Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6208
Views
0
Helpful
4
Replies

ASA site to site vpn with certificate authentication

adamgibs7
Level 6
Level 6

‎03-19-2018 08:02 AM - edited ‎02-21-2020 07:32 AM

Dears,

Currently I m having a site to site vpn with pre-shared keys , I want to move to digital certificate authentication by a (globalsign or verisign or godaddy) , can anybody route me to the step by step configuration for ikev2 with certificate authentication.

I am having lots of doubts related to the configuration of certificates such as csr, import and the other company certificates what keys i have to install in my ASA etc etc,

 

Thanks

 

Labels:
0 Helpful
4 Replies 4

Florin Barhala
Level 6
Level 6

‎03-19-2018 09:00 AM

I would carefully read Cisco ASA VPN config guide.

Here's 9.6 config: https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/vpn/asa-96-vpn-config/vpn-ike.html#ID-2441-0000053a
0 Helpful

adamgibs7
Level 6
Level 6
In response to Florin Barhala

‎03-19-2018 02:21 PM

Dear Florin

here are the steps that i know but  how the 2 parties authenticate each other by certificate what identity firewall A takes with him when initiating a connection to firewall B and firewall B authenticates firewall A on basis of what??? can anybody explain ???

 

Firewall A steps

  1. generated a self signed certificate
  2. generated a CSR
  3. we gave a csr to globalsign for signing
  4. globalsign signed the certificate and gave to us with his root and intermediate certificate.
  5. i have install the certificate and the work is over on Firewall A

Firewall B Steps

  1. generated a self signed certificate
  2. generated a CSR
  3. we gave a csr to godaddy for signing
  4. godaddy signed the certificate and gave to us with his root and intermediate certificate.
  5. i have install the certificate and the work is over on Firewall B

 

0 Helpful

Octavian Szolga
Level 4
Level 4
In response to adamgibs7

‎03-19-2018 02:57 PM

Hi,

Besides the steps you've details you should import the CA that signed your peer's cert and vicecersa if different.

Regarding the mutual authentication happening in there, each deivice would present its own cert (public key) to its peer.

The key point here is that:

1. Each device would check the issuer of the cert it received from its peer using its local CA certs (was is signed by Verisgn and valid/not revoked (CRL/OCSP)

2. Can you prove that you also have the (pair) private key of the cert you previsouly sent? If so, you could sign/encrypt a piece of data I'll send to you.

 

Not sure about the specific details regarding the math behind it, but the concept is more or less the same.

 

Thanks,

Octavian

0 Helpful

Florin Barhala
Level 6
Level 6
In response to adamgibs7

‎03-20-2018 02:15 AM

Lucky for me :) I stayed away of cert_based VPNs : ))
I would fully rely on the config guide, you should find there step by step configuration. Did you read it?
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card