Thanks for your explanation. But does that mean that the trustpoint definition in the tunnel group is optional for initiating a tunnel? If I have only one trustpoint configured in the ASA for only one type of connection, i.e. L2L, then can the ASA initiate a VPN tunnel without a trustpoint in the tunnel group?

Regards,
D.M.Gore

On Mon, Sep 7, 2009 at 10:52 PM, Shawn H. Mesiatowsky <[email protected]> wrote:

> I believe using the trustpoint command in the crypto map statement is used for selecting a certificate to send if you have multiple trustpoints. E.g.
>
> You have an L2L for company use, and an L2L for business to business for extranet partners. You want to use your internal CA for company use and a third-party external CA for B2B. You would define 2 crypto maps: one for internal L2L, and one for B2B L2L. You would create two trustpoints as well, one for the internal CA and one for the external CA. Then you define which trustpoint to use with which crypto map. That is my interpretation of this command.
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* Kingsley Charles
> *Sent:* Monday, September 07, 2009 1:55 AM
> *To:* Dnyaneshwar Gore
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] VPN in ASA Ver8.0, Tunnel group
>
> Hi D.M.Gore
>
> Yes, even I noticed it. This command makes the certificate available in IKE. As per the syntax, this is valid only when the connection is initiated. I think, if LAN to LAN IPsec should respond (bi-directional connection) then we should use trustpoint in the tunnel group.
>
> Let's wait for others' input.
>
> asa(config)# crypto map mine 2 set ?
>
> configure mode commands/options:
>   connection-type       Specify connection-type for site-site connection based on this entry
>   inheritance           Specify inheritance(data or acl rule) to be used while initiating a connection based on this entry
>   nat-t-disable         Disable nat-t negotiation for connections based on this entry
>   peer                  Set IP address of peer
>   pfs                   Specify pfs settings
>   phase1-mode           Specify mode(main or aggressive) to be used while initiating a connection based on this entry
>   reverse-route         Enable reverse route injection for connections based on this entry
>   security-association  Security association duration
>   transform-set         Specify list of transform sets in priority order
>   trustpoint            Specify trustpoint that defines the certificate to be used while initiating a connection based on this entry
>
> asa(config)# tunnel-group mine ipsec-attributes
> asa(config-tunnel-ipsec)# ?
>
> tunnel-group configuration commands:
>   chain             Enable sending certificate chain
>   exit              Exit from tunnel-group IPSec attribute configuration mode
>   help              Help for tunnel group configuration commands
>   isakmp            Configure ISAKMP policy
>   no                Remove an attribute value pair
>   peer-id-validate  Validate identity of the peer using the peer's certificate
>   pre-shared-key    Associate a pre-shared key with the connection policy
>   trust-point       Select the trustpoint that identifies the cert to be sent to the IKE peer
>
> On Mon, Sep 7, 2009 at 8:32 AM, Dnyaneshwar Gore <[email protected]> wrote:
>
>> Hi All,
>>
>> In LAN to LAN IPsec type, is the tunnel group unidirectional, only for incoming traffic?
>>
>> I am asking this question because in case of certificate based authentication, the following command is used to initiate a tunnel from the ASA side:
>>
>> "crypto map VPN 10 set trustpoint *remote peer ID*"
>>
>> Regards,
>> D.M.Gore
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
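The two-CA layout Shawn describes (one crypto map entry and one trustpoint per partner class), written out as an ASA 8.0-style configuration fragment. This is an added illustration, not configuration posted in the thread; the trustpoint names, crypto map and ACL names, peer addresses, subnets and transform-set are assumed placeholders. It names a trustpoint in both places the thread's help output shows (the crypto map entry, used when this ASA initiates, and the tunnel-group ipsec-attributes, which select the certificate sent to the IKE peer) and turns on peer certificate identity checking, so each partner is bound to the CA meant for it.

```text
! --- Two CAs (names assumed): internal for company L2L, external for B2B ---
! Certificates are obtained afterwards with the exec commands
! "crypto ca authenticate <name>" and "crypto ca enroll <name>".
crypto ca trustpoint INTERNAL-CA
 enrollment url http://ca.internal.example/certsrv/mscep/mscep.dll
 subject-name CN=asa1.internal.example
crypto ca trustpoint EXTERNAL-CA
 enrollment terminal
 subject-name CN=asa1.partner-facing.example

! --- Phase 1: certificate (RSA signature) authentication, 8.0 flat syntax ---
crypto isakmp policy 10 authentication rsa-sig
crypto isakmp policy 10 encryption aes-256
crypto isakmp policy 10 hash sha
crypto isakmp policy 10 group 2
crypto isakmp policy 10 lifetime 86400
crypto isakmp enable outside

! --- Phase 2 ---
crypto ipsec transform-set AES-SHA esp-aes-256 esp-sha-hmac

! Interesting traffic (assumed subnets)
access-list L2L-INTERNAL extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list L2L-PARTNER  extended permit ip 10.1.10.0 255.255.255.0 172.16.50.0 255.255.255.0

! Entry 10: company site, present the internal-CA certificate when initiating
crypto map OUTSIDE_MAP 10 match address L2L-INTERNAL
crypto map OUTSIDE_MAP 10 set peer 198.51.100.10
crypto map OUTSIDE_MAP 10 set transform-set AES-SHA
crypto map OUTSIDE_MAP 10 set trustpoint INTERNAL-CA

! Entry 20: extranet partner, present the external-CA certificate when initiating
crypto map OUTSIDE_MAP 20 match address L2L-PARTNER
crypto map OUTSIDE_MAP 20 set peer 203.0.113.20
crypto map OUTSIDE_MAP 20 set transform-set AES-SHA
crypto map OUTSIDE_MAP 20 set trustpoint EXTERNAL-CA
crypto map OUTSIDE_MAP interface outside

! --- L2L tunnel groups, keyed on the peer address ---
! trust-point: the certificate sent to this IKE peer (per the tunnel-group
! help text). peer-id-validate req: the peer's certificate identity must
! match, so a partner cannot come up on the wrong tunnel group.
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 trust-point INTERNAL-CA
 peer-id-validate req
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 trust-point EXTERNAL-CA
 peer-id-validate req
```

With both the crypto map entry and the tunnel group naming a trustpoint, the choice of certificate does not depend on which side brings the tunnel up, which is the case the thread is unsure about; whether either one alone suffices for an initiated tunnel is exactly the question still open above, and this fragment does not settle it. Adding `chain` under ipsec-attributes is worth considering when the partner's CA needs the intermediate certificates to validate this ASA's certificate.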
