Site to Site VPN with Digital Certificate
-
Hi guys,
My friend has some doubts about ASA site-to-site VPN and was looking for answers on some forums; he forwarded me the query, and I thought of posting it to the ML to see if I could help him.
Please check below request:
*I would like to know the requirements for configuring site-to-site VPN with digital certificates.
We have 3 geolocations and they are connected with site-to-site VPN. Currently we are using a pre-shared key for authentication. To make it more secure we are planning to use digital certificates instead of the pre-shared key.
I really don't know which certificate can be used or how to configure it. I have some doubts regarding that and I request anyone to help me.
- Currently we have a wildcard certificate for remote VPN; can we use that certificate for site-to-site authentication?
- Do we require any CA server, like Microsoft CA Server?
- Does certificate authentication work in a fail-over scenario?
- Do I need to create a separate certificate for each ASA?
Please help me to configure digital certificate authentication with 3 ASA 5510. Our plan is to configure this without a CA server, using the current wildcard certificate.
I also request that you provide me the prerequisites for ASA site-to-site VPN certificate authentication, so that I can prepare a document based on that.*
Hoping to get some advice here to help him.
-
-
I've wondered this myself, but more generically than just Ciscos and ASAs.
I did this with Barracudas when I demoed them a few years ago. Each Barracuda had its own self-signed cert, and you imported the public portion into the remote side for authentication.
I'm not sure how it would work if both sides are using the same wildcard cert; I would think you would lose a large part of the security.
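The per-device self-signed exchange described in the reply above, modelled with openssl so the trust relationships can be checked offline. This is an added example, not configuration from the thread or from any vendor; the device names (asa-siteA, asa-siteB, rogue-box, shared, third-site) are constructed placeholders, and the openssl verify call stands in for the peer certificate check an IPsec gateway performs during IKE. It also carries the wildcard concern one step further: when two boxes present the same certificate, the check cannot tell which box is on the other end.

```shell
#!/bin/sh
# Added example (not from the thread). Each device gets its own key pair and
# self-signed identity certificate; the peer imports the public certificate
# as its only trust anchor and accepts nothing else.
set -e
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Generate a private key and self-signed certificate for one device.
# $1 = device name, used as the subject CN (constructed placeholder).
make_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
        -subj "/CN=$1" >/dev/null 2>&1
}

# Stand-in for the gateway's peer check: the only trust anchor is the cert
# we imported from the expected peer ($1); $2 is the cert the remote side
# presents. Prints "accept" or "reject".
peer_check() {
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo accept
    else
        echo reject
    fi
}

# One cert per box, as in the reply: siteA imports siteB's cert and vice versa.
make_identity asa-siteA
make_identity asa-siteB
make_identity rogue-box          # a box whose cert was never imported

peer_check asa-siteB asa-siteB   # accept: this is the peer siteA imported
peer_check asa-siteB rogue-box   # reject: unknown self-signed cert

# The wildcard question: one cert copied to every box. The trust anchor is
# the cert itself, so any holder of that key and cert passes the check and
# the gateway cannot tell siteB from some third box carrying the same file.
make_identity shared
cp "$WORK/shared.crt" "$WORK/third-site.crt"
cp "$WORK/shared.key" "$WORK/third-site.key"
peer_check shared third-site     # accept: indistinguishable from the real peer
```

Run it with `sh` on a host with openssl installed; it prints accept, reject, accept. The last line is the practical answer to "do I need a separate certificate for each ASA": with a shared certificate the identity check still succeeds, but it no longer identifies a specific peer.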