09-28-2013 06:16 PM
Team,
ASA version 9.1(3), ASDM 7.1(4) on 5505.
I've got a pair of Cisco ASA 5505s between which I am trying to establish a tunnel. I can make it all work with PSK: IKEv2 with AES-256 IPsec. No issues...
However, I have been told that I can self-sign certificates and use those to authenticate each firewall to the other. I have been trying for hours: generating certs in all combinations and options, exporting the P12s to the other firewall and adding them in. No problems there.
I have self signed all the certs so there is no CA.
Then I go back into the connection profile, remove the PSK and flip over to RSA-SIG in the IKE policy.
Does anyone have this working with the ASA version I am running, and care to share your configuration snippets, especially how you created the keypair, self-signed it, exported it and added it to the adjacent firewall?
I don't want to use PSK for authentication.
Help!
09-29-2013 02:38 AM
I've never used it that way without a CA, so I can't guarantee that it will work, but one thing is often forgotten with digital certificates: have you assigned the ID cert in the crypto map?
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
09-29-2013 07:39 PM
Hi,
I believe I am - this is what I have done...
ASA #1
======
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer aaa.bbb.ccc.ddd
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
crypto map outside_map 1 set trustpoint ASDM_TrustPoint0
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=asa1.domain.com
 keypair Site2SiteVPN
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 keypair ASDM_TrustPoint1
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate 807d4
 quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate 687d4
 quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 20
ASA #2
======
crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer eee.fff.ggg.hhh
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
crypto map outside_map 1 set trustpoint ASDM_TrustPoint0
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=asa2.domain.com
 keypair Site2SiteVPN
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 keypair ASDM_TrustPoint1
 crl configure
crypto ca trustpool policy
crypto ca certificate chain ASDM_TrustPoint0
 certificate 687d4
 quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate 807d4
 quit
crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
What I am pulling from the log file:
%ASA-3-717021: Certificate data could not be verified. Locate Reason: reason_string serial number: serial number, subject name: subject name, key length key length bits.
An attempt to verify the certificate that is identified by the serial number and subject name was unsuccessful for the specified reason. When verifying certificate data using the signature, several errors can occur that should be logged, including invalid key types and unsupported key size.
• reason_string—The reason that the certificate cannot be verified
• serial number—Serial number of the certificate that is being verified
• subject name—Subject name included in the certificate that is being verified
• key length—The number of bits in the key used to sign this certificate
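The posted configuration shows the crypto map, the trustpoints and the IKE policies, but not the tunnel-group, which is where the ASA's IKEv2 implementation selects its own identity certificate and the authentication method it expects from the peer; the crypto map's set trustpoint is the IKEv1 binding. The fragment below is an added example, not configuration from this thread. It reuses the posted names ASDM_TrustPoint0, Site2SiteVPN, outside_map and the placeholder peer address aaa.bbb.ccc.ddd, and introduces a hypothetical trustpoint PEER-CERT for the peer's certificate. It also differs from the procedure in the original post on one point: a PKCS#12 export carries the private key, so importing the peer's P12 leaves each firewall holding the other's private key, which defeats the point of per-device keys. The peer is instead trusted from its public certificate alone, and the ASA then validates the presented certificate against the CA certificates held in its trustpoints. Whether the ASA accepts a self-signed peer certificate installed this way is exactly what the TAC answer later in the thread disputes; the tunnel-group lines are required either way, including with a third-party CA.

```cisco
! Added example, not from the thread. Names not present in the posted
! config (PEER-CERT) are assumptions. Apply the mirror image on the peer.
!
! 1. Own identity certificate: the trustpoint already in the posted config,
!    self-signed here as in the thread. The crypto map binds it for IKEv1.
crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=asa1.domain.com
 keypair Site2SiteVPN
 crl configure
crypto ca enroll ASDM_TrustPoint0 noconfirm
!
! 2. Trust anchor for the peer: install only the peer's PUBLIC certificate
!    (PEM from "show crypto ca certificates" on the peer), never its PKCS#12,
!    which contains the private key. A self-signed certificate publishes no
!    CRL, so revocation checking is off; with a real CA use crl or ocsp here.
crypto ca trustpoint PEER-CERT
 enrollment terminal
 revocation-check none
crypto ca authenticate PEER-CERT
 -----BEGIN CERTIFICATE-----
 (peer certificate, base64, pasted here)
 -----END CERTIFICATE-----
 quit
!
! 3. Tunnel-group: the part the posted config does not show. IKEv2 takes its
!    identity certificate and the peer authentication method from here, not
!    from the crypto map; ikev1 trust-point covers the IKEv1 side.
tunnel-group aaa.bbb.ccc.ddd type ipsec-l2l
tunnel-group aaa.bbb.ccc.ddd ipsec-attributes
 ikev1 trust-point ASDM_TrustPoint0
 ikev2 remote-authentication certificate
 ikev2 local-authentication certificate ASDM_TrustPoint0
```

After applying this on both firewalls, show crypto ca certificates should list the identity certificate under ASDM_TrustPoint0 and the peer's certificate as the CA certificate of PEER-CERT, and show crypto ikev2 sa should show the SA once traffic matching outside_cryptomap brings the tunnel up; if it does not, the 717021 syslog quoted above names the failing certificate by serial number and subject, which tells you which of the two trust anchors was not accepted. Separately from the certificate question, the posted IKEv2 policy uses SHA-1 for integrity and PRF and DH group 5 (1536-bit MODP), both below current guidance, which calls for SHA-256 and group 14 or an ECDH group.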
10-02-2013 05:54 AM
Hello Everyone,
I opened a TAC case with Cisco. Don't believe what you hear in the public domain: Cisco advises that you cannot use self-signed certificates to authenticate with, nor can you use the built-in CA to do it either.
A third party CA is all you can do.
This kind of makes sense, because what is the reason you would go to certificates anyway? So that you can authenticate your peer through a third party, and also, if a peer is compromised, revoke its certificate so it becomes untrusted.
Therefore - don't waste your time like I did because it doesn't work.
Have a nice day and happy computing!
Chris