IPSEC tunnel b/w ASA 5520 using certs

gil6ert
Level 1

Hi all

I have 2 ASA5520 in each rack running Active/Standby. The IPSEC tunnel b/w the racks using the PSK works fine; however, when trying to use digital certificates, I can't get past Ph1. My trustpoint seems to be configured correctly in each rack, holding the root CA and an identity cert for the relevant ASA imported against the trustpoint. Enrollment was done manually.

My debugs show that the tunnel is still trying to use PSK. I was running 7.2(1) and have upgraded to 7.2(2) today with no luck. I've posted a partial config and debug outputs. Any help would be appreciated.

2 Replies

ajagadee
Cisco Employee

Gilbert,

Do you have isakmp identity set as address or hostname? If you have "Isakmp Identity Address" in your PIX configuration, this could be one of the reasons for Phase 1 of your VPN tunnel not coming up.

You have to configure "Isakmp Identity Hostname" when using Certificates and rsa-sig.

In case you have VPN L2L tunnels or clients using pre-shared keys, then you could configure "Isakmp Identity Auto", then try to bring up the tunnel and see if it works.

Please refer to the URL for details on the command:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/ike.htm

Regards,

Arul

** Please rate all helpful posts **

Thanks for the tip Arul.

I do have client VPN using PSK also configured, therefore my identity was set to auto. I did however manage to get it to work with an engineer from the TAC. See below:

"crypto map Outside_map 1 set trustpoint ALMVPN" which maps it to the trustpoint.

tunnel-group 10.29.71.22 ipsec-attributes
 peer-id-validate cert <<
 chain <<
 trust-point ALMVPN

thanks mate.
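Putting the two replies together, here is an added example of the certificate-authenticated IKEv1 L2L configuration on one side (constructed for this thread, not the poster's or the TAC engineer's config). The trustpoint name ALMVPN, the peer 10.29.71.22 and the crypto map name Outside_map come from the thread; the interface name Outside, the ACL L2L_ACL, the transform set ESP-AES-SHA, the policy number and the subnets are assumed.

```cisco
! Identity: "auto" sends the IP address for PSK peers and the certificate DN for
! rsa-sig peers, so PSK-based remote-access clients keep working (Arul's advice).
! "hostname" is the alternative when no PSK peers terminate on this ASA.
crypto isakmp identity auto
crypto isakmp enable Outside

! Phase 1 policy for the cert-authenticated tunnel: rsa-sig instead of pre-share.
! Keep a separate, higher-numbered pre-share policy if PSK peers still exist.
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400

! Phase 2 parameters and interesting traffic (assumed subnets).
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
access-list L2L_ACL extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0

! The crypto map entry must name the trustpoint holding this ASA's identity cert,
! otherwise the ASA has no certificate to offer and falls back to the PSK path.
crypto map Outside_map 1 match address L2L_ACL
crypto map Outside_map 1 set peer 10.29.71.22
crypto map Outside_map 1 set transform-set ESP-AES-SHA
crypto map Outside_map 1 set trustpoint ALMVPN
crypto map Outside_map interface Outside

! Tunnel group for the peer: validate the peer's identity against its certificate,
! send the full chain, and use the same trustpoint for our own identity.
tunnel-group 10.29.71.22 type ipsec-l2l
tunnel-group 10.29.71.22 ipsec-attributes
 peer-id-validate cert
 chain
 trust-point ALMVPN
```

After applying it on both ASAs, "show crypto ca certificates" should list the root CA and the identity certificate under ALMVPN, and "show crypto isakmp sa" should show the peer in the MM_ACTIVE state; "debug crypto isakmp" with rsa-sig no longer references a pre-shared key.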