Site-to-Site VPN Setup Using PKI

ASDM supports VPN tunnels that use RSA signatures (PKI) for IKE authentication. Before such a site-to-site tunnel can be set up, the certificates must already be installed on Cisco ASA and known to ASDM. If they are not, follow the steps in this section to obtain both the root (CA) certificate and the identity certificate from the certificate authority (CA). Figure 21-11 illustrates two Cisco ASAs set up for a site-to-site tunnel using PKI. The CA server sits on the outside network, reachable through the outside interfaces of both Cisco ASAs, at 209.165.202.130.

Figure 21-11. Site-to-Site Tunnel Using PKI

Most steps in setting up a site-to-site tunnel using PKI are identical to those discussed in the previous section. The following steps are used to retrieve the certificates from a CA server:

Step 1.

Generate the RSA keys.

If Cisco ASA does not have RSA keys generated, or if you want to create new keys, choose Configuration > Features > Device Administration > Certificate > Key Pair and click Add to create a new key pair, as shown in Figure 21-12. ASDM prompts you to specify a label for the keys or to use the default RSA key name. Additionally, you can select the modulus size and the usage of the key. A modulus size of 1024 bits is selected in this example. Note that 1024-bit RSA is no longer considered adequate (NIST has disallowed it for generating new signatures since 2013, and most CAs refuse to sign such keys), so use 2048 bits or larger on a current deployment.

Figure 21-12. Generating the RSA Keys

Step 2.

Configure the trustpoint.

The next step after generating the RSA keys is to configure the PKI trustpoint. A trustpoint declares a CA server and creates a device identity based on the certificate issued by that CA. Choose Configuration > Features > Device Administration > Certificate > Trustpoint > Configuration to create a trustpoint. Click Add to define a trustpoint, called ChicagoPKI in the example, and enter the enrollment settings, as shown in Figure 21-13. In the Key Pair field, the administrator is using the default RSA keys that were generated in Step 1. The enrollment mode is set to automatic, in which Cisco ASA submits the certificate request dynamically using the Simple Certificate Enrollment Protocol (SCEP). The enrollment URL tells Cisco ASA where to submit the request: http://209.165.202.130/certsrv/mscep/mscep.dll. SCEP runs over plain HTTP; the enrollment messages themselves are signed and encrypted, but the CA certificate is downloaded without any authentication, which is why the fingerprint check described in Step 4 is essential.

Figure 21-13. Setting Up an Enrollment URL

Note

Each CA server vendor uses a different enrollment URL. Please consult the CA server documentation for the correct syntax.

You can optionally set the Fully Qualified Domain Name (FQDN) and Distinguished Name (DN) that will be placed in the certificate request. Click the Certificate Parameters button to specify the FQDN, the DN, or both, as shown in Figure 21-14, where a DN with a Common Name (CN) attribute of Chicago is being configured. Choose values that unambiguously identify this Cisco ASA, because the subject name is what the peer sees when it validates the certificate.

Figure 21-14. Specifying a DN

Step 3.

Set up CRLs.

A certificate revocation list (CRL) is a list of all the certificates that the CA server's administrator has revoked before their expiration date. Cisco ASA can use this list to validate a certificate received from the VPN peer. If the received certificate has been revoked, Cisco ASA rejects the IKE negotiation. Cisco ASA can obtain the CRL either from the CRL distribution point (CDP) URL embedded in the received certificate or from a statically configured URL; in either case the retrieved CRL is honored only if it is signed by the trustpoint's CA. In Figure 21-15, Cisco ASA is relying on the CDP embedded in the certificate.

Figure 21-15. Specifying the CDP

Cisco ASA supports three protocols for retrieving the CRL from the CA server:

- LDAP

- HTTP

- SCEP

Click the CRL Retrieval Method tab to select at least one of the protocols. In Figure 21-16, the administrator is using HTTP and SCEP as the CRL retrieval protocols.

Figure 21-16. Specifying the CRL Retrieval Protocols

The Advanced tab enables you to specify the CRL checking and caching timers. You can choose to require CRL checking for all received certificates, as shown in Figure 21-17; with this setting, a certificate is rejected when no usable CRL can be obtained, instead of being accepted for lack of revocation information. In this example, the administrator has also enabled Enforce Next CRL Update, which rejects any CRL whose Next Update field is missing or already in the past. Without it, a stale CRL, which may omit recently revoked certificates, would continue to be honored.

Figure 21-17. Setting Advanced Trustpoint Attributes

Step 4.

Authenticate and enroll in the CA server.

For a successful PKI implementation, Cisco ASA needs to receive both the root certificate (the CA's own certificate) and its identity certificate from the CA server. Choose Configuration > Features > Device Administration > Certificate > Authentication to request the root certificate. Select the configured trustpoint and click Authenticate to submit the request, as shown in Figure 21-18.

Figure 21-18. Requesting Root Certificate

To request an identity certificate, choose Configuration > Features > Device Administration > Certificate > Enrollment and click Enroll, as shown in Figure 21-19.

Figure 21-19. Requesting Identity Certificate

Note

Verify the fingerprint of the received CA certificate against the fingerprint published by the CA administrator before accepting it. The SCEP download is unauthenticated, so this out-of-band comparison is the only assurance that the certificate really belongs to the intended CA. An attacker who can substitute a CA certificate at this step can later issue certificates that Cisco ASA will accept for the tunnel.

Step 5.

Select a certificate for the site-to-site tunnel.

Once the CA administrator approves the requested certificate, Cisco ASA stores it in flash and makes it available for VPN connections. Using the site-to-site VPN Wizard, you can select an available certificate for IKE authentication in the Remote Site Peer window, as shown in Figure 21-20.

Figure 21-20. Selecting Certificates for VPN Tunnels
