Content created by Rene Molenaar (CCIE #41726)



Notable Replies

  1. Rene,
    Well done with this post, please post more articles like this.
    Thank you

  2. Rene,
    Thanks for the presentation, great info as always...

    What would be the advantages of changing my current ASA VPN Pre-Shared Keys to Certificates?

    I am kind of new to certificates, so what would be the process for my customers who connect with PSK VPNs? Would they need to provide me a certificate from a trusted CA for my ASA, and I would provide them a certificate as well?

    If I have a couple hundred VPNs, can I provide the same certificate to every customer, or is that not a best practice?

    Thanks again for all the great tutorials.

  3. Hi Brian,

    Security-wise, the public/private key of a certificate are typically longer than a pre-shared key.

    If you want to use certificates then both devices will have to trust the same root CA. You could use your own CA like I did with this example and sign two certificates. One for your firewall and one for the customer. Since both devices trust the CA, they will trust each other's certificate.

    This is the main advantage of using certificates. For example, let's say you have 100 customers that build a VPN to your main office's firewall. If you want to add an extra firewall that the customers could connect to, then you have to configure 100 pre-shared keys for all 100 customers to connect to the second firewall. You could use the same pre-shared key everywhere, but that means once the key is compromised, you have to replace it everywhere...not a good idea!

    When you use certificates, you only have to add a new certificate to the second firewall. Since the customers trust the CA, they will trust the certificate of the second firewall automatically.

    You could use the same certificate, it's even possible to use a "wildcard" certificate, but that's not a good idea. It's the same as using the same pre-shared key everywhere. Once the key (or certificate) is compromised, you'll have to replace it. Replacing a key/certificate on 2 devices is no problem, but for 100 devices it might be a pain :)

    It might be helpful to see this in action. You can use my example to build a CA with OpenSSL and then use 2-3 firewalls to build a VPN that uses the certificates.

    Hope this helps!

    Rene
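The procedure in the reply above (one private CA, one certificate per firewall and per customer, a second firewall enrolled later with no change on the customer side, and a certificate from a different CA being refused), as an added example that is not code from the original post or from networklessons.com. It uses the OpenSSL command line only; every name in it (Example-VPN-CA, fw1, fw2, customer-a, Rogue-CA, the example.net hostnames) is an assumption made for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: build a private CA with OpenSSL,
# sign one certificate per device, and run the check an IPsec peer performs on
# the certificate it receives. All names and hostnames below are assumptions.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Self-contained OpenSSL config so the result does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused-placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
EOF

# make_ca <prefix> <CN>: self-signed CA certificate plus its private key.
make_ca() {
  openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
    -days 3650 -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" 2>/dev/null
}

# issue_cert <ca-prefix> <device> <CN>: the device generates its own key and CSR,
# the CA signs the CSR. The CA private key never leaves the CA.
issue_cert() {
  openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -days 365 -extfile ca.cnf -extensions leaf_ext -out "$2.crt" 2>/dev/null
}

# peer_accepts <trusted-ca.crt> <received.crt>: prints accept or reject.
# Only the CA certificate is consulted on the verifying side, never the CA key.
peer_accepts() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo accept; else echo reject; fi
}

make_ca ca "Example-VPN-CA"
issue_cert ca fw1 "fw1.example.net"
issue_cert ca customer-a "customer-a"

# Later: a second firewall is enrolled with the same CA.
# Nothing changes on the customer side; ca.crt is still all it trusts.
issue_cert ca fw2 "fw2.example.net"

# A certificate from another CA is rejected even when the name matches.
make_ca rogue "Rogue-CA"
issue_cert rogue fake-fw2 "fw2.example.net"

echo "fw1 checks customer-a:      $(peer_accepts ca.crt customer-a.crt)"
echo "customer-a checks fw2:      $(peer_accepts ca.crt fw2.crt)"
echo "customer-a checks fake fw2: $(peer_accepts ca.crt fake-fw2.crt)"
```

Each device keeps its own key pair, so revoking or reissuing one device's certificate touches only that device and the CA, which is the point made above about 100 devices sharing one key. The customer verifies the new firewall with the same ca.crt it already had; the CA private key stays on the CA host and is never copied to a firewall or customer.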

  4. Hi my friend.

    I am not sure if the CA must always be available to the peers, even when they authenticate each other. If the CA is not available at that moment, will the VPN fail? What happens if I reload one of the peers? It was only available at the moment of enrolling and authenticating certificates. Could you explain to me, please?
