Question on VPN

themagicone

Alright I'm going through the CBT nuggets for CCNA:S. But here is a question that I'm stumped on. So you have 2 routers, say one in Phoenix and one in Tampa. The two routers are going to create a VPN together and are going to use Certificates. Well if the CA is in Phoenix, how does Tampa get a certificate that Phoenix will accept? Or do you have to manual install a certificate from Phoenix in Tampa?

I'll do some reading into, just a little confusing at this time. If both Tampa and Phoenix had their own CA, do you just add trust for each others CA? The Nugget didn't really covers this at all.

Thanks

instant000

themagicone wrote: »

Alright I'm going through the CBT nuggets for CCNA:S. But here is a question that I'm stumped on. So you have 2 routers, say one in Phoenix and one in Tampa. The two routers are going to create a VPN together and are going to use Certificates. Well if the CA is in Phoenix, how does Tampa get a certificate that Phoenix will accept? Or do you have to manual install a certificate from Phoenix in Tampa?

I'll do some reading into, just a little confusing at this time. If both Tampa and Phoenix had their own CA, do you just add trust for each others CA? The Nugget didn't really covers this at all.

Thanks

I'm not sure if the trusting of CA's is covered in the text or not (it probably is, but I read in scatterings, so my mind is not well-placed)

But, I can tell you this much

Trusts between CA's would mean that you are trusting someone else to provide an authority that only you should have. As soon as you allow this outside of your control, you are giving up all the control that the CA has in the first place. I have never seen this implemented. Most times I've read this, they hammer on-and-on about how you have to give CONTROL to the CA, and you have to TRUST the CA. Now, you're having all this control and trust diluted, if you then have this CA trusting a different CA ... what if their standards aren't as strict as yours?

What you'd probably see is this:

Router1: Phoenix
Router2: Tampa
CA1: Phoenix

Router1 and Router2 have both receiving their certificate enrollments from CA1. Keep in mind that the private certificate is generated on the device. You cannot view the private certificate, even for security purposes. It's not available for observation, only the public certificate is.

When Router1 wants to talk to Router2, it can ask CA1 for verification of the public certificate of Router2. This way, someone is vouching for Router2, instead of itself.

The same is happening in reverse, in that CA1 vouches for Router1, when Router2 wants to communicate with Router1.

Let me see if I can find something that will help you catch on to this:

Try these three links, they might help out some.

http://www.cisco.com/web/offer/emea/netacad/WSP01_Implementation_of_Security_Devices_JHigginsRSmith.ppt
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/ps6664/product_data_sheet0900aecd80313df7.pdf
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/ps6664/product_data_sheet0900aecd80313df4.pdf