Hi Tyson

I am not getting your second point. Can you please explain why we should
configure the trustpoint in the crypto map?

I thought the trustpoint association with the crypto map is for cases where the
tunnel initiates from its end, for example a dynamic site-to-site connection
where IPsec can be initiated from only one end.

Please check the following link; the L2L IPsec example doesn't have a trustpoint
configured with the crypto map.


http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aa5be1.shtml


But as per the command reference, the crypto map trustpoint is for the initiating
side and the tunnel group trustpoint is for the responder.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/c5.html#wp2231307


With regards
Kings

On Tue, Sep 8, 2009 at 10:07 AM, Tyson Scott <[email protected]> wrote:

> In the tunnel group it is the trustpoint that it will accept to confirm
> the certificate of the peer. The crypto map is for the trustpoint it will
> use to create the hash with the peer for itself. Both should be configured.
>
>
>
> Regards,
>
>
>
> Tyson Scott - CCIE #13513 R&S and Security
>
> Technical Instructor - IPexpert, Inc.
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Dnyaneshwar Gore
> *Sent:* Monday, September 07, 2009 11:24 PM
> *To:* Shawn H. Mesiatowsky
>
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] VPN in ASA Ver8.0, Tunnel group
>
>
>
> Thanks for your explanation.
>
> But does that mean that the trustpoint definition in the tunnel group is optional
> for initiating a tunnel? If I have only one trustpoint configured on the ASA for
> only one type of connection, i.e. L2L, then can the ASA initiate a VPN tunnel
> without a trustpoint in the tunnel group?
>
>
>
> Regards,
>
> D.M.Gore
>
> On Mon, Sep 7, 2009 at 10:52 PM, Shawn H. Mesiatowsky <
> [email protected]> wrote:
>
> I believe using the trustpoint command in the crypto map statement is used
> for selecting a certificate to send if you have multiple trustpoints. E.g.:
>
> You have an L2L for company use, and an L2L for business-to-business for
> extranet partners. You want to use your internal CA for company use and a
> third-party external CA for B2B. You would define 2 crypto maps, one for
> internal L2L and one for B2B L2L. You would create two trustpoints as well,
> one for the internal CA and one for the external CA. Then you define which
> trustpoint to use with which crypto map. That is my interpretation of this
> command.
>
>
>
>
>
> *From:* [email protected] [mailto:
> [email protected]] *On Behalf Of *Kingsley Charles
> *Sent:* Monday, September 07, 2009 1:55 AM
> *To:* Dnyaneshwar Gore
> *Cc:* [email protected]
> *Subject:* Re: [OSL | CCIE_Security] VPN in ASA Ver8.0, Tunnel group
>
>
>
> Hi D.M.Gore
>
>
>
> Yes, I noticed it too. This command makes the certificate available in
> IKE. As per the syntax, this is valid only when the connection is initiated.
> I think, if LAN-to-LAN IPsec should respond (bi-directional connection), then
> we should use the trustpoint in the tunnel group.
>
>
>
> Let's wait for other's input.
>
>
>
> asa(config)# crypto map mine 2 set ?
>
> configure mode commands/options:
>   connection-type       Specify connection-type for site-site connection based on this entry
>   inheritance           Specify inheritance (data or acl rule) to be used while initiating a connection based on this entry
>   nat-t-disable         Disable nat-t negotiation for connections based on this entry
>   peer                  Set IP address of peer
>   pfs                   Specify pfs settings
>   phase1-mode           Specify mode (main or aggressive) to be used while initiating a connection based on this entry
>   reverse-route         Enable reverse route injection for connections based on this entry
>   security-association  Security association duration
>   transform-set         Specify list of transform sets in priority order
>   trustpoint            Specify trustpoint that defines the certificate to be used while initiating a connection based on this entry
>
>
>
>
>
> asa(config)# tunnel-group mine ipsec-attributes
> asa(config-tunnel-ipsec)# ?
>
> tunnel-group configuration commands:
>   chain             Enable sending certificate chain
>   exit              Exit from tunnel-group IPSec attribute configuration mode
>   help              Help for tunnel group configuration commands
>   isakmp            Configure ISAKMP policy
>   no                Remove an attribute value pair
>   peer-id-validate  Validate identity of the peer using the peer's certificate
>   pre-shared-key    Associate a pre-shared key with the connection policy
>   trust-point       Select the trustpoint that identifies the cert to be sent to the IKE peer
>
>
>
>
> On Mon, Sep 7, 2009 at 8:32 AM, Dnyaneshwar Gore <[email protected]>
> wrote:
>
> Hi All,
>
>
>
> In the LAN-to-LAN IPsec type, is the tunnel group unidirectional, only for incoming
> traffic?
>
> I am asking this question because, in the case of certificate-based
> authentication, the following command is used to initiate the tunnel from the ASA side:
>
> "crypto map VPN 10 set trustpoint *remote peer ID*"
>
>
>
>
>
>
>
> Regards,
>
> D.M.Gore
>
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
>
>
>
>
>
>
>
>
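The configuration below is an added example for this thread, not a configuration posted by any of the participants or taken from the Cisco pages linked above. It shows where the two trustpoint references the thread argues about sit in an ASA 8.x certificate-authenticated L2L tunnel: "set trustpoint" on the crypto map entry selects the certificate this ASA presents when it initiates from that entry, and "trust-point" under the tunnel-group's ipsec-attributes selects the certificate it presents (and "peer-id-validate" how it checks the peer's) when it responds. The trustpoint name INTERNAL-CA, the peer address 203.0.113.2, the subject name, the ACL and map names and the address ranges are all assumed values; CA authentication and enrollment ("crypto ca authenticate" / "crypto ca enroll") are EXEC-mode steps done before this and are not shown.

```cisco
! Trustpoint for the CA that issued this ASA's identity certificate
! (the name INTERNAL-CA and the subject-name are assumed)
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 subject-name CN=asa1.example.com,O=Example
 crl configure
!
! IKE phase 1 with certificate (rsa-sig) authentication
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
!
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
access-list L2L-TRAFFIC extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
!
! Initiator side: when interesting traffic matches this entry and this ASA
! brings the tunnel up, "set trustpoint" names the certificate it sends.
crypto map OUTSIDE-MAP 10 match address L2L-TRAFFIC
crypto map OUTSIDE-MAP 10 set peer 203.0.113.2
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 10 set trustpoint INTERNAL-CA
crypto map OUTSIDE-MAP interface outside
!
! Responder side: when the peer initiates, the tunnel-group it is matched to
! supplies the certificate ("trust-point") and the peer-certificate identity
! check ("peer-id-validate req"); "chain" sends the CA chain along with it.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 trust-point INTERNAL-CA
 peer-id-validate req
 chain
```

Two practical notes. First, with both statements present the tunnel comes up regardless of which side starts it, which is what the "both should be configured" answer in the thread amounts to. Second, which tunnel-group a certificate-authenticated peer lands in is decided by the ASA's tunnel-group-map lookup, not by the crypto map entry; if the peer is not matched to the group named after its address, the "trust-point" has to be set in the group it actually hits (for example DefaultL2LGroup), otherwise the ASA responds without a certificate and phase 1 fails. "show crypto isakmp sa" and "debug crypto isakmp" on both boxes show which side initiated and whether a certificate payload was exchanged.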
