Hi Ian,

ihadfield · ‎03-11-2014

Hello all,

I am trying to configure up a 2911 via the following link...

http://www.cisco.com/c/en/us/support/docs/security/flexvpn/115014-flexvpn-guide-cert-00.html

(AnyConnect to IOS Headend Over IPsec with IKEv2 and Certificates Configuration Example)

The only difference, is that I need the IOS router in the example (bsns-1941-4) to also be the IOS CA router (unlike the example which uses a different router, bsns-1941-3, as the CA). I am new to Client VPN and Certs so I am not sure what I am missing.

Is that even possible? Can a VPN headend use a certificate from itself (because it is the CA)? If so, what would that part of the configuration look like?

Thanks!

Ian

Marcin Latosiewicz · ‎03-12-2014

Hi Ian, Yes, you can do that. It's probably not the best idea for a big deployment :-) What you should do is enable IOS CA and create a new trustpoint using SCEP URL or local router. You will need to authenticate and enroll that trustpoint and reference it in the IKEv2 profile. M.

ihadfield · ‎03-13-2014

Thanks Marcin. Yeah, it is our OOB router so only about 4 people will be using it - not large at all. :-) I would have used another router as the CA but it is the only IOS router in the install (everything else is running NX-OS)

Do you have a good link on the CA set-up and enrolement procedure? I tried the link below but the 2911 does not have any of the "crypto ca" commands...

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/50282-ios-ca-ios.html

Thanks

ihadfield · ‎03-13-2014

Nevermind - replacing the "ca" with "pki"

AnyConnect to IOS Headend who is Also CA?