Tuesday, April 28, 2020

IKEv2 RSA-signature using a peer-group

Using RSA certificates for VPN authentication gives you some flexibility in how you authenticate the remote peer. If you enforce strict matching and the remote peer needs to change its certificate, the simplest approach is to keep the same CN string in the new certificate and have it issued by the same root CA.

Sometimes this is not possible, or the remote firewall admin has to change the issuer or the certificate CN. If you use a peer-group instead of a single peer, you gain flexibility when the peer's issuer or CN changes.



Take note that the output of diag vpn ike gateway will show you which peer-group was used.




So if the remote firewall changes issuer, you only need to identify the new root CA and CN and add them to the peer-group. The remote firewall can then switch to the new certificate without involving you.
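The configuration described above, as an added example rather than the post's own config: two FortiGate "user peer" entries, one for the current (issuer, CN) pair and one for the pair the remote admin is moving to, grouped into a peer-group that the IKEv2 phase1 references. The peer names, CA labels, CN values, interface name and remote gateway address are constructed placeholders.

```text
# Added example (not from the original post): FortiGate CLI for IKEv2
# RSA-signature authentication against a peer-group. Names, CA labels,
# CNs and the remote address are constructed placeholders.

# One "user peer" per acceptable (issuer CA, subject CN) pair.
config user peer
    edit "remote-fw-current"
        set ca "CA_Cert_1"               # root CA that issued the current cert
        set cn "vpn.remote.example"      # subject CN the peer must present
        set cn-type string
    next
    edit "remote-fw-next"
        set ca "CA_Cert_2"               # the new issuer the remote admin moves to
        set cn "vpn-new.remote.example"  # the new CN
        set cn-type string
    next
end

# Group both pairs; a certificate matching either entry passes the check.
config user peergrp
    edit "remote-fw-grp"
        set member "remote-fw-current" "remote-fw-next"
    next
end

# Phase1 references the group instead of a single peer.
config vpn ipsec phase1-interface
    edit "to-remote-fw"
        set interface "wan1"
        set ike-version 2
        set remote-gw 203.0.113.10
        set authmethod signature
        set certificate "local-vpn-cert"   # our own cert presented to the peer
        set peertype peergrp
        set peergrp "remote-fw-grp"
        set proposal aes256-sha256
        set dhgrp 14
    next
end
```

Two points worth checking on such a config: each peer entry should keep a CN, because an entry with only a CA would accept any certificate that CA has issued, and once the remote side has cut over, the old entry should be removed from the group so the set of accepted identities shrinks back to one. The long form of the verification command in the post is diagnose vpn ike gateway list, whose output names the peer-group entry that matched.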









NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \


