FMC managed FTDs site to site VPN using certs configuration

michael18
Beginner

I'm trying to replace site-to-site VPN using PSK with certificates. We have an internal CA that I am using.

I found a similar post here, but when I deploy, the FMC shows a deploy error on the head-end FTD saying the cert needs to be enrolled.

Is there a document on how to configure site-to-site VPN using FTDs managed by FMC and using certs rather than PSK?

8 Replies

Rob Ingram
VIP Master

Hi Rob

Thanks for the info. I've followed the sections Manual Enrolment and Manual Certificate Renewal.

I can see the cert on the remote FTD now via CLI, but when I change the config to use the cert the FMC still shows the error when deploying the change.

Capture.JPG

@michael18 so once you've defined the manual enrollment, you then had the CSR signed and imported the Identity Certificate to complete the process? Once you've done that the status will be as per the image below.

RobIngram_0-1683036800353.jpeg

Yes, that all worked as expected.

Capture2.JPG

@michael18 looks ok. You selected the desired certificate under the VPN topology configuration? What is the output of "show crypto ca trustpoints" on the CLI of the FTD?

Hi Rob. Yes, the correct cert has been applied to the VPN.

Capture4.JPG

Show output on the remote FTD:

Capture3.JPG

Thanks

It's the head end that seems to be the problem. I'm testing this with an FTD connected to a broadband line. The remote end is called test-vpn-lab. The head end is an active FTD2140 called DCFPR2140.

Capture.JPG
