25-53
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 25 Configuring IKE and IPsec Policies
Understanding Public Key Infrastructure Policies
In Security Manager, CA servers are predefined as PKI enrollment objects that you can use in your PKI
policies. A PKI enrollment object contains the server information and enrollment parameters that are
required for creating enrollment requests for CA certificates.
For more information about Public Key Infrastructure policies, see Understanding Public Key
Infrastructure Policies, page 25-47.
This procedure describes how to specify the CA servers that will be used to create a Public Key
Infrastructure (PKI) policy in your remote access VPN.
Before You Begin
Keep the following in mind:
• For important information about successfully configuring PKI, see Requirements for Successful PKI Enrollment, page 25-48.
• The IKE Proposal policy for IPsec remote access VPNs should use an IKE Proposal object that requires certificate authorization when configuring IKEv1.
• For remote access VPNs defined on an ASA or PIX 7.x+ device, be aware that the Public Key Infrastructure policy is directly related to the following policies. Any trustpoints defined in these policies must also be selected in the Public Key Infrastructure policy; they are not automatically added to the policy. You might want to first configure these policies to determine which PKI enrollment objects are required in your remote access VPNs.
  – Connection Profiles—When you create an IPsec connection profile for which CA trustpoints should be used, you select the PKI enrollment object that identifies the trustpoint on the IPsec tab.
  – SSL VPN Access—You can configure trustpoints for each interface and also a fallback trustpoint.
  – Global Settings, IKEv2 Settings tab—For IKEv2 IPsec, you must specify a global trustpoint.
Related Topics
• Deciding Which Authentication Method to Use, page 25-8
• Filtering Items in Selectors, page 1-42
Step 1 Do one of the following:
• (Device view) Select Remote Access VPN > Public Key Infrastructure from the Policy selector.
• (Policy view) Select Remote Access VPN > Public Key Infrastructure from the Policy Type selector. Select an existing policy or create a new one.
The Public Key Infrastructure page opens, displaying the currently available and selected CA servers
(PKI enrollment objects), if any.
Step 2 Select the PKI enrollment policy objects that define the desired CA servers in the Available CA Servers
list and click >> to move them to the Selected CA Servers list. You can remove undesired objects by
selecting them in the selected list and clicking <<.
For ASA and PIX 7.x+ devices, the list of selected PKI enrollment objects must include all objects that
are specified in the connection profiles defined for the remote access VPN. For more information on
connection profiles, see Configuring Connection Profiles (ASA, PIX 7.0+), page 30-6. Also, any
trustpoints configured for IKEv2 on the Global Settings policy must be included; see Configuring VPN
Global IKEv2 Settings, page 25-34.
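As an added example that is not part of this guide (Security Manager offers no such script), the following Python models the dependency rule stated in Before You Begin and in Step 2: every trustpoint referenced by a connection profile, by SSL VPN Access (per interface or fallback), or by the IKEv2 global settings must also appear in the PKI policy's Selected CA Servers list. The trustpoint names and the data layout are constructed assumptions for illustration only.

```python
# Added pre-deployment consistency check for the PKI policy dependency described in the guide.
# The RemoteAccessVpn layout and all trustpoint names are constructed; Security Manager exposes
# no such structure on this page.
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class RemoteAccessVpn:
    pki_selected: set[str]                          # Selected CA Servers in the PKI policy
    connection_profile_trustpoints: dict[str, str]  # profile name -> trustpoint on the IPsec tab
    sslvpn_interface_trustpoints: dict[str, str]    # interface -> trustpoint (SSL VPN Access)
    sslvpn_fallback_trustpoint: str | None = None   # SSL VPN Access fallback trustpoint
    ikev2_global_trustpoint: str | None = None      # Global Settings > IKEv2 Settings tab
    ikev2_enabled: bool = False


def required_trustpoints(vpn: RemoteAccessVpn) -> dict[str, list[str]]:
    """Return {trustpoint: [policies that reference it]} across the related policies."""
    refs: dict[str, list[str]] = {}

    def add(tp: str | None, where: str) -> None:
        if tp:
            refs.setdefault(tp, []).append(where)

    for profile, tp in vpn.connection_profile_trustpoints.items():
        add(tp, f"connection profile '{profile}'")
    for iface, tp in vpn.sslvpn_interface_trustpoints.items():
        add(tp, f"SSL VPN interface '{iface}'")
    add(vpn.sslvpn_fallback_trustpoint, "SSL VPN fallback")
    if vpn.ikev2_enabled:  # the global IKEv2 trustpoint only matters when IKEv2 is in use
        add(vpn.ikev2_global_trustpoint, "Global Settings > IKEv2")
    return refs


def missing_from_pki_policy(vpn: RemoteAccessVpn) -> dict[str, list[str]]:
    """Trustpoints referenced elsewhere but not selected in the PKI policy (deployment will fail)."""
    return {tp: where for tp, where in required_trustpoints(vpn).items()
            if tp not in vpn.pki_selected}


def ikev2_missing_global_trustpoint(vpn: RemoteAccessVpn) -> bool:
    """IKEv2 IPsec requires a global trustpoint; flag the case where none is set."""
    return vpn.ikev2_enabled and not vpn.ikev2_global_trustpoint


# Constructed sample: the 'Contractors' profile uses a trustpoint that was never selected.
SAMPLE = RemoteAccessVpn(
    pki_selected={"CA-Corp", "CA-SSL"},
    connection_profile_trustpoints={"Employees": "CA-Corp", "Contractors": "CA-Partner"},
    sslvpn_interface_trustpoints={"outside": "CA-SSL"},
    sslvpn_fallback_trustpoint="CA-Corp",
    ikev2_global_trustpoint="CA-Corp",
    ikev2_enabled=True,
)

if __name__ == "__main__":
    for tp, where in missing_from_pki_policy(SAMPLE).items():
        print(f"{tp} is used by {', '.join(where)} but is not a Selected CA Server")
```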
You can do the following to modify the listed objects: