I believe using the trustpoint command in the crypto map statement is used for selecting a certificate to send if you have multiple trustpoints. E.g.

You have an L2L for company use, and an L2L for business-to-business for extranet partners. You want to use your internal CA for company use and a third-party external CA for B2B. You would define 2 crypto maps: one for internal L2L, and one for B2B L2L. You would create two trustpoints as well: one for the internal CA and one for the external CA. Then you define which trustpoint to use with which crypto map. That is my interpretation of this command.

From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Monday, September 07, 2009 1:55 AM
To: Dnyaneshwar Gore
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] VPN in ASA Ver8.0, Tunnel group

Hi D.M.Gore

Yes, even I noticed it. This command makes the certificate available in IKE. As per the syntax, this is valid only when the connection is initiated. I think, if LAN to LAN IPSec should respond (bi-directional connection) then we should use trustpoint in the tunnel group. Let's wait for others' input.

asa(config)# crypto map mine 2 set ?

configure mode commands/options:
  connection-type       Specify connection-type for site-site connection based on this entry
  inheritance           Specify inheritance(data or acl rule) to be used while initiating a connection based on this entry
  nat-t-disable         Disable nat-t negotiation for connections based on this entry
  peer                  Set IP address of peer
  pfs                   Specify pfs settings
  phase1-mode           Specify mode(main or aggressive) to be used while initiating a connection based on this entry
  reverse-route         Enable reverse route injection for connections based on this entry
  security-association  Security association duration
  transform-set         Specify list of transform sets in priority order
  trustpoint            Specify trustpoint that defines the certificate to be used while initiating a connection based on this entry

asa(config)# tunnel-group mine ipsec-attributes
asa(config-tunnel-ipsec)# ?

tunnel-group configuration commands:
  chain             Enable sending certificate chain
  exit              Exit from tunnel-group IPSec attribute configuration mode
  help              Help for tunnel group configuration commands
  isakmp            Configure ISAKMP policy
  no                Remove an attribute value pair
  peer-id-validate  Validate identity of the peer using the peer's certificate
  pre-shared-key    Associate a pre-shared key with the connection policy
  trust-point       Select the trustpoint that identifies the cert to be sent to the IKE peer

On Mon, Sep 7, 2009 at 8:32 AM, Dnyaneshwar Gore <[email protected]> wrote:

Hi All,

In Lan to Lan IPsec type, is tunnel group unidirectional only for incoming traffic? I am asking this question because in case of certificate based authentication, the following command is used to initiate the tunnel from the ASA side: "crypto map VPN 10 set trustpoint remote peer ID"

Regards,
D.M.Gore

_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com <http://www.ipexpert.com/>
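The layout the top reply describes (one crypto map entry per partner type, each bound to its own trustpoint, plus the tunnel-group trust-point that Kingsley suggests for the responding side), written out as an added ASA 8.0-style configuration sketch that is not part of this thread. Trustpoint names, ACL names, subnets, the two RFC 5737 peer addresses and the transform-set name are placeholders I chose; the enrollment and subject-name details are assumed.

```cisco
! Two trustpoints: one enrolled with the internal CA, one with the external (B2B) CA
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 subject-name CN=asa.example.internal
crypto ca trustpoint EXTERNAL-CA
 enrollment terminal
 subject-name CN=asa.example.com
!
! IKE phase 1 authenticates with certificates (RSA signatures), not pre-shared keys
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac
!
! Interesting traffic for each L2L (placeholder subnets)
access-list INTERNAL-L2L extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list PARTNER-L2L extended permit ip 10.1.0.0 255.255.0.0 172.16.50.0 255.255.255.0
!
! Entry 10: internal site-to-site; present the internal-CA cert when this ASA initiates
crypto map OUTSIDE-MAP 10 match address INTERNAL-L2L
crypto map OUTSIDE-MAP 10 set peer 198.51.100.10
crypto map OUTSIDE-MAP 10 set transform-set AES-SHA
crypto map OUTSIDE-MAP 10 set trustpoint INTERNAL-CA
!
! Entry 20: B2B extranet partner; present the external-CA cert when this ASA initiates
crypto map OUTSIDE-MAP 20 match address PARTNER-L2L
crypto map OUTSIDE-MAP 20 set peer 203.0.113.20
crypto map OUTSIDE-MAP 20 set transform-set AES-SHA
crypto map OUTSIDE-MAP 20 set trustpoint EXTERNAL-CA
crypto map OUTSIDE-MAP interface outside
!
! L2L tunnel groups are named by peer address; trust-point here selects the cert
! sent to the IKE peer for the tunnel group, and peer-id-validate req enforces
! that the peer's identity is checked against its certificate
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 trust-point INTERNAL-CA
 peer-id-validate req
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 trust-point EXTERNAL-CA
 peer-id-validate req
```

Verify with show crypto isakmp sa and show crypto ca certificates after each peer brings up its tunnel, checking that the certificate presented matches the trustpoint bound to that entry.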
