amrzakaria
Beginner

vpn site to site using PKI

Hello Every Body,

I'm new to this forum and this is my first post here. I have a question about VPN site-to-site with RSA-SIG (using a CA).

My question is: in case I use that kind of infrastructure, after enrolling my certificates on my routers/FWs, do I have to keep connections between my routers or FWs and the CA, or, once the public certificates and identity certificates are installed on my router or firewall, is there no need to involve the CA any more? Actually, I don't really understand the connection mechanism concept. The other question is: in case I have to keep a connection between the CA and the routers/FWs, and I use my private CA, like a 2003 server, what are the best practices in this case? Do I have to publish that CA to be reachable from all sites over the internet, or set up a CA server in every site and extract the root certificate from one server and install it on the other CA servers in all sites?

And thanks so much for your help

AMR ZAKARIA

1 ACCEPTED SOLUTION

Jennifer Halim
Cisco Employee

You do not need to keep the connections between the routers/FW and the CA server. Once you have installed the CA server Root Certificate as well as the identity certificate that is requested, then no connection is required between the routers/FW and the CA server.

Here is a sample configuration for ASA site-to-site VPN with Certificate from Microsoft CA server for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

Hope this helps.


Thanks so much Jennifer for your quick reply. I will try the scenario in the upcoming hours and I will update this conversation again.

AMR

"You do not need to keep the connections between the routers/FW and the CA server. Once you have installed the CA server Root Certificate as well as the identity certificate that is requested, then no connection is required between the routers/FW and the CA server."

That is NOT true. What happens if you enable the Certificate Revocation List on the router/FW? In other words, you remove the "crl optional" from the configuration? How does the router determine if the certificate has been revoked?

I don't think he is talking about great depth, and hence he hasn't covered CRL.

I just finished testing the scenario. I established the VPN connection, then I switched off the interface of the CA server and, of course, cleared both the ISAKMP and IPsec associations of the tunnel. Then I pinged to test the connection while the CA was totally out of the network (interface down), and both routers established the tunnel again without any problems. So I think, as Jennifer mentioned, there is no need for the server after enrolling the certificates. BTW, the command "revocation-check crl" was enabled by default. I will try to upload my scenario topology and configuration later.

Thanks to all of you, it was a really helpful discussion.

AMR ZAKARIA

CCSP
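As an added illustration of the revocation-check objection raised earlier and of the test described in the last post (this is not configuration from the thread or from Cisco's linked document; the trustpoint name SITE-CA, the host ca.example.com and the subject name are assumed), here is an IOS trustpoint showing the three revocation-check settings and what each one means for CA reachability:

```cisco
! Added example (not from this thread or the linked Cisco document).
! Assumed names: trustpoint SITE-CA, CA/CDP host ca.example.com, subject CN=branch-rtr.
crypto pki trustpoint SITE-CA
 enrollment url http://ca.example.com:80
 subject-name CN=branch-rtr,O=Example
 !
 ! Option A (strict): the peer certificate is rejected unless a valid, unexpired CRL
 ! is available. The CA/CDP only has to be reachable when the cached CRL has expired
 ! (or has been cleared), which is why a short CA outage can go unnoticed in a test.
 revocation-check crl
 !
 ! Option B (best effort): try the CRL first; if the CDP cannot be reached, accept
 ! the peer anyway. This is the newer form of the old "crl optional" keyword.
 ! revocation-check crl none
 !
 ! Option C: no revocation checking. The CA is needed only at enrollment and
 ! re-enrollment time, but a compromised peer certificate stays valid until it expires.
 ! revocation-check none
```

Whether a tunnel comes up while the CA is down depends on whether the router still holds an unexpired cached CRL: `show crypto pki crls` lists the cached CRLs with their NextUpdate times, and `crypto pki crl request SITE-CA` forces a fresh download so the test exercises the CDP rather than the cache.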