So I'm coming into a company who wants to move away from their IPCop firewalls and replace them with Cisco ASA 5505s. Instead of ripping the entire network down and keeping it down for however many weeks it takes to set up each new ASA, I decided to replace the IPCop firewalls with ASAs in our remote facilities first and replace the hub IPCop box at a later date (maybe even never).

Each of these IPCop firewalls in our remote facilities is tunneled to a single hub IPCop box using certificates. In order to remain consistent, I want to use certificates to create the VPN tunnel from the new ASA to the hub IPCop box.

What I've done so far:

  • Generated the RSA key pair on the ASA
  • Added the hub IPCop box as a trustpoint on the ASA using manual enrollment
  • Generated an enrollment request for the trustpoint
  • Took that enrollment request to the IPCop box and created a connection with it
  • Imported the identity certificate created by the IPCop box when I created the connection
  • Authenticated the root certificate of the IPCop box in the ASA
  • Ran through the VPN wizard to create the NAT exemptions and tunnel groups and such

By all indications, the VPN tunnel still isn't open. Is there a magical "flip the switch" step that I'm forgetting? Am I going about this all wrong?

blsub6
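Before looking for a missing "flip the switch" command, it is worth confirming that the certificate material itself is consistent, because a cert-based IPsec tunnel will silently refuse to come up if the identity certificate does not chain to the root the peer presents, does not match the key pair on the box, or is outside its validity window. The script below is an added example, not something from the question above or from IPCop or Cisco: it builds a throwaway CA standing in for the IPCop hub root, issues an identity certificate from a CSR standing in for the ASA enrollment request, and runs the checks against those files. The names `hub-ipcop-root-CA` and `remote-asa.example.net` are constructed placeholders, and the only tool assumed is the `openssl` command line.

```shell
#!/bin/sh
# Constructed example: a toy CA plays the IPCop hub root, a CSR plays the
# ASA enrollment request, and four checks are run on the resulting files.
set -e
WORK="$(mktemp -d)"
cd "$WORK"

# 1. Hub root CA (stands in for the IPCop root certificate authenticated on the ASA).
openssl req -x509 -newkey rsa:2048 -nodes -keyout hub-ca.key -out hub-ca.crt \
  -subj "/CN=hub-ipcop-root-CA" -days 3650 >/dev/null 2>&1

# A second, unrelated CA, used only to show what a chain mismatch looks like.
openssl req -x509 -newkey rsa:2048 -nodes -keyout other-ca.key -out other-ca.crt \
  -subj "/CN=some-other-root-CA" -days 3650 >/dev/null 2>&1

# 2. Remote-site key pair and CSR (stands in for the ASA RSA key and enrollment request).
openssl req -newkey rsa:2048 -nodes -keyout asa.key -out asa.csr \
  -subj "/CN=remote-asa.example.net" >/dev/null 2>&1

# 3. The hub signs the request (what IPCop does when the connection is created).
openssl x509 -req -in asa.csr -CA hub-ca.crt -CAkey hub-ca.key -CAcreateserial \
  -out asa.crt -days 365 >/dev/null 2>&1

# Check A: does the identity cert chain to the root the peer will present?
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo yes || echo no
}

# Check B: does the identity cert carry the public key of the private key on the box?
# (A cert imported against the wrong trustpoint/key pair fails here.)
key_matches() {
  a=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}')
  b=$(openssl pkey -in "$2" -pubout | openssl sha256 | awk '{print $NF}')
  [ "$a" = "$b" ] && echo yes || echo no
}

# Check C: is the certificate valid right now (not yet expired, not pre-dated)?
dates_ok() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1 && echo yes || echo no
}

# Check D: the subject CN the peer will compare against its configured identity.
subject_cn() {
  openssl x509 -in "$1" -noout -subject | sed 's/.*CN *= *//'
}

# Stand-alone run: print each check for the constructed files.
echo "chain to hub root:     $(chain_ok hub-ca.crt asa.crt)"
echo "chain to other root:   $(chain_ok other-ca.crt asa.crt)"
echo "cert matches asa.key:  $(key_matches asa.crt asa.key)"
echo "cert matches wrong key: $(key_matches asa.crt hub-ca.key)"
echo "within validity:       $(dates_ok asa.crt)"
echo "subject CN:            $(subject_cn asa.crt)"
```

On a real deployment the inputs are the exported files rather than generated ones: the root exported from the IPCop hub, the identity certificate it issued, and (for the key check) the public key shown by the ASA for the trustpoint. Any "no" above explains a tunnel that never negotiates, before any tunnel-group or crypto-map setting is involved.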
