Anyconnect VPN via IPSec - Certificate issue

amir.glibic
Level 1

Hi,


I'm currently setting up a VPN-firewall and ran into problems with the certificates. I only want to enable IPSec connections via Anyconnect to the firewall. The client and the profile will be rolled out manually, so there is no need for anything web-based (portal, web-installer, SSL, etc.).

The VPN-firewall is reached through the normal outside-firewall (NAT) via FQDN (vpn.abc.com).


The normal setup is finished, but I have problems regarding the certificate. First I generated a CSR with "cn=fw001.abc.com", installed, bound to interface - but when I try to connect, I get the certificate error ("cert doesn't match server name" and "ca not trusted"). Then I tried a new CSR with "cn=vpn.abc.com", but it's still the same. Tomorrow I will try to get the CA-certificate to get rid of the "ca not trusted" message, but this one with the server name will still remain.

I mean, the connection works, but it's this popup-window with the certificate warning that bothers me.


I already had a similar configuration on another site, but there I had a wildcard certificate (*.xyz.com), which I installed as identity certificate and it worked properly.


Questions:

1.) Does anybody know what could be the issue here?

2.) Do I need a certificate on the outside firewall?


Thanks in advance!
7 Replies

jj27
Spotlight

If you do not want the certificate warnings, you will need to purchase a 3rd-party trusted certificate from someone like GoDaddy. You can create a CSR with the FQDN being the URL you want to use -- vpn.abc.com, then you will send the CSR to them, they will sign it and give you a certificate. You then install that certificate and the root/intermediate certs for the 3rd party provider.

Alternatively, if you are wanting to use your internal CA server for your domain or something of the sort, as long as that root CA is trusted on the PCs connecting you can go that route.

Thanks for the response.

First of all, I need to state once again that I get 2 warnings:

1.) Certificate does not match the server name.
2.) Certificate is from an untrusted source.
I know the procedure regarding certificates, I generated a request and got the proper signed licence, but the issue is the "server name not matching"-message. I created the CSR with the CN=vpn.abc.com, and got it signed with this CN. In the connection profile, the tunnel destination is also set to the domain and not the IP:

"<HostAddress>vpn.abc.com</HostAddress>"


But nevertheless, I get the message that the certificate doesn't match the server name.

I'm aware that the CA must be trusted on the PC, but this explains only the second message (untrusted) and not the mismatching name.

Like I said, I also tried it with CN=hostname.abc.com and sent the CSR to the signing, but it was the same issue. What name must I use so that the first message isn't showing up?

Did you apply the signed certificate as the SSL certificate for the interface on the ASA?

What is the output of "show run ssl" and "show crypto ca trustpoint"?


Yes, it's applied, and the whole profile and policy was removed and created once again.


Regarding the outputs, I can tell you tomorrow.

Sounds good. I wouldn't mind seeing a capture of the actual certificate if you browse to https://vpn.abc.com, then click on the padlock in the browser and view the certificate properties so you can see the CN on the cert, who signed it, etc. It's really not that complicated so I'm sure we are missing something.

You must be aware that SSL isn't active, so there is no interaction when you try to connect with the browser (timeout).


It's only about the identity certificate when connecting via IKEv2-tunnel (Anyconnect).

I apologize for my misunderstanding.

Make sure that your SSL and IKEv2 trustpoints are configured and the same. IKEv2 will still download the profiles and updates over SSL but the tunnel will be IKEv2 once established.


ssl trust-point Signed_TP outside
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access Signed_TP outside
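An added offline preflight (example code, not from this thread or from Cisco) for the two points raised above: it parses "show run" text in the shape of the three lines just quoted and reports interfaces whose SSL and IKEv2 trustpoints differ, and it models the client's server-name check (exact match or a wildcard covering only the leftmost label, as with the *.xyz.com certificate mentioned earlier) so you can see why CN=fw001.abc.com fails against HostAddress vpn.abc.com. The sample config and names below are constructed; real "show run" output may carry extra keywords.

```python
"""Preflight for the AnyConnect IKEv2 certificate warnings discussed above.
Check 1: SSL and IKEv2 trustpoints on each interface must agree.
Check 2: the identity certificate must carry a name matching HostAddress."""
import re

# Constructed sample modelled on the last reply; not a real device dump.
SAMPLE_RUN = """\
ssl trust-point Signed_TP outside
crypto ikev2 enable outside client-services port 443
crypto ikev2 remote-access Signed_TP outside
"""


def trustpoints(show_run: str) -> dict:
    """Map interface -> trustpoint for the ssl and ikev2 remote-access lines.
    Accepts an optional 'trustpoint' keyword before the name (assumption)."""
    found = {"ssl": {}, "ikev2": {}}
    for raw in show_run.splitlines():
        line = raw.strip()
        m = re.match(r"ssl trust-point (\S+) (\S+)$", line)
        if m:
            found["ssl"][m.group(2)] = m.group(1)
        m = re.match(r"crypto ikev2 remote-access (?:trustpoint )?(\S+) (\S+)$", line)
        if m:
            found["ikev2"][m.group(2)] = m.group(1)
    return found


def trustpoint_mismatches(show_run: str) -> list:
    """Interfaces where SSL and IKEv2 name different (or missing) trustpoints."""
    tp = trustpoints(show_run)
    return sorted(i for i in set(tp["ssl"]) | set(tp["ikev2"])
                  if tp["ssl"].get(i) != tp["ikev2"].get(i))


def name_matches(host: str, cert_name: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; '*' is allowed only as the
    entire leftmost label and never matches more than one label."""
    host, cert_name = host.lower().rstrip("."), cert_name.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return host == cert_name
    h, c = host.split("."), cert_name.split(".")
    # '*.xyz.com' covers 'vpn.xyz.com' but not 'xyz.com' or 'a.b.xyz.com'
    return len(h) == len(c) and h[1:] == c[1:]


def cert_covers_host(host_address: str, cert_names: list) -> bool:
    """True if any CN or SAN dNSName on the certificate matches HostAddress."""
    return any(name_matches(host_address, n) for n in cert_names)
```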