11-20-2018 02:38 AM - edited 02-21-2020 09:30 PM
Hi,
I would like to know how to integrate Palo Alto and a Cisco router for point-to-point IPsec.
I followed the link below for Palo Alto, and for the Cisco router I followed the attachment below, but it is not working yet.
I am not using a GRE tunnel; I use IPsec only and apply IPsec to the physical interface.
I want to know how to put the IPsec configuration in the Cisco router if Palo Alto is using IKEv2.
Please share with me IKE with CA authentication.
https://blog.webernetz.net/ipsec-site-to-site-vpn-palo-alto-cisco-router/
I am also confused by the IKEv2 profile commands.
crypto ikev2 profile RTR1-RTR2-PROFILE
 match identity remote fqdn RTR2.TEST   <== can I put an IP address here?
 identity local fqdn RTR1.TEST          <== can I put an IP address here? Is it the WAN address or the local address?
 authentication remote rsa-sig
 authentication local rsa-sig           <== why should we put this command?
 pki trustpoint CA-SVR
!
11-22-2018 12:54 AM
I'll have a look tonight; I am out of the office shortly. In the meantime, check out this post; it should provide some pointers on how to configure FlexVPN with certificates.
11-22-2018 03:55 AM - edited 11-22-2018 04:09 AM
Hi,
I thought it was a certificate error in phase 1.
I got the error below when I tested locally. Please see my CA below.
*Nov 22 19:12:17: %PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID: Certificate chain validation has failed. The certificate (SN: 5500000022714B1CD619EFCABB000000000022) is not yet valid. Validity period starts on 01:44:08 SGD Nov 23 2018
R1#sh crypto pki certificates
Certificate
  Status: Available
  Certificate Serial Number (hex): 5500000021CB515F84C900A61C000000000021
  Certificate Usage: General Purpose
  Issuer:
    cn=crypto-CASVR-CA-1
    dc=crypto
    dc=local
  Subject:
    Name: r1
    cn=r1
  CRL Distribution Points:
    ldap:///CN=crypto-CASVR-CA-1,CN=CASVR,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=crypto,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Validity Date:
    start date: 01:41:07 SGD Nov 23 2018
    end   date: 01:51:07 SGD Nov 23 2020
  Associated Trustpoints: my-ca

CA Certificate
  Status: Available
  Certificate Serial Number (hex): 3E4E0CD6A71F67A54DB01767A4C7F840
  Certificate Usage: Signature
  Issuer:
    cn=crypto-CASVR-CA-1
    dc=crypto
    dc=local
  Subject:
    cn=crypto-CASVR-CA-1
    dc=crypto
    dc=local
  Validity Date:
    start date: 18:08:09 SGD Oct 8 2018
    end   date: 18:18:08 SGD Oct 8 2023
  Associated Trustpoints: my-ca
11-23-2018 06:18 PM
Hi,
If I put some information in my CA trustpoint as below, what will happen? Will it pass authentication?
ip domain-name crypto.local
! exec command: generate the RSA key pair used by the trustpoint
crypto key generate rsa general-keys modulus 2048
crypto pki trustpoint my-ca
 enrollment terminal
 serial-number none
 ip-address none
 fqdn r1.crypto.local
 subject-name cn=r1.crypto.local
 revocation-check none
 rsakeypair my-ca 2048
! exec command: import and trust the CA certificate
crypto pki authenticate my-ca
And if I am using a certificate map, I will map as below.
crypto pki certificate map my-ca 10
 issuer-name co cn=crypto
If I am not using a certificate map, I will use the profile below.
crypto ikev2 profile profile1
 description IKEv2 profile
 ! "match address local dn" is not a valid command; the DN form of the local identity is set with "identity local dn"
 identity local dn
 match identity remote any
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint my-ca
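The following is an added, complete Cisco IOS example written for this thread; it is not configuration from the original posts or from the linked blog. It pulls together the three questions above: how to select the Palo Alto peer by IP address instead of FQDN in the IKEv2 profile, what the local identity should be, and why the clock matters for the PKI-3-CERTIFICATE_INVALID_NOT_YET_VALID error. Everything not taken from the posts is an assumption: the router WAN address 203.0.113.1, the Palo Alto WAN address 203.0.113.2, the LAN subnets 192.168.1.0/24 (router side) and 192.168.2.0/24 (Palo Alto side), the NTP server 203.0.113.10, the interface GigabitEthernet0/0, and the IKE/IPsec algorithm choices. The trustpoint and CA names are the ones shown in the posts. IPsec is applied with a crypto map directly on the physical interface, with no GRE, as the first post describes.

```cisco
! Added example (not from this thread). Assumed addresses: router WAN
! 203.0.113.1, Palo Alto WAN 203.0.113.2, LANs 192.168.1.0/24 and
! 192.168.2.0/24, NTP server 203.0.113.10.
!
! 1. Clock first. IOS refuses a certificate whose "start date" is later
!    than the router's own time, which is exactly what the log above shows
!    (router at Nov 22 19:12, certificate valid from Nov 23 01:44). Check
!    with "show clock detail" before enrolling; a leading "*" on the time
!    means the clock is not authoritative.
clock timezone SGT 8 0
ntp server 203.0.113.10
!
ip domain-name crypto.local
! exec mode: crypto key generate rsa general-keys label my-ca modulus 2048
!
crypto pki trustpoint my-ca
 enrollment terminal
 subject-name cn=r1.crypto.local
 fqdn r1.crypto.local
 serial-number none
 ip-address none
 revocation-check none
 rsakeypair my-ca
! exec mode: crypto pki authenticate my-ca   (paste the CA certificate)
! exec mode: crypto pki enroll my-ca         (sign the CSR on the CA, then
!            crypto pki import my-ca certificate)
!
! 2. Optional certificate map: accept only certificates issued by our CA.
!    "co" means "contains"; the value must not contain a stray space.
crypto pki certificate map MAP-OUR-CA 10
 issuer-name co cn=crypto-casvr-ca-1
!
! 3. IKEv2 proposal/policy. These must match the IKE Crypto profile on
!    the Palo Alto side (AES-256-CBC, SHA-256, DH group 14 here).
crypto ikev2 proposal PROP-PA
 encryption aes-cbc-256
 integrity sha256
 group 14
!
crypto ikev2 policy POL-PA
 proposal PROP-PA
!
! 4. IKEv2 profile. The peer is selected by its IP identity (its WAN
!    address, sent by the Palo Alto as Local Identification = IP).
!    "identity local address" is the router's own WAN address, not the
!    LAN address; the Palo Alto puts it in Peer Identification.
!    "match certificate" is ORed with "match identity remote", so the
!    peer is accepted if either selector matches.
!    Both "authentication ... rsa-sig" lines are needed: the first says
!    how we verify the peer, the second how we prove ourselves to it.
crypto ikev2 profile PROF-PA
 match identity remote address 203.0.113.2 255.255.255.255
 match certificate MAP-OUR-CA
 identity local address 203.0.113.1
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint my-ca
!
! 5. IPsec. Must match the IPSec Crypto profile on the Palo Alto side.
crypto ipsec transform-set TS-PA esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Interesting traffic: mirrors the Proxy ID configured on the Palo Alto.
ip access-list extended ACL-PA
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
!
crypto map CM-PA 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-PA
 set ikev2-profile PROF-PA
 match address ACL-PA
!
! 6. Apply on the physical WAN interface, no GRE.
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 crypto map CM-PA
```

Two caveats a practitioner would check. First, an IP-address identity is only as trustworthy as the certificate check behind it: with "match identity remote address" alone, any holder of a certificate chained to the trustpoint's CA that presents that IP as its ID is accepted, so pair it with the certificate map or a tighter "match identity" selector. Second, the router's certificate above carries no IP address (ip-address none), so when the router sends its WAN address as its IKE ID, the Palo Alto side must either be told to tolerate the mismatch between the IKE ID and the certificate contents, or the router should instead send an identity that is in the certificate (identity local dn, or identity local fqdn r1.crypto.local, with the Palo Alto Peer Identification set accordingly). Verify with "show crypto ikev2 sa detailed" and "show crypto ipsec sa" after the clock has been fixed and the certificate re-issued.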