The configuration of a site-to-site VPN using digital certificates is
similar to the configuration that is done when pre-shared keys are used for
authentication. This section discusses the configuration tasks and steps in
detail. The following tasks are used to configure a site-to-site VPN using
digital certificates:
Task 1 Prepare for IKE and IPSec – To prepare for IPSec, determine the following detailed encryption policy:
- Identify the hosts and networks to be protected
- Determine IPSec peer details
- Determine the IPSec features that are needed
- Ensure that the existing access lists are compatible with IPSec
Task 2 Configure CA Support – To configure CA support, set the router hostname and domain name, generate the RSA keys, declare a CA, authenticate the CA, and request the router's own certificate.
Task 3 Configure IKE for IPSec – To configure IKE, enable IKE, create the IKE policies, and validate the configuration.
Task 4 Configure IPSec – To configure IPSec, define the transform sets, create crypto access lists, create crypto map entries, and apply crypto map sets to the interfaces.
Task 5 Test and verify IPSec – Use show, debug, and related commands to test and verify that IPSec encryption works, and to troubleshoot problems.
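The following Cisco IOS configuration is an added worked example of Tasks 2 through 5 on one router; it is not taken from the course text. The hostname, domain name, trustpoint name, CA enrollment URL, peer and interface addresses (RFC 5737 documentation ranges), access-list number, and crypto map name are all assumed for illustration, and the sha256 hash and group 14 keywords require a release that supports them (older releases accept only sha and group 2/5 in an ISAKMP policy). The peer router needs a matching policy, a matching transform set, and a crypto access list that is the mirror image of access-list 110.

```cisco
! Task 2: CA support. Hostname and domain name must be set before RSA keys
! are generated, because they form the key label and the certificate subject.
hostname vpn-gw-a
ip domain-name example.com
crypto key generate rsa modulus 2048
!
! Declare the CA (trustpoint). The enrollment URL is assumed.
crypto ca trustpoint EXAMPLE-CA
 enrollment url http://ca.example.com:80
 revocation-check crl
!
! Authenticate the CA (fetch and verify its certificate), then request
! this router's own certificate. Both are interactive exec commands.
crypto ca authenticate EXAMPLE-CA
crypto ca enroll EXAMPLE-CA
!
! Task 3: IKE policy. rsa-sig selects certificate authentication instead
! of a pre-shared key; everything else is the same as the PSK case.
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes 256
 hash sha256
 group 14
 lifetime 86400
!
! Task 4: transform set, crypto access list, crypto map, interface binding.
crypto ipsec transform-set AES-SHA esp-aes 256 esp-sha-hmac
!
! Traffic between the two protected LANs (assumed) is encrypted;
! anything not matched by this list passes in the clear.
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map SITE-B 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set AES-SHA
 match address 110
!
interface GigabitEthernet0/0
 ip address 198.51.100.1 255.255.255.0
 crypto map SITE-B
!
! Task 5: verify. Confirm the certificates are present, then check that
! an IKE SA and IPSec SAs form after interesting traffic is sent.
show crypto ca certificates
show crypto isakmp sa
show crypto ipsec sa
```

Two checks worth making before Task 5: the router clock must be correct (set it or configure NTP) before `crypto ca authenticate`, because certificate validity dates are checked and an unset clock makes every certificate look expired or not yet valid; and `show crypto ca certificates` should list both the CA certificate and the router certificate before you expect `show crypto isakmp sa` to show a state of QM_IDLE. If IKE fails, `debug crypto isakmp` shows whether the failure is certificate validation (wrong CA, revoked or expired certificate) or a policy mismatch.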