Configuring Site to Site IPSec with CA support

o.oresotu
Level 1

I'm going through an MPLS cloud to connect to a remote router. I therefore want to configure IPSec with CA support to secure my VPN link. After configuring IPSec and the CA, I noticed that the CA server is not issuing a new certificate to the routers but gives its own (server) certificate, and hence IPSec is not encrypting traffic. What could I be doing wrong? Find attached the config of the routers.

2 Replies

nikhil_m
Level 1

Could you find what was wrong? Thanks.

Your configuration looks like an interesting blend of authentication options. You say that you want to use certificates, so here goes:

1. In your isakmp policy, you shouldn't need to specify an authentication method, because certificates are the default.

2. If you are using certificates, there are two processes that you need to complete with the CA: the authentication phase (crypto ca authenticate domain.name) and an enrollment phase (crypto ca enroll domain.name). When you complete the first phase, you receive the CA certificate, as appears in your key chain; you won't receive your router's own certificate until you complete the enrollment phase.

Like I said, I'm a little concerned that you have a mix of authentication commands on your router. If you are looking at a single point-to-point encrypted link, then encrypted nonces may be a better option than certificates, as it doesn't require any trust in a third party (the CA).
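
The two conditions raised in the reply above (a certificate chain holding only the CA certificate, and a mix of IKE authentication methods) can be checked against a saved running-config. This is an added example, not part of the original thread; the sample config is constructed, the `audit` function is hypothetical, and the rsa-sig default is taken from the reply's statement that certificates are the default.

```python
import re

# Constructed running-config excerpt (not the poster's attached config).
SAMPLE_CONFIG = """\
crypto ca identity domain.name
 enrollment url http://ca.example.invalid
crypto ca certificate chain domain.name
 certificate ca 01
  30820201 3082016A
  quit
crypto isakmp policy 10
 authentication pre-share
crypto isakmp policy 20
 encryption 3des
"""

def audit(config):
    """Return findings for unenrolled trustpoints and mixed IKE authentication."""
    chains, policies, section = {}, {}, None
    for line in config.splitlines():
        if not line.startswith(" "):  # a top-level command opens a new section
            section = None
            if m := re.match(r"crypto (?:ca|pki) certificate chain (\S+)", line):
                section = chains.setdefault(m.group(1), {"ca": False, "identity": False})
            elif m := re.match(r"crypto isakmp policy (\d+)", line):
                # Assumption taken from the reply: certificates (rsa-sig) are the
                # default, so a policy with no "authentication" line uses them.
                section = policies.setdefault(m.group(1), {"auth": "rsa-sig"})
            continue
        tok = line.split()
        if section is None or len(tok) < 2:
            continue
        if "auth" in section and tok[0] == "authentication":
            section["auth"] = tok[1]
        elif "ca" in section and tok[0] == "certificate":
            if tok[1] == "ca":
                section["ca"] = True  # stored by "crypto ca authenticate"
            elif re.fullmatch(r"[0-9A-Fa-f]+", tok[1]):
                section["identity"] = True  # stored by "crypto ca enroll"
    findings = [f"{name}: CA certificate only, enrollment not completed"
                for name, c in chains.items() if c["ca"] and not c["identity"]]
    methods = sorted({p["auth"] for p in policies.values()})
    if len(methods) > 1:
        findings.append("mixed IKE authentication: " + ", ".join(methods))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample it reports both conditions; once an identity certificate entry is present in the chain, only the mixed-authentication finding remains.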
