Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
487
Views
0
Helpful
2
Replies

AnyConnect - RA - VPN

CISCO8006
Level 1
Level 1

‎12-12-2015 02:09 AM - edited ‎02-21-2020 08:35 PM

Hi folks!

I want to deploy AnyConnect without a PKI - I want to use self signed certificates

First i create an RSA keypair for the Certificate

crypto key generate rsa label RSA_IDENT noconfirm

Enroll the Self Signed Certificate I use for the CN the Outside - IF - IP-Address

crypto ca trustpoint Trust_Ident
revocation-check none
keypair RSA_IDENT
id-usage ssl-ipsec
no fqdn
subject-name CN=10.0.0.1
enrollment self

cypto ca enroll Trust_Ident noconfirm

Asign the Trustpoint to the Outside Interface for IPSEC and SSL

ssl trust-point Trust_Ident OUTSIDE
crypto ikev2 remote-access trustpoint Trust_Ident line 2

I also export the identity-certificate in PEM Format

crypto ca export Trust_Ident identity-certificate

On the WIN7 Client I import the exported PEM - File into the "Trusted Root Certificates" (via the mmc - Certificate Console)
I also imported the PEM - File in the JAVA - Secure Site Section

After that I can built a VPN Tunnel via the AnyConnect client without any certificate - Problem

I use the URL - when the user connect's the first time to get the AnyConnect Client installed.


There is my PROBLEM - The browser has an certificate Error that the URL - From the ASA is untrusted.
I also tried to import the PEM - File from the ASA into the certificates from the browser - with no success
When i tust the offered certificate and i add it to my browsers-trusted cerfificate it sure works but it is a different cert as the one i have from the PEM-File

Where can i find the Cert. on the ASA which is used for https: - Why is this a different as the one which I assigned for the OUTSIDE IF

How can i solve the problem with the browsers - cerfificate error when i use self signed Cert on the ASA?

THANKS!

Max

Labels:
0 Helpful
2 Replies 2

pdub206
Level 1
Level 1

‎12-12-2015 10:17 AM

I may be wrong but I believe the cert issued to the client is not the original one for security purposes.  If you were to give your self signed cert out to a client they could turn around and issue other certificates with it, causing a security incident.

It's like public/private key pairs.  You keep your private certificate and publish only public ones, which can be validated against the private.

Throwing packets since 2012
0 Helpful

CISCO8006
Level 1
Level 1
In response to pdub206

‎12-12-2015 10:38 AM

Hi Patrick

The cert from the ASA in the PEM - Format has only the public key in it. I "manually" give this public key on the client so there is no possibility that he get's a worng public key from the man in the middle. 

max

0 Helpful
Customers Also Viewed These Support Documents