Site to Site VPN with rsa-sig

Thomas Schmitt (Level 1)

Hello

I can't understand why I have to attach the trustpoint to the crypto map, like this:

ASA(config)# crypto map <MAP> <10> set trustpoint <CA>

I mean, on IOS it works fine without this configuration. So if this is a security issue, then we should NOT use RSA signature authentication on IOS. If it is secure without this command, then why is it here and why do I have to use it (without it I was not able to establish an IPsec tunnel between 2 ASAs)?

So what does this command do, and why do we need it only on the ASA?

Thanks

2 Replies

Andrew Phirsov (Level 7)

This is needed when the ASA acts as the initiator of a VPN tunnel.

In that case, by default there is no tunnel-group associated with outgoing connections, and the authentication attributes cannot be properly defined if you don't define them using this command.

Dmytro,

To begin with, the ASA and the Router are two different devices, so you cannot expect the same behavior from both.

On the other hand, please check this out:

crypto map set trustpoint

To specify the trustpoint that identifies the certificate to send for authentication during Phase 1 negotiations for the crypto map entry, use the crypto map set trustpoint command in global configuration mode.

This crypto map command is valid only for initiating a connection.

So it has to be in your configuration.

HTH.

Portu.
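To make the two answers concrete, here is an added example of where the trustpoint is referenced on each side of an ASA-to-ASA IKEv1 tunnel with RSA signature authentication. It is not configuration from this thread or from the original poster; all names (LAB-CA, VPN-KEY, OUTSIDE-MAP, VPN-TS, VPN-ACL), addresses (RFC 5737 ranges) and the `ikev1`-prefixed syntax (ASA 8.4 or later) are assumptions.

```text
! --- constructed example: hypothetical names and documentation addresses ---
! Trustpoint holding this ASA's identity certificate and the CA chain
crypto ca trustpoint LAB-CA
 enrollment terminal
 subject-name CN=asa1.example.test
 keypair VPN-KEY
!
! Phase 1: certificate-based authentication instead of a pre-shared key
crypto ikev1 policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
!
crypto ipsec ikev1 transform-set VPN-TS esp-aes-256 esp-sha-hmac
access-list VPN-ACL extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0
!
crypto map OUTSIDE-MAP 10 match address VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set ikev1 transform-set VPN-TS
! Initiator side: the certificate this ASA presents when it starts the tunnel
! (the command discussed in the thread; there is no tunnel-group to consult yet)
crypto map OUTSIDE-MAP 10 set trustpoint LAB-CA
crypto map OUTSIDE-MAP interface outside
!
! Responder side: the tunnel-group matched on the incoming peer supplies the trustpoint
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev1 trust-point LAB-CA
```

After applying both halves, `show crypto ca certificates` confirms the identity certificate is present under LAB-CA and `show crypto ikev1 sa` shows whether Phase 1 completed. Since the documentation quoted above says `set trustpoint` is consulted only when initiating, an ASA that only ever responds can appear to work without it while the same box fails as soon as it has to bring the tunnel up itself, which matches the symptom described in the question.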