02-05-2013 08:35 AM - edited 02-21-2020 06:41 PM
Hi Guys,
Can anyone help me out?
I have an IPsec VPN running on a PSK, which I am changing to certificate-based authentication with the firewall being a local CA.
I have created the RSA key, then created the trustpoint, and then enrolled the firewall with the local CA as shown below, which gave me a CSR.
I now have the certificate. How do I import or copy and paste this and associate it with the current IPsec tunnel? The Cisco documentation I can find is only for an external CA.
Steps I have done on the firewall:
! RSA key pair for the trustpoint (1024-bit as posted; 2048-bit is the usual minimum today)
crypto key generate rsa label FA62TESTLAB01 modulus 1024
!
! Trustpoint: enrollment mode must be set before "crypto ca enroll" is run,
! and the RDNs in subject-name are comma separated
crypto ca trustpoint FA62TESTLAB01
 enrollment terminal
 subject-name CN=FA62TESTLAB01.cisco.com,L=US
 keypair FA62TESTLAB01
 exit
!
! Generate the CSR (terminal enrollment prints it to the console)
crypto ca enroll FA62TESTLAB01
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=FA62TESTLAB01.cisco.com,OU=cis
% The fully-qualified domain name in the certificate will be: FA62TESTLAB01
% Include the device serial number in the subject name? [yes/no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
OUTPUT OMITTED
-----END CERTIFICATE REQUEST-----
I now have the certificates which were generated off the back of the CSR. What is the next step for me to import the certificate and also attach it to the IPsec VPN?
Thanks
02-05-2013 09:09 AM
You are most of the way there.
You can install the new certificate following the procedure from Step 8 here.
Note if you have an HA pair, you will need to manually force a write to the standby unit. Reference.
Now that you have the certificate on your ASA(s), you can modify the IPsec VPN authentication method. Please refer to the guide here and start at Step 7. Since you already have a working VPN using the PSK IKE peer authentication method, you need only change it to use the certificate method instead.
03-13-2013 07:08 PM
Sorry for the late reply; I tested this today and it still did not work.
Error message:
fa44rgexvpn01/pri/act# Mar 13 14:07:09 [IKEv1]: Group = 81.120.94.92, IP = 81.120.94.92, Can't find a valid tunnel group, aborting...!
Mar 13 14:07:17 [IKEv1]: IP = 81.120.94.92, Header invalid, missing SA payload! (next payload = 4)
Commands I added since the 1st message:
! Import the issued identity certificate into the trustpoint (base64 pasted at the prompt)
crypto ca import FA62TESTLAB01 certificate
WIID2DCCAsCgAwIBAgIKYb9wewAAAAAAJzANBgkqhkiG9w0BAQUFADAQMQ
!--- output truncated
wPevLEOl6TsMwng+izPQZG/f0+AnXukWHQiUPwrYw83jqNIxi5aDV/4atBbgiiBa
6duUocUGyQ+SgegCcmmEyMSd5UtbWAc4xOMMFw==
!
! L2L tunnel group for the peer, authenticating with the trustpoint instead of a pre-shared key
tunnel-group 83.122.94.90 type ipsec-l2l
tunnel-group 83.122.94.90 ipsec-attributes
 trust-point FA62TESTLAB01
!
ssl trust-point FA62TESTLAB01 outside
I tried adding the following:
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
I also tried changing the tunnel-group attribute to the default group without any joy, and got the same error message:
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point FA62TESTLAB01
Finally I added these; still no joy:
tunnel-group-map enable ou
tunnel-group-map enable ike-id
tunnel-group-map enable peer-ip
Does anyone know why I am getting these messages? Please help.
03-14-2013 03:00 AM
Hello Nouraj,
You don't need all these SSL commands, as here we are doing an IPsec L2L tunnel, and the SSL commands you mentioned are used for SSL VPN, which is not related at all to what you need to achieve.
When you run the command "sh run crypto isakmp | inc identity", what do you get? "identity address"?
If yes, please change it to auto using the command "crypto isakmp identity auto".
You just need to have proper certificates on both sides that are trusted by the same CA server, and assign the trustpoint name under the tunnel-group ipsec-attributes instead of the pre-shared-key command.
Let us know how it goes.
Regards,
Othman
03-14-2013 03:02 AM
Also, please remove the tunnel-group-map commands you added, along with the SSL commands.
03-14-2013 12:00 PM
This can be pretty hard to set up the first time. I am a novice and not an expert on the ASA. However, I have managed to get an ASA in the lab working with the ASA as the CA and also using OpenSSL as the CA. The basics for both are pretty straightforward but more difficult in execution. I assume you are using AnyConnect? Certificates can also be used for point-to-point tunnels with another ASA, other VPN devices, and even strongSwan.
One trustpoint for the CA
One trustpoint for the ASA certificate signed by the CA
The CA certificate is needed on the client side
The client needs a cert signed by the CA, which can be done through a client web login or installed manually.
Handy commands:
show crypto ca certificates
show crypto ca trustpoints
I have attached a working AnyConnect lab configuration from my ASA. It works; in fact I have a client connected now and can keep it going for weeks. We are using EC certs, but RSA works as well. I used OpenSSL in this example. Never assume. Verify each portion of the connection, from IKE to IPsec. I only use IKEv2 (easier, I think) and set my IKE proposal and IPsec proposals manually. I install the trustpoints before I configure tunnels or VPNs. I think it is easier.
Please note my comments are those of a novice. But if I got it to work, then you should as well.
03-15-2013 07:47 PM
Hi Othman & Douglas,
Thanks for your response. I tried this first without the SSL and tunnel-group-map commands and had the same error; then I added those two commands and it still did not work.
I am running a LAN-to-LAN IPsec tunnel over the public internet on a Cisco ASA 5510 in single mode. It works fine with a pre-shared key; the issue is with certificates. Below is the output for the certificate.
I have not configured the command "crypto isakmp identity auto".
- I have 2 other IPsec L2L VPNs running on PSK; won't the crypto isakmp identity auto command affect the others?
Output below:
FA62TESTLAB01/pri/act# show crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 231bf4583228e9caea243b4163d08474
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=VI CA5
    ou=MPN
    o=MPN
    c=US
  Subject Name:
    cn= FA62TESTLAB01.eu.mpn.net
    ou=VE
    o=VE
    c=GB
  CRL Distribution Points:
    [1] ldap://crl.inov.mpn.net:389/cn=VI CA5,c=US,ou=MPN,o=MPN?certificateRevocationList
    [2] http://crl.inov.mpn.net/VICA2.crl
  Validity Date:
    start date: 18:00:51 GMT Jan 3 2013
    end date:   18:00:51 GMT Jan 3 2016
  Associated Trustpoints: FA44BSEXVP01

FA62TESTLAB01/pri/act# show crypto ca trustpoints
Trustpoint FA62TESTLAB01:
  Not authenticated.
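Othman's answer above lists what the change actually needs (certificates on both peers trusted by the same CA, and the trustpoint in place of the pre-shared key under the tunnel-group), and the final "show crypto ca trustpoints" output reports the trustpoint the tunnel-group references as "Not authenticated.", meaning no CA certificate has been installed in it, while the only identity certificate shown is associated with a different trustpoint. The following is an added end-to-end example for one ASA of the pair, written for this page and not taken from any poster's configuration. The trustpoint name TP-SITEB, the peer address 203.0.113.2, the subject name and the crypto map name are placeholders; the syntax is the 8.2-style syntax used in the thread, and the comments note the 8.4+ keyword differences.

```cisco
! Added example (not any poster's configuration): switching an IKEv1 L2L tunnel
! from pre-shared key to RSA certificate authentication on ASA-A.
! Assumptions: trustpoint/keypair TP-SITEB, peer ASA-B at 203.0.113.2, the
! existing crypto map entry for this peer is left untouched. Repeat on the peer
! with its own certificate from the same CA.
! ASA 8.4+: "crypto isakmp policy" becomes "crypto ikev1 policy" and the
! tunnel-group keywords become "ikev1 trust-point" / "ikev1 pre-shared-key".
!
! 1. Key pair (2048-bit; 1024-bit RSA is below current minimums).
crypto key generate rsa label TP-SITEB modulus 2048
!
! 2. Trustpoint. Set enrollment terminal before enrolling; RDNs are comma separated.
!    revocation-check none avoids IKE failing when the CRL URLs in the cert are
!    unreachable from the ASA; enable CRL/OCSP once that path is confirmed.
crypto ca trustpoint TP-SITEB
 enrollment terminal
 subject-name CN=asa-a.example.net,OU=VPN,O=Example,C=GB
 keypair TP-SITEB
 revocation-check none
 exit
!
! 3. Install the CA certificate FIRST (paste the base64 PEM, type quit, accept
!    the fingerprint). Until this is done the trustpoint shows "Not authenticated."
!    and the identity certificate cannot be imported into it.
crypto ca authenticate TP-SITEB
!
! 4. Generate the CSR, have the CA sign it, then import the issued certificate
!    into the SAME trustpoint (paste the base64 PEM, then quit).
crypto ca enroll TP-SITEB
crypto ca import TP-SITEB certificate
!
! 5. The IKE policy must offer rsa-sig; a policy with "authentication pre-share"
!    only will never negotiate a certificate-authenticated tunnel.
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
!
! Send the certificate DN rather than the interface address as the IKE identity.
! This is global; PSK tunnel groups keep working because they are matched by
! peer address.
crypto isakmp identity auto
!
! 6. L2L tunnel group (name = peer IP): trust-point replaces pre-shared-key.
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 no pre-shared-key
 trust-point TP-SITEB
!
! 7. Verify the PKI state before sending interesting traffic.
!    - trustpoints: TP-SITEB must no longer report "Not authenticated."
!    - certificates: a CA Certificate and an identity Certificate, both with
!      "Associated Trustpoints: TP-SITEB" (the name used under the tunnel-group)
show crypto ca trustpoints
show crypto ca certificates
!
! 8. Then watch phase 1 / phase 2 (8.4+: debug crypto ikev1 127).
debug crypto isakmp 127
show crypto isakmp sa
show crypto ipsec sa
```

The two checks in step 7 are the ones to run against the output posted above: the trustpoint named in the tunnel-group must hold the CA certificate, and the identity certificate must be associated with that same trustpoint, otherwise the ASA has no certificate to present for the tunnel even though "show crypto ca certificates" lists one.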