FMC managed FTDs site to site VPN using certs configuration

michael18
Level 1

I'm trying to replace a site-to-site VPN using PSK with certificates. We have an internal CA that I am using.

I found a similar post here, but when I deploy, the FMC shows a deploy error on the head-end FTD saying the cert needs to be enrolled.

Is there a document on how to configure site-to-site VPN using FTDs managed by FMC and using certs rather than PSK?

8 Replies

Hi Rob

Thanks for the info. I've followed the sections Manual Enrollment and Manual Certificate Renewal.

I can see the cert on the remote FTD now via the CLI, but when I change the config to use the cert, the FMC still shows the error when deploying the change.

Capture.JPG


@michael18 So once you've defined the manual enrollment, you then had the CSR signed and imported the Identity Certificate to complete the process? Once you've done that, the status will be as per the image below.

RobIngram_0-1683036800353.jpeg

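The enrollment sequence described in the reply above (manual enrollment trustpoint, CSR signed by the internal CA, identity certificate imported) can be sanity-checked offline before anything is pasted back into FMC. The script below is an added example, not part of the original thread and not Cisco code: it builds a throwaway internal CA and a CSR standing in for the one the FTD exports, signs it, and then checks that the identity certificate both chains to the CA certificate and carries the public key from the CSR. It also constructs two certificates that look plausible but are wrong (signed by an unrelated CA; right CA but from a different key pair) to show both checks rejecting them. The names (DCFPR2140, "Lab Internal CA") are illustrative assumptions borrowed from the thread, and the OpenSSL command line is assumed to be available.

```shell
#!/bin/sh
# Added example, not Cisco code: offline sanity checks for a manually
# enrolled FTD identity certificate. All keys and certificates below are
# constructed here as stand-ins; the CN values are illustrative assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Stand-in for the internal CA that signs device certificates.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Lab Internal CA" -keyout ca.key -out ca.crt >/dev/null 2>&1

# Stand-in for the CSR the FTD produces under Manual Enrollment
# (the private key stays on the device; only the CSR is exported).
openssl req -newkey rsa:2048 -nodes -subj "/CN=DCFPR2140" \
  -keyout ftd.key -out ftd.csr >/dev/null 2>&1

# The CA signs the CSR: this is the Identity Certificate you paste back.
openssl x509 -req -in ftd.csr -CA ca.crt -CAkey ca.key -set_serial 1001 \
  -days 365 -out ftd.crt >/dev/null 2>&1

# Two ways an import can go wrong:
#   wrong-ca.crt   same CSR, but signed by an unrelated CA
#   wrong-key.crt  right CA and same CN, but from a different CSR/key pair
openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
  -subj "/CN=Other CA" -keyout other.key -out other.crt >/dev/null 2>&1
openssl x509 -req -in ftd.csr -CA other.crt -CAkey other.key -set_serial 2002 \
  -days 365 -out wrong-ca.crt >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=DCFPR2140" \
  -keyout other-ftd.key -out other-ftd.csr >/dev/null 2>&1
openssl x509 -req -in other-ftd.csr -CA ca.crt -CAkey ca.key -set_serial 3003 \
  -days 365 -out wrong-key.crt >/dev/null 2>&1

# check_identity_cert CA_CERT CSR IDENTITY_CERT
# Succeeds only if the identity certificate chains to CA_CERT and its
# public key is the one in the CSR the device generated.
check_identity_cert() {
  ca=$1; csr=$2; cert=$3
  openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1
  csr_pub=$(openssl req -in "$csr" -pubkey -noout 2>/dev/null)
  cert_pub=$(openssl x509 -in "$cert" -pubkey -noout 2>/dev/null)
  [ -n "$csr_pub" ] && [ "$csr_pub" = "$cert_pub" ]
}

for c in ftd.crt wrong-ca.crt wrong-key.crt; do
  if check_identity_cert ca.crt ftd.csr "$c"; then
    echo "$c: OK, chains to ca.crt and matches ftd.csr"
  else
    echo "$c: REJECT, not the identity certificate for this trustpoint"
  fi
done
```

In practice you would run `check_identity_cert` with the CA certificate you loaded into the trustpoint, the CSR you copied out of FMC, and the certificate the CA returned; a certificate that fails either check is not the identity certificate that belongs to that trustpoint, however valid it looks on its own.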

Yes, that all worked as expected.

Capture2.JPG

@michael18 looks ok. You selected the desired certificate under the VPN topology configuration? What is the output of "show crypto ca trustpoints" on the CLI of the FTD?

Hi Rob. Yes, the correct cert has been applied to the VPN.

Capture4.JPG

Show output on the remote FTD:

Capture3.JPG

Thanks


It's the head end that seems to be the problem. I'm testing this with an FTD connected to broadband. The remote end is called test-vpn-lab. The head end is an active FTD 2140 called DCFPR2140.

Capture.JPG