Configuring site to site IPSec VPN with different SubCA

premnath2323
Level 1

I have 2 routers and want to configure a site-to-site IPsec tunnel between them by enrolling to different sub-CA trustpoints in each router. These sub-CAs have a common root CA.

e.g. the hierarchy is:

root CA - SubCA1

root CA - SubCA2

configuration in R1:

crypto pki trustpoint SubCA1
enrollment mode ra
enrollment url http://192.168.19.160:80/certsrv/mscep/mscep.dll
usage ike
serial-number
ip-address none
! subject-name takes an X.500 DN; the attributes are comma-separated
subject-name cn=ROUTER3,ou=abc,o=abc.net
revocation-check none
rsakeypair IPSEC_KEY

configuration in R2:

crypto pki trustpoint SubCA2
enrollment mode ra
enrollment url http://192.168.19.161:80/certsrv/mscep/mscep.dll
usage ike
serial-number
ip-address none
! subject-name takes an X.500 DN; the attributes are comma-separated
subject-name cn=ROUTER4,ou=abc,o=abc.net
revocation-check none
rsakeypair IPSEC_KEY

I will authenticate and enroll to each of the trustpoints in R1 and R2 (I will get a signed certificate and the cert chain). Should I also configure a trustpoint for the ROOT CA and authenticate it for IPsec to work?

1 Accepted Solution

Francesco Molino
VIP Alumni
Hi

You should have the full chain, then yes, create a trustpoint for RootCA to get the root certificate.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
3 Replies

Hi,

Thank you for the quick response. Suppose I have

Root-CA ---> Sub CA1 ----> Sub CA2

Root-CA ---> Sub CA3 ----> Sub CA4

This kind of certificate chain between peers: should I authenticate Sub-CA1 and root-CA in router1, and Sub-CA3 and root-CA in router2? Precisely, is it enough if I just have the root CA certificate, or do I need all intermediate CAs in the CSR's database?

You don't need all sub-CAs, as they all report to your RootCA. Normally, certificates given by your SubCA1 would be the same as the ones delivered by SubCA3. You will be able to authenticate using 1 cert signed by SubCA1 on one side and 1 cert signed by SubCA3 on the other side.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
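As an added illustration (not part of the thread, and not Cisco's or either poster's code), the script below builds a constructed two-branch PKI with openssl that mirrors the hierarchy in the question (root CA above SubCA1 and SubCA2, with ROUTER3 and ROUTER4 as the two peers) and then runs the chain checks an IKE peer effectively performs when it validates the other side's certificate: trusting only the root while the peer presents its sub-CA certificate, trusting the root but receiving no intermediate, and trusting only the other branch's sub-CA without the root. The CA names, the router DNs and the temporary directory are assumptions made for the demo; only the hostnames and DN attributes are taken from the question.

```shell
#!/bin/sh
# Added example (not from the thread): build a two-branch PKI with openssl
#   Root CA -> SubCA1 -> ROUTER3
#   Root CA -> SubCA2 -> ROUTER4
# and check which trust anchors let one peer validate the other's certificate.
# All names are constructed; key material lives in a temp dir removed on exit.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# gen_key_csr NAME SUBJECT: fresh RSA key and CSR for NAME in $WORK
gen_key_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "$2" >/dev/null 2>&1
}

# make_ca NAME [ISSUER]: self-signed root when ISSUER is omitted,
# otherwise a sub-CA certificate signed with ISSUER's key.
make_ca() {
    gen_key_csr "$1" "/O=abc.net/CN=$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/$1.ext"
    if [ $# -lt 2 ]; then
        openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
            -days 1 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
    else
        openssl x509 -req -in "$WORK/$1.csr" \
            -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
            -days 1 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
    fi
}

# make_router NAME ISSUER: end-entity (IKE peer) certificate, DN as in the post
make_router() {
    gen_key_csr "$1" "/CN=$1/OU=abc/O=abc.net"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > "$WORK/$1.ext"
    openssl x509 -req -in "$WORK/$1.csr" \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
        -days 1 -sha256 -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" >/dev/null 2>&1
}

# verify_leaf ANCHOR LEAF [INTERMEDIATES]: exit 0 when a chain from LEAF up to
# a self-signed certificate in ANCHOR can be built. INTERMEDIATES plays the
# role of the CA certificates the peer sends along with its own certificate.
verify_leaf() {
    if [ $# -ge 3 ]; then
        openssl verify -no-CApath -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# report LABEL ANCHOR LEAF [INTERMEDIATES]: human-readable result line
report() {
    label=$1; shift
    if verify_leaf "$@"; then echo "OK    $label"; else echo "FAIL  $label"; fi
}

make_ca RootCA
make_ca SubCA1 RootCA
make_ca SubCA2 RootCA
make_router ROUTER3 SubCA1
make_router ROUTER4 SubCA2

# R1 (enrolled under SubCA1) validating R2's certificate (issued by SubCA2):
report "root anchor, peer sends SubCA2 in its chain" "$WORK/RootCA.pem" "$WORK/ROUTER4.pem" "$WORK/SubCA2.pem"
report "root anchor, intermediate not sent"           "$WORK/RootCA.pem" "$WORK/ROUTER4.pem"
report "only SubCA1 trusted, no root anchor"          "$WORK/SubCA1.pem" "$WORK/ROUTER4.pem" "$WORK/SubCA2.pem"
```

Only the first check passes: the root certificate is the anchor that ties the two branches together, and the intermediate has to arrive with the peer's certificate (the "full chain" in the accepted answer). For the deeper hierarchy in the follow-up (Root-CA ---> Sub CA1 ----> Sub CA2), the `-untrusted` file simply holds both intermediates. Which CA certificates a given platform sends during the IKE exchange, and which it accepts as an anchor, is platform-specific; the script only shows the chain-building logic.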