Using pre-shared keys works fine in small VPN environments such as the site-to-site configuration. Larger environments connecting several or even hundreds of VPN tunnels use certificate authorities (CAs) to provide a more scalable solution than pre-shared keys. When using CAs, each PIX generates its own public and private key pair. The private key stays privately secured on the PIX, whereas the public key is used to create a digital certificate that is presented during IKE phase 1 to perform authentication. The certificates are validated against the CA before authentication can succeed. This alleviates the need to manually reconfigure all the systems when the keys change, as is the case when using pre-shared keys. The four basic steps needed to configure CAs are as follows:
Table 12.12 contains a general list of commands used in this process.

Table 12.12. ca Commands
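As an added illustration of the enrollment process described above (this is not the book's own table or step list), the following PIX 6.x command sequence enrolls a firewall with a CA. The CA nickname `abcd`, its address `192.0.2.10`, the SCEP script path, the hostname and domain, and the challenge password are placeholders, not values from the book.

```cisco
! Added example: enrolling a PIX (6.x syntax) with a certificate authority.
! CA nickname "abcd", address 192.0.2.10, the SCEP path, hostname/domain and
! the challenge password are placeholders, not values from the book.
hostname pix1
domain-name example.com
! Generate the RSA key pair; the private key never leaves the PIX.
ca generate rsa key 1024
! Identify the CA and its enrollment URL, then set retry behaviour
! (contact the CA directly, retry every 1 minute, up to 20 times,
! and do not fail if the CRL cannot be fetched).
ca identity abcd 192.0.2.10:/certsrv/mscep/mscep.dll
ca configure abcd ca 1 20 crloptional
! Fetch the CA certificate. Compare the fingerprint the PIX prints with one
! obtained from the CA administrator out of band before accepting it: this
! certificate is the trust anchor against which every peer is validated.
ca authenticate abcd
! Request the PIX's own certificate using the one-time challenge password,
! then write the keys and certificates to flash so they survive a reload.
ca enroll abcd <challenge-password>
ca save all
! Switch IKE phase 1 from pre-shared keys to RSA signatures.
isakmp policy 10 authentication rsa-sig
! Check: both the CA certificate and the PIX's own certificate should appear.
show ca certificate
```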