25-51
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding Public Key Infrastructure Policies
The Public Key Infrastructure page opens, displaying the currently selected CA server, if any, in the Selected field.
Step 2 Select the PKI enrollment policy object that defines the desired CA server in the Available CA Servers list. You can do the following to modify the listed objects:
• To add a new PKI enrollment object, click the Create (+) button. The Add PKI Enrollment dialog box opens. For detailed information about the attributes of a PKI enrollment object, see PKI Enrollment Dialog Box, page 25-54.
• To change the configuration of an existing object, select it and click the Edit (pencil) button.
Note If you are making a PKI enrollment request on an Easy VPN topology, you must configure each remote component (spoke) with the name of the user group to which it connects. You specify this information in the Organization Unit (OU) field in the Certificate Subject Name tab of the PKI Enrollment dialog box. You do not need to configure the name of the user group on the hub (Easy VPN server). For more information, see PKI Enrollment Dialog Box—Certificate Subject Name Tab, page 25-61.
Defining Multiple IKEv1 CA Servers for Site-to-Site VPNs
You can select only one CA server when defining an IKEv1 Public Key Infrastructure (PKI) policy on a site-to-site VPN. This creates a problem when the devices in the VPN enroll with different CA servers when using IKEv1. For example, the spoke devices might enroll with a different CA server than the hub, or the spokes in one part of the VPN might enroll with a different CA server than the spokes in another part of the VPN.
Tip When using IKEv2, you can configure different CA servers for various devices by creating overrides for the IKEv2 Authentication policy global settings rather than creating device-level overrides for PKI enrollment policy objects. However, you can also use device-level overrides for IKEv2 as described in this topic. For information on configuring CA servers for IKEv2, see Configuring IKEv2 Authentication in Site-to-Site VPNs, page 25-62.
To define an IKEv1 PKI policy, you select a PKI enrollment object that specifies the CA server to which the devices should enroll. Although by default the policy object refers globally to a single CA server, you can use device-level overrides to have the object refer to a different CA server on selected devices. For example, if PKI enrollment object PKI_1 refers to a CA server named CA_1, you can create a device-level override for selected devices that has PKI_1 refer to a different CA server, for example, CA_2. Theoretically, you can use overrides to define a different CA server for each device in the VPN. This procedure describes the basic steps for creating overrides for PKI enrollment objects.
Note You can also use device-level overrides when the CA servers are arranged in a PKI hierarchy beneath a common, trusted CA server. To do this, you must ensure that both the global definition of the object and the device-level override specify the trusted CA server in the Trusted CA Hierarchy tab of the PKI Enrollment dialog box. See PKI Enrollment Dialog Box—Trusted CA Hierarchy Tab, page 25-62.
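The following is an added example, not part of the user guide and not Security Manager's own API: a small Python model of how a global PKI enrollment object (PKI_1 referring to CA_1) combines with device-level overrides (CA_2 on selected devices), plus a check for the two consistency rules stated above (matching trusted CA in the hierarchy case, and a user group in the OU field on every Easy VPN spoke). Class names, field names and device names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class PkiEnrollment:
    # Settings of one PKI enrollment definition (global or a device-level override).
    ca_server: str                    # CA server the device enrolls with
    trusted_ca: Optional[str] = None  # root named in the Trusted CA Hierarchy tab
    subject_ou: Optional[str] = None  # OU field of the Certificate Subject Name tab


@dataclass
class PkiEnrollmentObject:
    # A policy object such as PKI_1: one global definition plus per-device overrides.
    name: str
    default: PkiEnrollment
    overrides: Dict[str, PkiEnrollment] = field(default_factory=dict)

    def effective(self, device: str) -> PkiEnrollment:
        # A device-level override replaces the global definition for that device only.
        return self.overrides.get(device, self.default)


def check_pki_object(obj: PkiEnrollmentObject, easy_vpn_spokes: List[str]) -> List[str]:
    """Return the consistency problems the guide warns about (empty list if none)."""
    problems = []
    for device, ovr in obj.overrides.items():
        # Hierarchy rule: the global definition and every override must name the
        # same trusted CA, otherwise the override breaks the common trust anchor.
        if obj.default.trusted_ca != ovr.trusted_ca:
            problems.append(f"{obj.name}/{device}: trusted CA {ovr.trusted_ca!r} "
                            f"differs from global {obj.default.trusted_ca!r}")
    for spoke in easy_vpn_spokes:
        # Easy VPN rule: each spoke carries its user group in the OU; the hub need not.
        if not obj.effective(spoke).subject_ou:
            problems.append(f"{obj.name}/{spoke}: Easy VPN spoke has no user group in OU")
    return problems


# Constructed sample: PKI_1 refers to CA_1 globally; two spokes are overridden to CA_2,
# but the second override omits both the trusted CA and the OU.
PKI_1 = PkiEnrollmentObject(
    name="PKI_1",
    default=PkiEnrollment("CA_1", trusted_ca="ROOT_CA", subject_ou="group-a"),
    overrides={
        "spoke-east": PkiEnrollment("CA_2", trusted_ca="ROOT_CA", subject_ou="group-b"),
        "spoke-west": PkiEnrollment("CA_2"),
    },
)
```

Calling `PKI_1.effective("hub")` yields the global CA_1 definition, while `check_pki_object(PKI_1, ["spoke-east", "spoke-west"])` reports both defects on spoke-west and nothing for spoke-east.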