Question on VPN

themagicone Member Posts: 674
Alright, I'm going through the CBT Nuggets for CCNA:S, but here is a question that I'm stumped on. So you have 2 routers, say one in Phoenix and one in Tampa. The two routers are going to create a VPN together and are going to use certificates. Well, if the CA is in Phoenix, how does Tampa get a certificate that Phoenix will accept? Or do you have to manually install a certificate from Phoenix in Tampa?

I'll do some reading into it; it's just a little confusing at this time. If both Tampa and Phoenix had their own CA, do you just add trust for each other's CA? The Nugget didn't really cover this at all.

Thanks
Courses Completed at WGU: JIT2, LYT2, TFT2, SJT2, BFC2, TGT2, FXT2
Courses Required For Me To Graduate WGU in MS: IT Network Management: MCT2, LZT2, MBT1, MDT2, MNT2
CU Done this term: 16 Total CU Done: 19
Currently working on: Nothing Graduation Goal: 5/2013

Comments

  • instant000 Member Posts: 1,745
    Alright, I'm going through the CBT Nuggets for CCNA:S, but here is a question that I'm stumped on. So you have 2 routers, say one in Phoenix and one in Tampa. The two routers are going to create a VPN together and are going to use certificates. Well, if the CA is in Phoenix, how does Tampa get a certificate that Phoenix will accept? Or do you have to manually install a certificate from Phoenix in Tampa?

    I'll do some reading into it; it's just a little confusing at this time. If both Tampa and Phoenix had their own CA, do you just add trust for each other's CA? The Nugget didn't really cover this at all.

    Thanks

    I'm not sure if the trusting of CAs is covered in the text or not (it probably is, but I read in scatterings, so my mind is not well-placed).

    But I can tell you this much:

    Trusts between CAs would mean that you are trusting someone else to provide an authority that only you should have. As soon as you allow this outside of your control, you are giving up all the control that the CA has in the first place. I have never seen this implemented. Most times I've read about this, they hammer on and on about how you have to give CONTROL to the CA, and you have to TRUST the CA. Now all this control and trust is diluted if you then have this CA trusting a different CA ... what if their standards aren't as strict as yours?

    What you'd probably see is this:

    Router1: Phoenix
    Router2: Tampa
    CA1: Phoenix

    Router1 and Router2 have both received their certificate enrollments from CA1. Keep in mind that the private certificate is generated on the device. You cannot view the private certificate, even for security purposes. It's not available for observation; only the public certificate is.

    When Router1 wants to talk to Router2, it can ask CA1 for verification of the public certificate of Router2. This way, someone is vouching for Router2, instead of itself.

    The same is happening in reverse, in that CA1 vouches for Router1, when Router2 wants to communicate with Router1.

    Let me see if I can find something that will help you catch on to this:

    Try these three links, they might help out some.

    http://www.cisco.com/web/offer/emea/netacad/WSP01_Implementation_of_Security_Devices_JHigginsRSmith.ppt
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/ps6664/product_data_sheet0900aecd80313df7.pdf
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/ps6664/product_data_sheet0900aecd80313df4.pdf
    Currently Working: CCIE R&S
    LinkedIn: http://www.linkedin.com/in/lewislampkin (Please connect: Just say you're from TechExams.Net!)
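The enrollment and trust model discussed above, as an added example that is not part of either post and not Cisco code: it uses Go's standard-library x509 package to model what an IOS trustpoint does. The CA names ("CA1 Phoenix", "CA2 Tampa"), the router name "tampa-rtr", the one-day validity and the small check() helper are all constructed for the example. enroll() mirrors SCEP (or cut-and-paste) enrollment: Tampa generates its key pair locally and sends only a certificate request, so nothing private ever travels to Phoenix; Phoenix then accepts Tampa's certificate because it holds CA1's certificate as a trust anchor. Scenario() also covers the two-CA question: a certificate from Tampa's own CA2 fails on Phoenix until CA2's certificate is installed there as an additional trust anchor (on IOS, a second trustpoint), which is the "add trust for each other's CA" case.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCA creates a self-signed CA certificate and its signing key. It stands in
// for the IOS CA server in the thread (CA1 in Phoenix, or a second CA in Tampa).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour), // constructed short lifetime
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// enroll models a router enrolling with a CA (what SCEP does on IOS). The router
// generates its own key pair and sends only a CSR, so the private key never
// leaves the device; the CA checks the CSR and signs the public key it carries.
func enroll(router string, serial int64, ca *x509.Certificate, caKey *ecdsa.PrivateKey) *x509.Certificate {
	routerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stays on the router
	check(err)
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: router}}, routerKey)
	check(err)
	// CA side from here on: parse the CSR and verify its self-signature (proof of key possession).
	csr, err := x509.ParseCertificateRequest(csrDER)
	check(err)
	check(csr.CheckSignature())
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      csr.Subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// verifyPeer is the check a router performs on the certificate its IKE peer
// presents: build a chain to a CA certificate installed locally as a trust anchor.
// Only the CA's public certificate is needed here; revocation checking (CRL/OCSP) is not modelled.
func verifyPeer(peer *x509.Certificate, anchors ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, ca := range anchors {
		roots.AddCert(ca)
	}
	_, err := peer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageIPSECTunnel}})
	return err
}

// Outcome records, from Phoenix's point of view, whether Tampa's certificate is accepted; the reverse direction is symmetric.
type Outcome struct {
	SingleCA           bool // Tampa enrolled with CA1 in Phoenix; Phoenix trusts CA1
	TwoCAsNoCrossTrust bool // Tampa enrolled with its own CA2; Phoenix trusts only CA1
	TwoCAsCrossTrust   bool // as above, but Phoenix also installed CA2 as a trust anchor
}

func Scenario() Outcome {
	ca1, ca1Key := newCA("CA1 Phoenix")
	ca2, ca2Key := newCA("CA2 Tampa")
	tampaViaCA1 := enroll("tampa-rtr", 2, ca1, ca1Key)
	tampaViaCA2 := enroll("tampa-rtr", 3, ca2, ca2Key)
	return Outcome{
		SingleCA:           verifyPeer(tampaViaCA1, ca1) == nil,
		TwoCAsNoCrossTrust: verifyPeer(tampaViaCA2, ca1) == nil,
		TwoCAsCrossTrust:   verifyPeer(tampaViaCA2, ca1, ca2) == nil,
	}
}

func main() {
	fmt.Printf("%+v\n", Scenario()) // {SingleCA:true TwoCAsNoCrossTrust:false TwoCAsCrossTrust:true}
}
```

The middle case is the one worth remembering: a perfectly valid certificate is rejected simply because the verifying router has no trust anchor for the CA that issued it, which is why the two-CA design needs each side to install the other site's CA certificate rather than anything from the peer router itself.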