Site to Site VPN from FTD to a 3rd party using certificate not PSK

raycourtney (Level 1)

Hi

We have a requirement to set up a Site to Site VPN from FTD using FMC to a 3rd party using certificate not PSK.

I have set up hundreds of VPNs on IOS and ASA with PSK but never with certs on an FTD.

Can anyone point me towards a resource/how-to?


A particular question is what certs to use at either end? Do we just each get a cert from our local AD, or do they need to come from the same CA? Or an internet CA?


Thanks for your help!!!


@raycourtney the certificates do not necessarily need to be issued by the same CA; the FTD just needs to trust both certificates. So upload the CA certificate of the CA that signs your certificate and, if different, upload the CA certificate of the peer.

Thanks Rob.

So we don't need to be able to see each other's CA, we just need to exchange CA certs so that the VPN certs are trusted?

@raycourtney yes you need to exchange the CA certificates to trust the certificates.

You might need network access to the peer's CRL server if you want to perform certificate revocation checks; you don't have to do this, however.
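The two answers above (certificates need not come from the same CA as long as each side trusts the other's CA, and revocation checking is an optional extra step) can be shown end to end with Go's standard crypto/x509 package. This is an added illustration, not code from the thread or from Cisco: it constructs two independent CAs with made-up names ("Our-AD-CA" and "Partner-CA"), issues a peer identity certificate from the partner CA, and then checks that the peer is rejected while only our CA is in the trust pool, accepted once the partner CA is added (the equivalent of the Trusted CAs store), and flagged as revoked by a CRL the partner CA signs. The names, serial numbers and the CRL contents are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Validity window shared by every constructed certificate and CRL below.
var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour)

// mustCert turns CreateCertificate's DER output into a parsed certificate.
func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// newCA builds a self-signed CA: a constructed stand-in for a local AD CA or the peer's CA.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// issueIdentity issues a VPN peer identity certificate signed by ca.
func issueIdentity(cn string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
}

// trusted models the Trusted CAs store: the peer is accepted only if it chains to a CA in pool.
func trusted(peer *x509.Certificate, pool *x509.CertPool) bool {
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// revokedByCRL is the optional revocation step: confirm the CRL is signed by the issuing CA, then look up the serial.
func revokedByCRL(peer *x509.Certificate, crlDER []byte, issuer *x509.Certificate) bool {
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		panic(err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		panic(err) // a CRL the expected CA did not sign must not be consulted
	}
	for _, entry := range crl.RevokedCertificates {
		if entry.SerialNumber.Cmp(peer.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

// scenario reproduces the two-CA setup: trusted with only our CA, trusted with both CAs, revoked on the peer CA's CRL.
func scenario() (onlyOurCA, bothCAs, revoked bool) {
	ourCA, _ := newCA("Our-AD-CA")           // constructed name
	peerCA, peerCAKey := newCA("Partner-CA") // constructed name
	peerCert := issueIdentity("vpn.partner.example", 42, peerCA, peerCAKey)
	ours, both := x509.NewCertPool(), x509.NewCertPool()
	ours.AddCert(ourCA)
	both.AddCert(ourCA)
	both.AddCert(peerCA)
	// The partner later publishes a CRL revoking serial 42 (constructed).
	crl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: notBefore, NextUpdate: notAfter,
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: big.NewInt(42), RevocationTime: time.Now()}}}
	crlDER, err := x509.CreateRevocationList(rand.Reader, crl, peerCA, peerCAKey)
	if err != nil {
		panic(err)
	}
	return trusted(peerCert, ours), trusted(peerCert, both), revokedByCRL(peerCert, crlDER, peerCA)
}

func main() {
	fmt.Println(scenario()) // false true true
}
```

The point the example makes for the FTD case is the same as Rob's: the trust decision depends only on which CA certificates are loaded on the firewall, so neither side needs reachability to the other's CA for the tunnel to authenticate. The CRL lookup in revokedByCRL is the one step that would need network access to the peer's CRL distribution point, which is why it stays optional; note that it first checks the CRL signature, since a CRL that the issuing CA did not sign tells you nothing.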

Thanks @Rob Ingram 


Are there any good how-to guides for the FMC?


@raycourtney This or This guide might help you create your local certificate and configure the VPN. You would then need to go to Objects > PKI > Trusted CAs to add the peer's CA certificate in order to establish trust when authenticating.

Awesome! Thanks for that @Rob Ingram
