07-11-2011 04:13 AM
Hello everybody,
I'm new to this forum and this is my first post here. I have a question about a site-to-site VPN with RSA-SIG (using a CA).
My question is: in case I use that kind of infrastructure, after enrolling my certificates on my routers/FWs, do I have to keep connections between my routers or FW and the CA, or, once the public certificates and identity certificates are installed on my router or firewall, is there no need to involve the CA any more? Actually, I don't really understand the connection mechanism concept. Another question: in case I have to keep a connection between the CA and the routers/FWs and I use my private CA, like a 2003 server, what are the best practices in this case? Do I have to publish that CA to be reachable from all sites over the internet? Or set up a CA server in every site, extract the root certificate from one server and install it on the other CA servers at all sites?
And thanks so much for your help
AMR ZAKARIA
07-11-2011 05:51 AM
You do not need to keep the connections between the routers/FW and the CA server. Once you have installed the CA server root certificate as well as the identity certificate that is requested, then no connection is required between the routers/FW and the CA server.
Here is a sample configuration for an ASA site-to-site VPN with a certificate from a Microsoft CA server for your reference:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aa5be1.shtml
Hope this helps.
07-11-2011 09:36 AM
Thanks so much Jennifer for your quick reply. I will try the scenario in the upcoming hours and I will update this conversation again.
AMR
07-11-2011 10:36 AM
"You do not need to keep the connections between the routers/FW and the CA server. Once you have installed the CA server Root Certificate as well as the identity certificate that is requested, then there is no connection requires between the routers/FW and the CA server."
That is NOT true. What happens if you enable the Certificate Revocation List on the router/FW? In other words, you remove the "crl optional" from the configuration? How does the router determine if the certificate has been revoked?
07-11-2011 11:56 AM
I don't think he is talking about great depth, and hence he hasn't covered the CRL.
07-13-2011 09:33 PM
I just finished testing the scenario. I established the VPN connection and then I switched off the interface of the CA server and of course cleared both the ISAKMP and IPsec associations of the tunnel. Then I pinged to test the connection while the CA was totally out of the network (interface down), and both routers established the tunnel again without any problems. So I think, as Jennifer mentioned, there is no need for the server after enrolling the certificates. BTW, the command "revocation-check crl" was enabled by default. I will try to upload my scenario topology and configuration later.
Thanks for all of you it was really helpful discussion.
AMR ZAKARIA
CCSP
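As an added illustration of the points raised in this thread (this is not configuration posted by any participant, nor Cisco's reference example), here is an IOS-style trustpoint and IKEv1 site-to-site configuration that makes the CA-dependency explicit. The trustpoint name, addresses, URL and subject name are assumed placeholders. The CA is contacted once at enrolment (authenticate fetches the root certificate, enroll requests the identity certificate); after that, whether the router ever needs to reach the CA again depends on the revocation-check setting. With the default "revocation-check crl", the router fetches the CRL from the distribution point named in the peer's certificate and caches it until its NextUpdate time, which is why a short CA outage, as in the test above, does not necessarily stop the tunnel from coming up, while a CRL that has expired in cache with the CDP unreachable does. The commented alternatives show the fallback form and the weak setting.

```text
! Added example, not from the thread. All names, addresses and the URL are placeholders.
! Trustpoint for a Microsoft CA reached via SCEP (mscep.dll path is the usual MS SCEP endpoint).
crypto pki trustpoint LAB-MSCA
 enrollment url http://192.0.2.10/certsrv/mscep/mscep.dll
 subject-name CN=router1.example.test,OU=Lab
 ! Default behaviour: full CRL check. The CRL is fetched from the CDP in the peer certificate
 ! and cached until its NextUpdate time; a short CA outage is tolerated, an expired cached CRL
 ! with an unreachable CDP makes peer authentication fail.
 revocation-check crl
 ! Fallback form: try the CRL first, accept the peer if the CDP cannot be reached
 ! (older IOS expressed this as "crl optional").
 ! revocation-check crl none
 ! Weak setting: no revocation checking, a revoked peer certificate is still accepted.
 ! revocation-check none
!
! One-time enrolment steps that do need the CA reachable (run from exec mode):
!   crypto pki authenticate LAB-MSCA   (downloads and verifies the CA root certificate)
!   crypto pki enroll LAB-MSCA         (submits the CSR and installs the identity certificate)
!
! IKEv1 policy using certificate authentication (rsa-sig is the IOS default, shown for clarity).
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
ip access-list extended VPN-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.2
 set transform-set TS
 match address VPN-ACL
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map VPNMAP
!
! Verification commands for the points discussed above:
!   show crypto pki certificates   (root and identity certificate installed, no CA needed)
!   show crypto pki crls           (cached CRL and its NextUpdate time; explains tunnel behaviour
!                                   while the CA is down)
```

To reproduce the test in the last post in a controlled way, note the NextUpdate time shown by "show crypto pki crls" before taking the CA offline: the tunnel re-establishes while that time has not passed, and the difference between "revocation-check crl", "revocation-check crl none" and "revocation-check none" only becomes visible after it has.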