Site-to-Site VPN with certificates

Hi everyone,

I have a remote user with an ASA-5505 which needs to establish VPN tunnels to two different ASA-5520s. The remote user has a dynamic IP for his outside address.

I can configure it to work with DefaultL2LGroup for the pre-shared-key, but that creates security conflicts with my remote VPN users which use DefaultL2LGroup.

Is there a way to use digital certificates which I can generate from each ASA-5520, and manually import the public keys into the ASA-5505?

I do have multiple ASA-5505s, but each only has to establish tunnels to the two different 5520s.

All the documentation I can find uses a Microsoft CA, and I want to set this up (unless it's a security breach) without one.

Is there a way to do this like with SSH where I can copy the public key to the remote end?

Thanks,

Carlos

1 Reply

Marcin Latosiewicz
Cisco Employee

Carlos,

Yes you can.

ASA supports both SCEP and copy-and-paste enrollment methods.

http://www.aboutcisco.biz/en/US/products/ps6120/products_configuration_example09186a00808a61cd.shtml

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

Please note that CRL/OCSP has to be publicly available in a scenario like this (or checking disabled).

Marcin

edit: spelling and added links.
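Added example, not part of the original thread or of the linked Cisco documents: one way to do the copy-and-paste (terminal) enrollment Marcin describes without any CA, using a self-signed certificate on each ASA and pasting each peer's certificate into a trustpoint on the other side, which is the SSH authorized_keys model Carlos asks about. Hostnames, IP addresses, trustpoint and map names, and the subnets are made up for illustration; the syntax is IKEv1 in ASA 8.2-style form (before the ikev1 keywords introduced in 8.4). The certificate map at the end is what keeps the 5505 out of DefaultL2LGroup: the peer is steered to its own tunnel-group by the CN in its certificate.

```cisco
! ===== ASA-5520 side (static hub). Example values only. =====
! 1. Key pair and self-signed identity certificate for this 5520.
crypto key generate rsa label L2L-KEY modulus 2048
crypto ca trustpoint SELF
 enrollment self
 subject-name CN=asa5520a.example.net
 keypair L2L-KEY
 exit
crypto ca enroll SELF noconfirm
! 2. Print the certificate in PEM form; copy it to the 5505.
crypto ca export SELF identity-certificate

! 3. Trust the 5505's self-signed certificate. A self-signed cert has no
!    CRL or OCSP responder, so revocation checking must be disabled here.
crypto ca trustpoint PEER-5505-CARLOS
 enrollment terminal
 revocation-check none
 exit
crypto ca authenticate PEER-5505-CARLOS
! <paste the PEM exported from the 5505 here, then type quit>
quit

! 4. IKEv1 with RSA signatures; dynamic crypto map for the dynamic-IP peer.
crypto isakmp enable outside
crypto isakmp identity auto
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-5505 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-5505
crypto map OUTSIDE-MAP interface outside

! 5. Steer this peer into its own tunnel-group by certificate subject,
!    so it does not land in DefaultL2LGroup.
crypto ca certificate map CERT-5505-CARLOS 10
 subject-name attr cn eq asa5505-carlos.example.net
 exit
tunnel-group TG-5505-CARLOS type ipsec-l2l
tunnel-group TG-5505-CARLOS ipsec-attributes
 trust-point SELF
 peer-id-validate req
 exit
tunnel-group-map enable rules
tunnel-group-map CERT-5505-CARLOS 10 TG-5505-CARLOS

! ===== ASA-5505 side (dynamic IP). Example values only. =====
crypto key generate rsa label L2L-KEY modulus 2048
crypto ca trustpoint SELF
 enrollment self
 subject-name CN=asa5505-carlos.example.net
 keypair L2L-KEY
 exit
crypto ca enroll SELF noconfirm
! Paste the output of this command into both 5520s (step 3 above).
crypto ca export SELF identity-certificate

! One trustpoint per 5520, holding that 5520's self-signed certificate.
crypto ca trustpoint PEER-5520A
 enrollment terminal
 revocation-check none
 exit
crypto ca authenticate PEER-5520A
! <paste the PEM exported from 5520 A, then type quit>
quit
! Repeat the trustpoint and authenticate steps as PEER-5520B for the second 5520.

crypto isakmp enable outside
crypto isakmp identity auto
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
access-list L2L-TO-5520A extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
crypto map OUTSIDE-MAP 10 match address L2L-TO-5520A
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 trust-point SELF
 peer-id-validate req
 exit
! Add a second crypto map entry and tunnel-group for 5520 B in the same way.
```

Two points to keep in mind with this layout. First, because there is no CA, the trustpoints on the 5520s are the whole trust store: a lost or compromised 5505 certificate is revoked only by removing its trustpoint there (no crypto ca trustpoint PEER-5505-CARLOS), exactly as one would delete a key from authorized_keys, and revocation-check none is not a weakening but a statement that this is how revocation works here. Second, self-signed certificates expire like any other; show crypto ca certificates shows validity dates on both ends, and show crypto isakmp sa plus debug crypto ca are the first places to look when a peer stops authenticating after a certificate is regenerated.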
