VPN With Pre-Shared Keys - Page 3

By Cisco Press | Posted Oct 30, 2001
Obtaining Certificate Authorities (CAs)
Retrieving certificate authorities (CAs) with the PIX Firewall uses almost exactly the same method as that used on routers. The following are the commands used to obtain a CA. Note that these commands might not show in a configuration. The administrator should avoid rebooting the PIX during this sequence. The steps are explained as they are shown.

First, define the CA identity (its nickname) and the IP address of the interface to be used to reach the CA. Also configure the retry period used when requesting the certificate and the number of retries.

 ca identity bigcompany.com 172.30.1.1
 ca configure bigcompany.com ca 2 100
Generate the RSA key used for this certificate.
 ca generate rsa key 512
Then get the public key and certificate.
 ca authenticate bigcompany.com
Next, request (enroll for) the certificate, and finally, save the RSA key pair and certificates to flash.
 ca enroll bigcompany.com enrollpassword
 ca save all
At this point, you have saved your certificates to the flash memory and are able to use them. The configuration for using an existing CA is as follows:
 domain-name bigcompany.com
 isakmp enable outside
 isakmp policy 8 auth rsa-signature
 ca identity example.com 172.30.1.1
 ca generate rsa key 512
 access-list 60 permit ip 10.1.2.0 255.255.255.0
 crypto map chicagotraffic 20 ipsec-isakmp
 crypto map chicagotraffic 20 match address 60
 crypto map chicagotraffic 20 set transform-set strong
 crypto map chicagotraffic 20 set peer 172.30.1.2
 crypto map chicagotraffic interface outside
 sysopt connection permit-ipsec
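The configuration fragment above references a transform-set named strong that it never defines, and binds the crypto map to an interface on which ISAKMP must also be enabled. Those cross-references are easy to get wrong when typing a PIX configuration by hand, so the following added example (not part of the Cisco Press text, and not a Cisco tool) is a small Python consistency checker that reads a PIX-style configuration and reports dangling references and a weak RSA modulus. The sample configuration embedded in it is constructed from the article's fragment; the command patterns it matches are the ones shown on this page, and anything else in a real configuration is simply ignored.

```python
import re

# Constructed sample: the article's fragment. Note that the transform-set
# "strong" is referenced but never defined, and the RSA key is only 512 bits.
SAMPLE_CONFIG = """\
domain-name bigcompany.com
isakmp enable outside
isakmp policy 8 auth rsa-signature
ca identity example.com 172.30.1.1
ca generate rsa key 512
access-list 60 permit ip 10.1.2.0 255.255.255.0
crypto map chicagotraffic 20 ipsec-isakmp
crypto map chicagotraffic 20 match address 60
crypto map chicagotraffic 20 set transform-set strong
crypto map chicagotraffic 20 set peer 172.30.1.2
crypto map chicagotraffic interface outside
sysopt connection permit-ipsec
"""


def parse_lines(text):
    """Return non-empty, non-comment configuration lines, whitespace stripped."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def lint_pix_config(text):
    """Return a list of findings (empty list means no inconsistencies found)."""
    acls, transform_sets, isakmp_ifaces = set(), set(), set()
    has_ca_identity, rsa_bits, rsa_sig_policies = False, None, []
    entries = {}      # (map name, sequence) -> attributes of that crypto map entry
    map_ifaces = []   # (map name, interface) from "crypto map NAME interface IFACE"

    for ln in parse_lines(text):
        if m := re.match(r"access-list (\S+) ", ln):
            acls.add(m.group(1))
        elif m := re.match(r"crypto ipsec transform-set (\S+)", ln):
            transform_sets.add(m.group(1))
        elif m := re.match(r"isakmp enable (\S+)$", ln):
            isakmp_ifaces.add(m.group(1))
        elif m := re.match(r"isakmp policy (\d+) auth(?:entication)? rsa-sig", ln):
            rsa_sig_policies.append(m.group(1))   # matches "auth rsa-signature" too
        elif ln.startswith("ca identity "):
            has_ca_identity = True
        elif m := re.match(r"ca generate rsa key (\d+)", ln):
            rsa_bits = int(m.group(1))
        elif m := re.match(r"crypto map (\S+) interface (\S+)$", ln):
            map_ifaces.append((m.group(1), m.group(2)))
        elif m := re.match(r"crypto map (\S+) (\d+) (.*)$", ln):
            entry = entries.setdefault((m.group(1), m.group(2)), {})
            rest = m.group(3)
            if rest == "ipsec-isakmp":
                entry["type"] = "ipsec-isakmp"
            elif m2 := re.match(r"match address (\S+)", rest):
                entry["acl"] = m2.group(1)
            elif m2 := re.match(r"set transform-set (.+)", rest):
                entry["ts"] = m2.group(1).split()
            elif m2 := re.match(r"set peer (\S+)", rest):
                entry.setdefault("peers", []).append(m2.group(1))

    findings = []
    for (name, seq), e in sorted(entries.items()):
        label = f"crypto map {name} {seq}"
        if e.get("type") != "ipsec-isakmp":
            findings.append(f"{label}: no 'ipsec-isakmp' entry line")
        if "acl" not in e:
            findings.append(f"{label}: no 'match address' line")
        elif e["acl"] not in acls:
            findings.append(f"{label}: references access-list {e['acl']} which is not defined")
        for ts in e.get("ts", []):
            if ts not in transform_sets:
                findings.append(f"{label}: references transform-set '{ts}' which is not defined")
        if not e.get("peers"):
            findings.append(f"{label}: no 'set peer' line")
    defined_maps = {n for n, _ in entries}
    for name, iface in map_ifaces:
        if name not in defined_maps:
            findings.append(f"crypto map {name} is bound to {iface} but has no entries")
        if iface not in isakmp_ifaces:
            findings.append(f"crypto map {name} is bound to {iface} but ISAKMP is not enabled there")
    if rsa_sig_policies and not has_ca_identity:
        findings.append("isakmp policy uses rsa-signature but no 'ca identity' is configured")
    if rsa_sig_policies and rsa_bits is None:
        findings.append("isakmp policy uses rsa-signature but no 'ca generate rsa key' is present")
    if rsa_bits is not None and rsa_bits < 1024:
        findings.append(f"ca generate rsa key {rsa_bits}: modulus below 1024 bits is weak")
    return findings


if __name__ == "__main__":
    for finding in lint_pix_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the article's fragment, the checker reports the undefined transform-set and the 512-bit modulus; adding a transform-set definition and a longer key clears both findings. The checks are deliberately structural (does every reference resolve, is ISAKMP enabled where the map is bound), which is the class of mistake that leaves a tunnel silently failing to negotiate rather than failing loudly at configuration time.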
