Solved: vpn site to site using PKI

amrzakaria · ‎07-11-2011

Hello Every Body,

I’m new to this forum and this is my first post here, i have a question about vpn site to site with RSA-SIG (Using CA)

my question is in case that i will use that kind of infrastructure after enrolling my certificates to my routers/FWs do i have to keep connections between my routers or FW and CA or just when the public Certificates and identity certifies are installed on my router or firewall there is no need to involve the CA any more actually i don't really understood the connection mechanism concept , other question is about in case that i have to keep connection between CA and routers/FWs and i use my private CA like 2003 server what is the best practices in this case , do i have to publish that CA to be reached from all sites over internet ? or setup CA server in every site and extract root certificate from one server and install it on the other CA severs on all sites ?

And thanks so much for your help

AMR ZAKARIA

Jennifer Halim · ‎07-11-2011

You do not need to keep the connections between the routers/FW and the CA server. Once you have installed the CA server Root Certificate as well as the identity certificate that is requested, then there is no connection requires between the routers/FW and the CA server.

Here is a sample configuration for ASA site-to-site VPN with Certificate from Microsoft CA server for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

Hope this helps.

View solution in original post

Jennifer Halim · ‎07-11-2011

You do not need to keep the connections between the routers/FW and the CA server. Once you have installed the CA server Root Certificate as well as the identity certificate that is requested, then there is no connection requires between the routers/FW and the CA server.

Here is a sample configuration for ASA site-to-site VPN with Certificate from Microsoft CA server for your reference:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aa5be1.shtml

Hope this helps.

amrzakaria · ‎07-11-2011

thanks so much Jennifer for your quick reply i will try the scnario in upcoming hours and i will update this conversion again .

AMR

cciesec2011 · ‎07-11-2011

"

You do not need to keep the connections between the routers/FW and the CA server. Once you have installed the CA server Root Certificate as well as the identity certificate that is requested, then there is no connection requires between the routers/FW and the CA server."

that is NOT true. What happened if you enable Certification Revocation List on the router/FW? In other words, you remove the "crl optional" from the configuration? How does the router determine if the certificate has been revoked?

communication.boy · ‎07-11-2011

I dont think he is talking about great depth and hence he hasnt covered CRL

amrzakaria · ‎07-13-2011

I just finished testing the scenario , i established the vpn connection and then i switched off the interface of the CA server and of course cleared both isakmp and IPsec Association of the tunnel then I ping to test the connection while CA is totally out of the network (interface down) and both routers established the tunnel again without any problems so i think as Jennifer mentioned no need for the server after enrolling the certificates BTW command " revocation-check crl " by default was enabled , I will try to upload my scenario topology and configuration later .

Thanks for all of you it was really helpful discussion.

AMR ZAKARIA

CCSP