cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
441
Views
5
Helpful
6
Replies

Site to Site VPN from FTD to a 3rd party using certificate not PSK

raycourtney
Beginner
Beginner

Hi

We have a requirement to set up a Site to Site VPN from FTD using FMC to a 3rd party using certificate not PSK.

I have set up 100's of VPNs on IOS and ASA with PSK but never with certs on a FTD.

Can anyone point me towards a resource/how-to?

 

A particular question is what certs to use at either end?  Do we just each get a cert from out local AD or do they need to come from the same CA?  or an internet CA?

 

Thanks for your help!!!

2 Accepted Solutions

Accepted Solutions

@raycourtney yes you need to exchange the CA certificates to trust the certificates.

You might need to network access the peer's CRL server if you want to perform certificate revocation checks, you don't have to do this however.

View solution in original post

@raycourtney  This or This guide might help you creating your local certificate and configuring the VPN. You would then need to go to objects > PKI > Trusted CAs to add the peer's CA certificate in order to establish trust when authenticating.

View solution in original post

6 Replies 6

Rob Ingram
VIP Master VIP Master
VIP Master

@raycourtney the certificates do not necessarily need to be issued by the same CA, the FTD just needs to trust both certificates. So upload the CA certificate of the CA that signs your certificate and if different upload the CA certificate of the peer.

Thanks Rob.

So we don't need to be able to see each other's CA, we just need to exchange CA certs so that the VPN certs are trusted?

@raycourtney yes you need to exchange the CA certificates to trust the certificates.

You might need to network access the peer's CRL server if you want to perform certificate revocation checks, you don't have to do this however.

Thanks @Rob Ingram 

 

Are there any good how-to guides for the FMC?

 

@raycourtney  This or This guide might help you creating your local certificate and configuring the VPN. You would then need to go to objects > PKI > Trusted CAs to add the peer's CA certificate in order to establish trust when authenticating.

Awesome!  Thanks for that  @Rob Ingram 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Recognize Your Peers