Configure an IOS Router Site-to-Site VPN Using Digital Certificates
Configuration tasks

The configuration of a site-to-site VPN using digital certificates is similar to the configuration that is done when pre-shared keys are used for authentication. This section discusses the configuration tasks and steps in detail. The following tasks are used to configure a site-to-site VPN using digital certificates:

Task 1 Prepare for IKE and IPSec – To prepare for IPSec, determine the following detailed encryption policy:

  • Identify the hosts and networks to be protected
  • Determine IPSec peer details
  • Determine the IPSec features that are needed
  • Ensure that the existing access lists are compatible with IPSec

Task 2 Configure CA Support – To configure CA support, set the router hostname and domain name, generate the RSA keys, declare a CA (trustpoint), authenticate the CA, and request the router's own certificate.

Task 3 Configure IKE for IPSec – To configure IKE, enable IKE, create the IKE policies, and validate the configuration.

Task 4 Configure IPSec – To configure IPSec, define the transform sets, create crypto access lists, create crypto map entries, and apply crypto map sets to the interfaces.

Task 5 Test and verify IPSec – Use show, debug, and related commands to test and verify that IPSec encryption works, and to troubleshoot problems.
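The following is an added example configuration for one peer (it is not from the original page); it walks through Tasks 2 to 5 in order, plus the Task 1 access-list check. The hostname, domain, trustpoint name, CA URL, key label and all addresses are assumed placeholders (RFC 5737 documentation ranges). It uses the current crypto pki commands, which replaced the older crypto ca forms; the remote peer needs a mirrored configuration with the addresses and subnets swapped.

```cisco
! Added example, not from the original page. All names and addresses are assumed
! placeholders (RFC 5737 documentation ranges).
!
! Task 2 - CA support: identity, RSA key pair, trustpoint, authenticate, enroll
hostname RouterA
ip domain-name example.com
crypto key generate rsa label VPN-KEYS modulus 2048
!
crypto pki trustpoint LAB-CA
 enrollment url http://192.0.2.10:80
 subject-name CN=RouterA.example.com
 rsakeypair VPN-KEYS
 revocation-check crl
!
! Downloads the CA certificate; compare the displayed fingerprint with the
! value obtained from the CA operator out of band before answering yes.
crypto pki authenticate LAB-CA
! Requests the router's own identity certificate from the CA (SCEP)
crypto pki enroll LAB-CA
!
! Task 3 - IKE policy using certificate (RSA signature) authentication
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication rsa-sig
 group 14
 lifetime 86400
!
! Task 4 - IPsec: transform set, crypto ACL, crypto map, apply to interface
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Crypto ACL: traffic between the two protected LANs is encrypted
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.1.0 0.0.0.255 10.2.2.0 0.0.0.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TRAFFIC
!
! Task 1 check - an inbound ACL on the outside interface must permit IKE
! (UDP 500, UDP 4500 for NAT-T) and ESP from the peer. Decrypted packets are
! evaluated against this ACL again, so the cleartext flow is permitted too.
ip access-list extended OUTSIDE-IN
 permit udp host 203.0.113.2 host 203.0.113.1 eq isakmp
 permit udp host 203.0.113.2 host 203.0.113.1 eq non500-isakmp
 permit esp host 203.0.113.2 host 203.0.113.1
 permit ip 10.2.2.0 0.0.0.255 10.1.1.0 0.0.0.255
 deny ip any any log
!
interface GigabitEthernet0/0
 ip address 203.0.113.1 255.255.255.252
 ip access-group OUTSIDE-IN in
 crypto map VPN-MAP
!
end
!
! Task 5 - verification from privileged EXEC mode
! show crypto pki certificates   (CA and router certificates present and valid)
! show crypto isakmp sa          (expect state QM_IDLE once Phase 1 completes)
! show crypto ipsec sa           (encaps/decaps counters increase with traffic)
! debug crypto isakmp            (Phase 1 negotiation, including certificate exchange)
```

The trustpoint's revocation-check crl line means the router rejects a peer whose certificate is revoked or whose CRL cannot be fetched; relax it only deliberately, since turning it off is what lets a compromised and revoked peer certificate keep working.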