How to force ASA to reference the certificate?

break Member Posts: 20
I'm trying to set up a VPN between two remote sites utilizing 5510 ASAs. The VPN will need to use PKI certificates instead of pre-shared keys. I have attempted to generate a certificate request, pass it to a computer set up as a "test" CA, put the cert on the ASAs and selected the certificate on the ASDM.

After I did this, I found that if I changed the pre-shared key, the VPN tunnel would not form. How can I force the ASA to reference the certificate rather than the pre-shared key? Additionally, can I install the same certificate on each firewall or do I have to generate a new request from each device?

I have been working on this for a while with no success. Thanks in advance.

Comments

  • phoeneous Member Posts: 2,333
    You created the cert from a PC and not the ASA? ASAs can create certs themselves.
  • apr911 Member Posts: 380
    As Phoeneous said, the ASA is capable of generating its own cert, but that doesn't mean you have to use it.

    Anyway, as to why you're still using the pre-shared key: it's probably because you don't have an ISAKMP policy configured to use RSA-SIG.

    You'll need to set up a new ISAKMP policy with a lower policy number, with authentication specified as RSA-SIG.
    Currently Working On: Openstack
    2020 Goals: AWS/Azure/GCP Certifications, F5 CSE Cloud, SCRUM, CISSP-ISSMP
  • break Member Posts: 20
    You were right. I had to change my isakmp policy to authentication rsa-sig. I'm still having difficulty figuring out how to generate the cert. The problem I face is that we are converting to using RSA-SIG and the signatures we are using have to be DoD approved, therefore coming from them and not my own ASA.
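An added configuration example, not posted by anyone in this thread, that puts apr911's fix (a higher-priority ISAKMP policy with rsa-sig) next to the pre-shared-key policy it overrides, and shows the terminal-enrollment steps behind break's question about where the certificate comes from. It uses the pre-8.4 `crypto isakmp` syntax the thread uses; the trustpoint name TEST-CA, key label VPN-KEY, subject name and peer address 203.0.113.2 are assumed placeholders.

```cisco
! Added example, not from the thread. Pre-8.4 ASA syntax (crypto isakmp ...).
! Assumed names: trustpoint TEST-CA, key label VPN-KEY, peer 203.0.113.2.

! --- Before: the only policy authenticates with a pre-shared key, so the
! --- installed certificate is never consulted during IKE phase 1.
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! --- After: enroll this ASA, then add a lower-numbered (higher-priority)
! --- policy that requires RSA signatures.
! Each ASA needs its own key pair and its own enrollment request: the
! certificate is bound to the private key that lives on that device, so one
! certificate cannot simply be copied to both firewalls.
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint TEST-CA
 enrollment terminal
 keypair VPN-KEY
 subject-name CN=asa-site-a.example.test
 ! no CRL check only because the test CA publishes none; enable it in production
 revocation-check none
! Paste the CA certificate when prompted:
crypto ca authenticate TEST-CA
! Prints a PEM request to hand to the (external) CA:
crypto ca enroll TEST-CA
! Paste the certificate the CA signed for this ASA:
crypto ca import TEST-CA certificate

crypto isakmp policy 5
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp identity auto
crypto isakmp enable outside

! Tell the L2L tunnel which trustpoint's certificate to present to this peer
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 trust-point TEST-CA

! Once "show crypto isakmp sa" shows the tunnel up with rsa-sig, the PSK
! policy can be removed so a fallback to pre-share is no longer possible:
! no crypto isakmp policy 10
```

Repeat the key generation, trustpoint and enrollment on the second ASA with its own subject name; `show crypto ca certificates` on each unit confirms which certificate and key pair it will present.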