Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2636
Views
0
Helpful
4
Replies

Anyconnect and cisco vpn clients using the same certificate

Go to solution
john.wright
Level 3
Level 3

‎11-30-2012 05:19 AM - edited ‎02-21-2020 06:31 PM

Can anyconnect clients and cisco vpn ikev1-2 clients use the same certificate on an ASA?

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎12-02-2012 11:57 PM

John.

The certificate is identifying a user/machine rather than protocol, so yes in general "yes" you can use same certificate for SSL/IKEv1/IKEv2 connections.

What you need to take care of is that said certificate is fulliling requirements of the said protocol, for example IKEv2 implmentations will "require" that particular KU are set and client-auth/server-auth EKU are set on certificates.

M.

View solution in original post

0 Helpful

Go to solution
ppejjorgensen
Level 1
Level 1

‎12-07-2012 04:52 AM

Yes - this is possible. I'm doing this with AnyConnect 3.1, two ASA 5520 with VPN cluster, always on and CAP.

You can do this by using one certificate with the correct information  (OID) in the extended key usage field (EKU) - like this:

  • X509v3 Extended Key Usage:

               TLS Web Server Authentication, TLS Web Client Authentication, IPSec Tunnel

This supports both SSL (TLS Server & Client Authentication) and IPSec (IPSec Tunnel). Remember to configure your ASA to use the same trustpoint for both SSL and IKEv2 - like below:

  • crypto ikev2 remote-access trustpoint
  • ssl trust-point
  • ssl trust-point OUTSIDE

You can also do it by using two separate certificates - one for SSL and one for IKE - and then put the necessary information in the EKU field and point at the correct trustpoint for each service. I think this is only supported in newer versions of AnyConnect (3.1)

/Peter

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎12-02-2012 11:57 PM

John.

The certificate is identifying a user/machine rather than protocol, so yes in general "yes" you can use same certificate for SSL/IKEv1/IKEv2 connections.

What you need to take care of is that said certificate is fulliling requirements of the said protocol, for example IKEv2 implmentations will "require" that particular KU are set and client-auth/server-auth EKU are set on certificates.

M.

0 Helpful

Go to solution
stownsend
Level 2
Level 2
In response to Marcin Latosiewicz

‎04-04-2013 11:55 AM

I'm not sure where to set the KU and EKU for the certificate that the ASA is requesting.

0 Helpful

Go to solution
ppejjorgensen
Level 1
Level 1

‎12-07-2012 04:52 AM

Yes - this is possible. I'm doing this with AnyConnect 3.1, two ASA 5520 with VPN cluster, always on and CAP.

You can do this by using one certificate with the correct information  (OID) in the extended key usage field (EKU) - like this:

  • X509v3 Extended Key Usage:

               TLS Web Server Authentication, TLS Web Client Authentication, IPSec Tunnel

This supports both SSL (TLS Server & Client Authentication) and IPSec (IPSec Tunnel). Remember to configure your ASA to use the same trustpoint for both SSL and IKEv2 - like below:

  • crypto ikev2 remote-access trustpoint
  • ssl trust-point
  • ssl trust-point OUTSIDE

You can also do it by using two separate certificates - one for SSL and one for IKE - and then put the necessary information in the EKU field and point at the correct trustpoint for each service. I think this is only supported in newer versions of AnyConnect (3.1)

/Peter

0 Helpful

Go to solution
john.wright
Level 3
Level 3
In response to ppejjorgensen

‎12-11-2012 06:32 AM

Thanks for the responses.

I did use the same certificate and anyconnect works just fine with the cisco vpn.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents