10-15-2012 12:26 PM - edited 02-21-2020 06:24 PM
We have an ASA5525 that we are attempting to use to create a VPN tunnel using certificates. For now the ASA will be the CA. It appears that we have successfully downloaded the cert to the client. Our network is fairly simple. ASA is at 10.0.0.1 on the outside and client at 10.0.0.3. The client connects through a switch to the outside of the VPN. This part works.
The requirement is for the client to authenticate using only a cert. From debugging, it appears that the cert checks out ok. When attempting to connect, the client (AnyConnect V3.1) receives a pop up to choose a group; when the group is chosen, login is denied for unauthorized connection mechanism. We are trying to use IKEv2. Please note that we are using a beta release of code for the ASA. I have attached a log of our attempt, a "show run" and a "show version".
Thanks
Douglas
10-17-2012 06:10 AM
I have made some progress with this configuration. Added a rule to allow "any any" on the outside.
When I attempt with anyconnect without a profile (simply by IP) I connect using SSL:
ciscoasa# show vpn-sessiondb anyconnect
Session Type: AnyConnect
Username : bart Index : 2
Assigned IP : 192.168.30.5 Public IP : 10.0.0.4
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Essentials
Encryption : RC4 AES128 Hashing : none SHA1 SHA1
Bytes Tx : 10710 Bytes Rx : 3761
Group Policy : AnyConnect-policy Tunnel Group : AnyConnect-group
Login Time : 12:46:17 UTC Wed Oct 17 2012
Duration : 0h:00m:09s
Inactivity : 0h:00m:00s
NAC Result : Unknown
VLAN Mapping : N/A VLAN : none
However, we are unable to connect using IKEv2 (using our AnyConnect client profile); we received the following:
%ASA-7-717030: Found a suitable trustpoint LOCAL-CA-SERVER to validate certificate.
%ASA-6-717022: Certificate was successfully validated. serial number: 04, subject name: cn=bart.
%ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
%ASA-3-751013: Local:10.0.0.1:4500 Remote:10.0.0.4:63175 Username:DefaultL2LGroup Failed to process Configuration Payload request for attribute 0x1. Error: Platform errors
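The log excerpt above is the useful part of this post: the certificate validates (717022), but the IKEv2 session is processed under the Username DefaultL2LGroup, i.e. the built-in LAN-to-LAN tunnel group rather than the remote-access group that the SSL session landed in. The following parser is an added example and not part of the original thread; it reads the quoted syslog lines (embedded here as a constructed sample), pulls out the message IDs, peer addresses and certificate subject, and flags two conditions a defender would want surfaced: a certificate accepted without a revocation check (717028) and a certificate-authenticated peer that fell into one of the ASA's default tunnel groups (751013 with Username:Default*). The set of default group names and the reporting format are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the syslog lines quoted in the post above, one per line.
SAMPLE_LOG = """\
%ASA-7-717030: Found a suitable trustpoint LOCAL-CA-SERVER to validate certificate.
%ASA-6-717022: Certificate was successfully validated. serial number: 04, subject name: cn=bart.
%ASA-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
%ASA-3-751013: Local:10.0.0.1:4500 Remote:10.0.0.4:63175 Username:DefaultL2LGroup Failed to process Configuration Payload request for attribute 0x1. Error: Platform errors
"""

# %ASA-<severity>-<6-digit message id>: <text>
MSG_RE = re.compile(r"^%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)$")
# Peer/user tuple that the IKEv2 (75xxxx) messages carry.
PEER_RE = re.compile(
    r"Local:(?P<local>[\d.]+):(?P<lport>\d+)\s+Remote:(?P<remote>[\d.]+):(?P<rport>\d+)"
    r"\s+Username:(?P<user>\S+)"
)
# Subject DN from 717022; the trailing full stop belongs to the sentence, not the DN.
SUBJECT_RE = re.compile(r"subject name:\s*(?P<subject>.+?)\.?$")

# Assumption: built-in tunnel groups a certificate-authenticated remote-access
# client should never end up in when a certificate map is configured correctly.
DEFAULT_GROUPS = {"DefaultL2LGroup", "DefaultRAGroup", "DefaultWEBVPNGroup"}


@dataclass
class AsaMessage:
    severity: int
    msg_id: str
    text: str


@dataclass
class Finding:
    msg_id: str
    detail: str


def parse_lines(log: str) -> List[AsaMessage]:
    """Split raw syslog text into structured messages, skipping non-ASA lines."""
    messages = []
    for line in log.splitlines():
        m = MSG_RE.match(line.strip())
        if m:
            messages.append(AsaMessage(int(m["sev"]), m["id"], m["text"]))
    return messages


def extract_subject(text: str) -> Optional[str]:
    """Return the certificate subject named in a 717022 message, if present."""
    m = SUBJECT_RE.search(text)
    return m["subject"] if m else None


def analyse(messages: List[AsaMessage]) -> List[Finding]:
    """Walk the messages in order and report the two conditions described above."""
    findings: List[Finding] = []
    subject: Optional[str] = None
    for msg in messages:
        if msg.msg_id == "717022":
            # Remember which certificate was validated so later findings can name it.
            subject = extract_subject(msg.text) or subject
        elif msg.msg_id == "717028" and "revocation status was not checked" in msg.text:
            findings.append(Finding(msg.msg_id, "certificate accepted without a revocation check"))
        elif msg.msg_id == "751013":
            peer = PEER_RE.search(msg.text)
            if peer and peer["user"] in DEFAULT_GROUPS:
                findings.append(Finding(
                    msg.msg_id,
                    f"peer {peer['remote']} (cert subject {subject or 'unknown'}) landed in "
                    f"default tunnel group {peer['user']}; no certificate map selected a "
                    f"remote-access group",
                ))
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_lines(SAMPLE_LOG)):
        print(f"{finding.msg_id}: {finding.detail}")
```

Run against a live syslog feed, the 751013 finding is the one that distinguishes "certificate is bad" from "certificate is fine but the tunnel-group selection is wrong", which is exactly the distinction this thread turned on.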
10-24-2012 09:06 AM
I guess nobody is working on this sort of thing.
10-24-2012 09:24 AM
Hi Douglas,
Please check this out:
ASA Anyconnect IKEv2 configuration example
From the logs, it looks like you are hitting the DefaultL2LGroup. Review the previous link and adjust your settings.
HTH.
Portu.
Please rate any helpful posts
10-24-2012 11:28 AM
Thank you for your prompt reply. I will set this up again in my lab right away and give it a very close examination.
10-24-2012 11:55 AM
Sounds good to me.
Thanks for the heads up!
Please rate any helpful posts
10-26-2012 07:11 AM
I was working on another project and will be resuming on this one today. I am working on Suite B, so for the past week I tabled this one to work on an Aruba 650. Got it working.
The project will be a user using AnyConnect to the ASA5525. Then the Aruba VIA client will launch and connect to the Aruba 650. So two VPN sessions, both using certs.
And now back to this one, I got the ASA loaded with the configuration that was used in the example above. Will review the documentation closely and report back. Again, thanks.
Douglas
10-26-2012 12:11 PM
Worked on this most of the day. Checked out the document from the link above. Worked mainly on making sure that the configuration matched line for line. I cannot say which of the changes made allowed the change in the device. Basically I killed the configuration. Copied the last known configuration from flash to start and reloaded. I then went through the document in the ASDM. I also loaded ASDM "asdm-70025.bin" instead of the previously used "asdm-66114.bin". I made a few changes in the ASDM which are hard to remember. And cleaned up the access lists. Basically did an "ip any any" and applied it globally. Don't need security setup since we just wanted to test the certs and the client.
Next step is a point to point tunnel using certs between the Cisco ASA and the Aruba 650.
Douglas
10-26-2012 12:24 PM
Douglas,
So it is working, right?
Portu.
10-26-2012 12:35 PM
Yes it is. ASA devices are not my strong suit. I am more of a switch and router person. Thanks for your assistance.
Douglas
10-26-2012 12:43 PM
Well my friend, let me tell you that you just configured an advanced deployment!
Thanks for sharing your results. Please feel free to open a TAC case or a new post here if you experience any issues with the LAN-to-LAN tunnel using certificates.
Portu.