Create IPsec tunnel in CPPM with Certificates.
ClearPass supports creating an IPsec tunnel using either a pre-shared key or PKI certificates to authenticate the remote peer. When certificate authentication is chosen, ClearPass uses the HTTPS server certificate installed on the node to authenticate itself to the peer, so the peer must be able to validate that certificate's chain. To view the currently installed HTTPS server certificates on a ClearPass node, navigate to Administration --> Certificates --> Server Certificates and select HTTPS as the certificate type.
This article shows how to create an IPsec tunnel between two ClearPass nodes using certificates as the authentication type.
To create an IPsec tunnel using certificates, follow the steps below:
1. Log in to ClearPass Policy Manager with Super Administrator privileges.
2. Navigate to Administration --> Server Manager --> Server Configuration.
3. Click the server hostname, go to the Network tab and click 'Create IPsec Tunnel'.
4. Specify the remote peer's IP address, set the IKE version to 2, set the authentication type to Certificate and click Save.
5. For certificate authentication to succeed, each node must trust the CA that issued the other node's HTTPS server certificate: the peer's issuing CA certificate must be present in the local trust list on both nodes, not just one.
For the purpose of illustration, the two ClearPass servers used here have HTTPS certificates signed by their respective Onboard CAs, so each node's trust list must contain the other node's Onboard CA certificate, as shown below.
CPPMv1 trust list:
CPPMv2 trust list:
To check the current tunnel status, click the icon under Action; once both sides trust each other's issuing CA, the tunnel should show as established on both nodes, as below.
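As an added example (not part of the original article and not ClearPass code), the following shell script reproduces the trust requirement of step 5 offline with openssl. It builds two throwaway nodes, cppmv1 and cppmv2, each with its own Onboard-style CA and an HTTPS server certificate issued by that CA, then shows that a node can validate the peer's certificate only after the peer's issuing CA has been added to its trust list. The node names, hostnames, file paths and helper functions are assumptions for illustration; against a real deployment you would export each node's HTTPS server certificate and its issuing CA from Administration --> Certificates and run the same openssl verify against the CA file you intend to import on the other node.

```shell
#!/bin/sh
# Added example, not from the original article or from ClearPass: an offline
# pre-check for step 5 (mutual trust of the issuing CAs). Node names, hostnames,
# paths and the helper functions below are assumptions for illustration.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the self-signed "Onboard CA" gets proper CA extensions
# regardless of the system openssl.cnf. The [dn] entry is overridden by -subj.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca_ext
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_node NAME HOSTNAME: create NAME's Onboard-style CA, an HTTPS server
# certificate for HOSTNAME signed by that CA, and a trust list that initially
# holds only NAME's own CA (the "before" state described in the article).
make_node() {
  name=$1
  host=$2
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -days 365 -subj "/CN=$name Onboard CA" \
    -keyout "$WORK/$name-ca.key" -out "$WORK/$name-ca.pem" 2>/dev/null
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$host" -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -sha256 -days 365 -in "$WORK/$name.csr" \
    -CA "$WORK/$name-ca.pem" -CAkey "$WORK/$name-ca.key" -CAcreateserial \
    -out "$WORK/$name.pem" 2>/dev/null
  cp "$WORK/$name-ca.pem" "$WORK/$name-trust.pem"
}

# peer_trusts LOCAL PEER: succeeds only if PEER's HTTPS certificate chains to a
# CA in LOCAL's trust list, which is exactly what LOCAL must be able to do when
# the peer authenticates with that certificate during IKEv2.
peer_trusts() {
  openssl verify -CAfile "$WORK/$1-trust.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# import_peer_ca LOCAL PEER: add PEER's issuing CA to LOCAL's trust list, the
# equivalent of importing the CA certificate on LOCAL in the ClearPass GUI.
import_peer_ca() {
  cat "$WORK/$2-ca.pem" >> "$WORK/$1-trust.pem"
}

# cross_trust_demo: build both nodes and confirm that validation fails before
# the CA exchange and succeeds afterwards in both directions. Returns 0 when the
# observed behaviour matches the requirement in step 5.
cross_trust_demo() {
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; nothing to demonstrate" >&2
    return 0
  fi
  make_node cppmv1 cppmv1.example.com
  make_node cppmv2 cppmv2.example.com

  if peer_trusts cppmv1 cppmv2 || peer_trusts cppmv2 cppmv1; then
    echo "unexpected: peer certificate trusted before the CA import" >&2
    return 1
  fi
  echo "before import: neither node can validate the other's certificate"

  import_peer_ca cppmv1 cppmv2
  import_peer_ca cppmv2 cppmv1

  if ! peer_trusts cppmv1 cppmv2 || ! peer_trusts cppmv2 cppmv1; then
    echo "unexpected: peer certificate still untrusted after the CA import" >&2
    return 1
  fi
  echo "after import: both nodes validate the peer certificate"
  return 0
}

cross_trust_demo
```

Run it with sh; the first check in each direction is expected to fail and the second to succeed. Importing the CA on only one node leaves the tunnel failing in the other direction, which is why the article shows both trust lists. The same openssl verify -CAfile check, run against the peer's real HTTPS certificate and the CA file you plan to import, tells you before saving the tunnel whether the trust lists are complete.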