cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1418
Views
0
Helpful
4
Replies
Highlighted
Explorer

Anyconnect and cisco vpn clients using the same certificate

Can anyconnect clients and cisco vpn ikev1-2 clients use the same certificate on an ASA?

2 ACCEPTED SOLUTIONS

Accepted Solutions
Cisco Employee

Anyconnect and cisco vpn clients using the same certificate

John.

The certificate is identifying a user/machine rather than protocol, so yes in general "yes" you can use same certificate for SSL/IKEv1/IKEv2 connections.

What you need to take care of is that said certificate is fulliling requirements of the said protocol, for example IKEv2 implmentations will "require" that particular KU are set and client-auth/server-auth EKU are set on certificates.

M.

View solution in original post

Beginner

Anyconnect and cisco vpn clients using the same certificate

Yes - this is possible. I'm doing this with AnyConnect 3.1, two ASA 5520 with VPN cluster, always on and CAP.

You can do this by using one certificate with the correct information  (OID) in the extended key usage field (EKU) - like this:

  • X509v3 Extended Key Usage:

               TLS Web Server Authentication, TLS Web Client Authentication, IPSec Tunnel

This supports both SSL (TLS Server & Client Authentication) and IPSec (IPSec Tunnel). Remember to configure your ASA to use the same trustpoint for both SSL and IKEv2 - like below:

  • crypto ikev2 remote-access trustpoint
  • ssl trust-point
  • ssl trust-point OUTSIDE

You can also do it by using two separate certificates - one for SSL and one for IKE - and then put the necessary information in the EKU field and point at the correct trustpoint for each service. I think this is only supported in newer versions of AnyConnect (3.1)

/Peter

View solution in original post

4 REPLIES 4
Cisco Employee

Anyconnect and cisco vpn clients using the same certificate

John.

The certificate is identifying a user/machine rather than protocol, so yes in general "yes" you can use same certificate for SSL/IKEv1/IKEv2 connections.

What you need to take care of is that said certificate is fulliling requirements of the said protocol, for example IKEv2 implmentations will "require" that particular KU are set and client-auth/server-auth EKU are set on certificates.

M.

View solution in original post

Explorer

Anyconnect and cisco vpn clients using the same certificate

I'm not sure where to set the KU and EKU for the certificate that the ASA is requesting.

Beginner

Anyconnect and cisco vpn clients using the same certificate

Yes - this is possible. I'm doing this with AnyConnect 3.1, two ASA 5520 with VPN cluster, always on and CAP.

You can do this by using one certificate with the correct information  (OID) in the extended key usage field (EKU) - like this:

  • X509v3 Extended Key Usage:

               TLS Web Server Authentication, TLS Web Client Authentication, IPSec Tunnel

This supports both SSL (TLS Server & Client Authentication) and IPSec (IPSec Tunnel). Remember to configure your ASA to use the same trustpoint for both SSL and IKEv2 - like below:

  • crypto ikev2 remote-access trustpoint
  • ssl trust-point
  • ssl trust-point OUTSIDE

You can also do it by using two separate certificates - one for SSL and one for IKE - and then put the necessary information in the EKU field and point at the correct trustpoint for each service. I think this is only supported in newer versions of AnyConnect (3.1)

/Peter

View solution in original post

Explorer

Anyconnect and cisco vpn clients using the same certificate

Thanks for the responses.

I did use the same certificate and anyconnect works just fine with the cisco vpn.