IPsec VTI + PKI

hmdavies
Level 1

I have set up a lab using static VTIs and shared secrets; now I want to move this to use certs for authentication. Is this possible?

Current config is below:

crypto isakmp policy 1
 authentication pre-share
crypto isakmp key t3stk3yf0rp0cl4b0nly address 0.0.0.0 0.0.0.0
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set poc-transform-set-1 esp-aes 256 esp-md5-hmac
 mode transport
!
crypto ipsec profile poc-ipsecprofile1
 set transform-set poc-transform-set-1
!
interface Tunnel200
 ip address 10.169.3.26 255.255.255.252
 keepalive 1 3
 tunnel source Loopback200
 tunnel destination 61.1.1.6
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile poc-ipsecprofile1
!

1 Reply

jan.nielsen
Level 7

Certainly, once your routers have a certificate, all you need is to remove the wildcard pre-shared key and the IKE policy 1, and create one with something like:

crypto isakmp policy 10
 hash md5
 authentication rsa-sig
 encryption aes 256
 group 5
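As an added example that is not part of the original thread, this is one way the lab config from the question could look after the change the reply describes: enrolling the router with a CA, removing the wildcard pre-shared key and policy 1, and adding an rsa-sig policy. The CA URL, trustpoint name, key label and subject name are assumed placeholders, and it uses sha256 / group 14 rather than the md5 / group 5 shown in the reply as stronger choices; the existing transform set, IPsec profile and Tunnel200 are left untouched.

```cisco
! Assumed: a SCEP-capable CA at http://192.0.2.10 (placeholder address),
! trustpoint name LAB-CA, and the poc-ipsecprofile1 / Tunnel200 config
! from the question already in place.
!
! 1. Dedicated RSA key pair for the router's VPN certificate
crypto key generate rsa label LAB-VPN-KEY modulus 2048
!
! 2. Trustpoint: where to enroll, what DN to request, how to check revocation
crypto pki trustpoint LAB-CA
 enrollment url http://192.0.2.10:80
 subject-name CN=router-a.lab.example,OU=POC
 revocation-check crl
 rsakeypair LAB-VPN-KEY
!
! Fetch and verify the CA certificate (compare the fingerprint out of band),
! then request the router certificate.
crypto pki authenticate LAB-CA
crypto pki enroll LAB-CA
!
! 3. Remove the wildcard pre-shared key and the pre-share policy from the question
no crypto isakmp key t3stk3yf0rp0cl4b0nly address 0.0.0.0 0.0.0.0
no crypto isakmp policy 1
!
! 4. Policy that authenticates peers with their certificates
!    (sha256 / group 14 are assumed here instead of md5 / group 5)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
! Present the certificate DN as the IKE identity instead of the IP address
crypto isakmp identity dn
!
! Verification (exec mode, after the tunnel re-establishes):
!   show crypto pki certificates   - CA and router certificates both listed
!   show crypto isakmp sa          - peer in QM_IDLE state
!   show crypto ipsec sa           - encaps/decaps counters increasing
```

The same steps are repeated on the peer at 61.1.1.6 against the same CA; the `keepalive` on Tunnel200 and `crypto isakmp keepalive` from the question stay as they are.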