Cisco ASA Site-to-Site IPsec VPN Digital Certificates

Hello James

Thanks for sharing your solution; it’s so helpful, and it’s what makes this forum such a great place for learning networking…

Thanks again!

Laz

Hello, will s-to-s work between ASAs with self-signed certificates?

Hello Anastasiys

Cisco’s official advice on this issue is to never use self-signed certificates to authenticate. This kind of defeats the purpose of the security that the whole CA and certificates infrastructure delivers.

It is possible to apply self-signed certificates on a site-to-site VPN configuration on Cisco IOS devices; however, I’m not so sure about ASAs. You can do it for AnyConnect connections, but for site-to-site using ASAs, some users seem to indicate that it cannot be done.

If you want to implement a site-to-site VPN without a CA, your best bet is to simply use IKEv2 IPSEC.

I hope this has been helpful!

Laz


Hello,
This configuration worked great when I was using software version 9.14, but when I upgraded to 9.16, everything stopped.

Hello Gary

This Cisco command line reference for the ASA states the following:

For SSH, existing smaller keys can continue to be used after upgrading to 9.16, but we recommend that you upgrade to a larger size, or to a higher security key type. For other features, these RSA keys cannot be used in 9.16 and later. You can use the crypto ca permit-weak-crypto command to allow use of existing smaller keys, but even with this command, you cannot generate new smaller RSA keys.

Due to the smaller size of keys used in versions prior to 9.16, your upgrade to 9.16 has rendered them unusable. You will have to recreate those keys in order to get it to work. Alternatively, you can use the crypto ca permit-weak-crypto command as suggested above, but it is not recommended.

I hope this has been helpful!

Laz
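To make the key-regeneration step concrete, here is an added ASA CLI walkthrough for replacing a pre-9.16 RSA key pair and re-enrolling the trustpoint that the site-to-site tunnel authenticates with. This is example configuration written for this thread, not a NetworkLessons lesson or Cisco's own text; the labels (VPN-KEY-2048, CA-TRUSTPOINT), hostname and peer address are placeholders.

```text
! 1. Inventory the existing key pairs and their modulus sizes. Anything below
!    2048 bits is what 9.16 refuses to use for certificate authentication.
show crypto key mypubkey rsa

! 2. Generate a replacement key pair under a NEW label (placeholder name) so the
!    old pair is not overwritten while the tunnel is still up on the old cert.
crypto key generate rsa label VPN-KEY-2048 modulus 2048

! 3. Point the trustpoint (placeholder name) at the new key pair and re-enroll.
!    With "enrollment terminal" the ASA prints a CSR to paste into the CA; the
!    signed certificate is then pasted back with "crypto ca import".
crypto ca trustpoint CA-TRUSTPOINT
 keypair VPN-KEY-2048
 enrollment terminal
 fqdn asa1.example.com
 subject-name CN=asa1.example.com
exit
crypto ca authenticate CA-TRUSTPOINT
crypto ca enroll CA-TRUSTPOINT
crypto ca import CA-TRUSTPOINT certificate

! 4. The site-to-site tunnel group (placeholder peer 203.0.113.2) keeps using
!    the trustpoint, so it picks up the new certificate automatically.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate CA-TRUSTPOINT

! 5. Verify the new certificate and the rebuilt SA.
show crypto ca certificates CA-TRUSTPOINT
show crypto ikev2 sa

! Escape hatch mentioned in the thread: re-admits the old small keys but cannot
! create new ones, and leaves weak RSA in service. Use only as a bridge while
! the steps above are completed on both peers.
! crypto ca permit-weak-crypto
```

The remote ASA needs the same treatment, since IKEv2 certificate authentication fails as soon as either side presents a certificate whose key the 9.16 peer will not accept.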

Hi Rene, Please help provide the steps on how to configure IPSec static virtual tunnel interface with Digital Certificates, where CSR needs to be generated and signed by a CA Server.

Hello Kenneth

Take a look at this lesson which involves much of what you have asked for in your post:

If there is something more specific that you would like to take a look at let us know so we can direct you appropriately.

I hope this has been helpful!

Laz

Hi, any example for Cisco IOS instead?

Hello Kenneth

We don’t have a lesson for IPsec with digital certificates using a CA server and an IOS router; however, you may find something similar in some of the following links:

https://www.cisco.com/c/en/us/td/docs/security/vpn_modules/6342/vpn_cg/6342site3.html

If you would like Rene to create a specific lesson with particular parameters, you can always go to the Member Ideas page below and share your suggestion there. You may find that others have made similar suggestions, and you can add your voice to theirs.

I hope this has been helpful!

Laz
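Since the thread does not contain the IOS configuration Kenneth asked about, here is an added example of an IKEv2 static virtual tunnel interface (sVTI) on Cisco IOS authenticated with CA-signed certificates: the CSR is produced by `crypto pki enroll` and signed by the CA, exactly the flow asked for in the question. This is example configuration written for this thread, not a NetworkLessons lesson or Cisco documentation; the CA URL, hostnames, addresses and object names are placeholders, and the peer (r2) needs the mirror-image configuration.

```text
! --- PKI: key pair and trustpoint pointing at an SCEP-capable CA (placeholders) ---
crypto key generate rsa label SVTI-KEY modulus 2048
crypto pki trustpoint LAB-CA
 enrollment url http://ca.example.com:80
 subject-name CN=r1.example.com,O=Example
 fqdn r1.example.com
 rsakeypair SVTI-KEY
 ! Lab setting: production peers should validate revocation via CRL or OCSP.
 revocation-check none
! Fetch and fingerprint the CA certificate, then send the CSR for signing.
crypto pki authenticate LAB-CA
crypto pki enroll LAB-CA

! --- IKEv2: AEAD proposal, certificate (rsa-sig) authentication both ways ---
crypto ikev2 proposal PROP-GCM
 encryption aes-gcm-256
 prf sha384
 group 19
crypto ikev2 policy POL-GCM
 proposal PROP-GCM
crypto ikev2 profile SVTI-PROFILE
 match identity remote fqdn r2.example.com
 identity local fqdn r1.example.com
 authentication remote rsa-sig
 authentication local rsa-sig
 pki trustpoint LAB-CA

! --- IPsec profile bound to the IKEv2 profile ---
crypto ipsec transform-set TS-GCM esp-gcm 256
 mode tunnel
crypto ipsec profile SVTI-IPSEC
 set transform-set TS-GCM
 set ikev2-profile SVTI-PROFILE

! --- Static VTI: routed interface protected by the IPsec profile ---
interface Tunnel0
 ip address 10.0.0.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile SVTI-IPSEC

! --- Verification ---
show crypto pki certificates
show crypto ikev2 sa detailed
show crypto ipsec sa
```

The certificate's FQDN and subject name must match what the IKEv2 profile on the other router matches against; a mismatch shows up as an IKEv2 authentication failure in `show crypto ikev2 sa detailed` rather than as a tunnel that comes up with the wrong peer.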