ASA5505 IPSEC only with Self-Signed certs

Jason Boston
Level 1

Hello all,

I have limited Cisco training and have been tasked with a pilot project. We have scavenged the ASA from another department, but I have no access to support. It's running ASA v9.1 and ASDM 7.1. If all goes well I'll be sent on training and we will be purchasing a nice 5520.

So I've scoured the internet for an easy guide to do as my title says, but am having major difficulties. I can find lots of support for SSL VPN with self-signed or IPSEC VPN with externally signed certs, but I can't get ASA self-signed IPSEC IKEv2 only with certificate authentication. Also, to make it even worse, I need to provide the user with the software, profile and certificate by hand. No web-access portal or download.

If you know where I can get a good setup guide for this type of use, please by all means save me here. If this isn't even possible I'm cool with that, just let me know.

Thanks for any help you can provide

Jay

Accepted Solution

If the ASA is using a certificate issued by a CA that is in the client's trusted root CA store, then the ASA identity certificate does not need to be imported by the client.

That's why it's generally recommended to go the route of using a well-known public CA, as they are already included in most modern browsers and thus the client doesn't need to know how to import certificates etc.

If you are using a local CA that is not in the client's trusted root CA store to issue your ASA identity certificate or self-signing certificates on the ASA then you need to take additional steps at the client.

In the first case, you would import the root CA certificate in the trusted root CA store of the client. After that, any certificates it has issued (i.e. the ASA's identity certificate) would automatically be trusted by the client.

In the second case, the ASA's identity certificate itself would have to be installed on the client since it (the ASA) is essentially acting as its own root CA. I usually install them in my client's Trusted Root CA store, but I guess that's technically not required, as long as the client knows to trust that certificate.


3 Replies

Marvin Rhoads
Hall of Fame

You can deploy a remote access VPN using IPsec (IKEv2) with self-signed certificates and pre-deployed AnyConnect client, profile and certificate.

I'd recommend you purchase the CCNP Security VPN certification guide and follow through the chapters in there - most of the bits necessary to support for your scenario on the ASA are covered there.

Once you have the ASA set up, the client software could be manually deployed using the ISO package, and the ASA certificate and XML connection profile could also be deployed manually. The ASA certificate would need to be installed in the Trusted Root CA section of the user's desktop. Inherent in how it works, however, is the dynamic update of the profile upon user connection.

Thank you Marvin,

I have sent the email request to my boss to order me the guide ASAP.

As for the self-signed, can you just clarify: the workstation would need the Root CA exported from the Local-CA-Server as well as the identity certificate for the ASA that is set to be the device's identity certificate?

If so, does the identity certificate get installed in the personal store, machine store or does it matter?

Thanks again,

Jay
