trustpoint pointing to this internal CA on ASA and install well-known third party CA on clients? in a sense, will certificate authentication work if ASA and client identity certificates are issued by different CA ? given that the CAs are trusted by each other.

Thanks,

oldcreek12 · ‎08-11-2010

or, can I install a second identity certificate issued by internal CA and let ISAKMP trust this CA, this way ASA and clients can have the same CA. Logically this should be doable, I just want to make sure that installing second identity cert won't affect existing working SSL-VPN.