CISCO ASA IPSEC VPN with Certificates

nouraj jaman
Level 1

Hi Guys,

Can anyone help me out.

I have an IPsec VPN running on PSK, which I am changing to certificate-based authentication with the firewall being a local CA.

I created the RSA key, then created the trustpoint, and then enrolled the firewall to be the local CA as shown below, which gave me a CSR.

I now have the certificate. How do I import (or copy and paste) this and associate it with the current IPsec tunnel? The Cisco documentation I can find is only for an external CA.

Steps I have done on the firewall:

! note: 1024-bit RSA is weak by current standards; 2048 or larger is recommended
crypto key generate rsa label FA62TESTLAB01 modulus 1024
!
crypto ca trustpoint FA62TESTLAB01
 subject-name CN=FA62TESTLAB01.cisco.com L=US
 keypair FA62TESTLAB01
 enrollment terminal
 exit
!
crypto ca enroll FA62TESTLAB01
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=FA62TESTLAB01.cisco.com,OU=cis
% The fully-qualified domain name in the certificate will be: FA62TESTLAB01
% Include the device serial number in the subject name? [yes/no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
OUTPUT OMITTED
-----END CERTIFICATE REQUEST-----

I now have the certificates which were generated from the CSR. What is the next step to import the certificate and also attach it to the IPsec VPN?

Thanks

6 Replies

Marvin Rhoads
Hall of Fame

You are most of the way there.

You can install the new certificate following the procedure from Step 8 here.

Note if you have an HA pair, you will need to manually force a write to the standby unit. Reference.

Now that you have the certificate on your ASA(s), you can modify the IPsec VPN authentication method. Please refer to the guide here and start at Step 7. Since you already have a working VPN using PSK IKE peer authentication method, you need only change it to use the certificate method instead.

Sorry for the late reply; I tested this today and it still did not work.

Error message:

fa44rgexvpn01/pri/act# Mar 13 14:07:09 [IKEv1]: Group = 81.120.94.92, IP = 81.120.94.92, Can't find a valid tunnel group, aborting...!
Mar 13 14:07:17 [IKEv1]: IP = 81.120.94.92, Header invalid, missing SA payload! (next payload = 4)

Commands I added since the first message:

crypto ca import FA62TESTLAB01 certificate
WIID2DCCAsCgAwIBAgIKYb9wewAAAAAAJzANBgkqhkiG9w0BAQUFADAQMQ
!--- output truncated
wPevLEOl6TsMwng+izPQZG/f0+AnXukWHQiUPwrYw83jqNIxi5aDV/4atBbgiiBa
6duUocUGyQ+SgegCcmmEyMSd5UtbWAc4xOMMFw==
!
tunnel-group 83.122.94.90 type ipsec-l2l
tunnel-group 83.122.94.90 ipsec-attributes
 trust-point FA62TESTLAB01
!
ssl trust-point FA62TESTLAB01 outside

I tried adding the following:

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

I also tried changing the tunnel-group attribute to the default group, without any joy; I got the same error message.

tunnel-group DefaultRAGroup ipsec-attributes
 trust-point FA62TESTLAB01

Finally I added these; still no joy.

tunnel-group-map enable ou
tunnel-group-map enable ike-id
tunnel-group-map enable peer-ip

Does anyone know why I am getting these messages? Please help.

Hello Nouraj,

You don't need all these SSL commands, as here we are doing an IPsec L2L tunnel; the SSL commands you mentioned are used for SSL VPN, which is not related at all to what you need to achieve.

When you run the command "sh run crypto isakmp | inc identity", what do you get? "identity address"?

If yes, please change it to auto using the command "crypto isakmp identity auto".

You just need to have proper certificates on both sides that are trusted by the same CA server, and assign the trustpoint name under the tunnel-group ipsec-attributes instead of the pre-shared-key command.

let us know how it goes.

Regards,

Othman

Also, please remove the tunnel-group-map commands you added, along with the SSL commands.
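The change Othman describes, written out as an added example (this is not configuration from the original thread or from Cisco): the working pre-shared-key tunnel group beside its certificate-based replacement, preceded by the CA-authentication and identity-certificate import steps and followed by the show commands that confirm the trustpoint state before the tunnel is tested. The peer address 83.122.94.90, the trustpoint and key-pair name FA62TESTLAB01 and the subject name are taken from the thread; the ISAKMP policy number 10, crypto map name outside_map, sequence 10, ACL L2L_ACL and transform-set name are hypothetical. The pre-8.4 `crypto isakmp` / `trust-point` syntax matches what is posted above; on ASA 8.4 and later the equivalents are `crypto ikev1 policy`, `ikev1 pre-shared-key` and `ikev1 trust-point`. Two things the verification step catches, and which the output posted later in this thread shows: a trustpoint that reports "Not authenticated" has never had the CA certificate installed with `crypto ca authenticate`, and an identity certificate whose "Associated Trustpoints" line names a different trustpoint than the one referenced in the tunnel group is not the certificate that tunnel group will present. Separately, when the ASA looks up the tunnel group by peer address (the "Group = <ip>" in the IKEv1 log), the tunnel-group name has to be the address the peer actually connects from.

```cisco
! Added example, not from the original thread. Assumed names: policy 10,
! crypto map outside_map seq 10, ACL L2L_ACL, transform set ESP-AES-256-SHA.

! --- 1. Key pair and trustpoint (2048-bit; 1024-bit RSA is weak) -----------
crypto key generate rsa label FA62TESTLAB01 modulus 2048
crypto ca trustpoint FA62TESTLAB01
 enrollment terminal
 subject-name CN=FA62TESTLAB01.cisco.com
 keypair FA62TESTLAB01
 revocation-check none      ! default; switch to "crl" once the CDP is reachable
 exit

! --- 2. Install the CA certificate FIRST. Until this is done,
!        "show crypto ca trustpoints" reports "Not authenticated".
crypto ca authenticate FA62TESTLAB01
! paste the CA's base64 certificate, type "quit", answer yes to accept it

! --- 3. CSR, then import the signed identity cert into the SAME trustpoint,
!        so "Associated Trustpoints" shows FA62TESTLAB01.
crypto ca enroll FA62TESTLAB01
crypto ca import FA62TESTLAB01 certificate
! paste the signed identity certificate, then type "quit"

! --- 4. Verify before touching the tunnel ----------------------------------
show crypto ca trustpoints          ! must NOT say "Not authenticated"
show crypto ca certificates         ! CA cert + identity cert, same trustpoint

! --- 5. ISAKMP policy: BEFORE (pre-shared key) -----------------------------
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! --- 5. ISAKMP policy: AFTER (certificates) --------------------------------
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! "auto" sends the IP address for pre-shared-key peers and the certificate DN
! for certificate peers, so existing PSK tunnels keep working.
crypto isakmp identity auto

! --- 6. Tunnel group: BEFORE (pre-shared key) ------------------------------
tunnel-group 83.122.94.90 type ipsec-l2l
tunnel-group 83.122.94.90 ipsec-attributes
 pre-shared-key *****               ! placeholder

! --- 6. Tunnel group: AFTER (certificate) ----------------------------------
! The name must equal the address the peer connects from; that address is
! what the IKE log prints as "Group = <ip>".
tunnel-group 83.122.94.90 type ipsec-l2l
tunnel-group 83.122.94.90 ipsec-attributes
 no pre-shared-key
 trust-point FA62TESTLAB01

! --- 7. Crypto map (unchanged from the PSK setup apart from set trustpoint,
!        which is optional when the tunnel group already names it) ---------
crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map outside_map 10 match address L2L_ACL
crypto map outside_map 10 set peer 83.122.94.90
crypto map outside_map 10 set transform-set ESP-AES-256-SHA
crypto map outside_map 10 set trustpoint FA62TESTLAB01
crypto map outside_map interface outside
crypto isakmp enable outside

! --- 8. When it still fails, watch the exchange -----------------------------
debug crypto isakmp 127
```

Do the same on the remote peer with a certificate issued by the same CA (or a CA each side trusts), and clear the existing SA (`clear crypto isakmp sa` on pre-8.4 syntax) after switching so the next negotiation uses rsa-sig rather than the cached pre-share association.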

This can be pretty hard to set up the first time. I am a novice and not an expert on the ASA. However, I have managed to get an ASA in the lab working with the ASA as the CA and also using OpenSSL as the CA. The basics for both are pretty straightforward but more difficult in execution. I assume you are using "AnyConnect"? Certificates can also be used for "point to point" tunnels using another ASA, other VPN devices, and even strongSwan.

One Trust Point for the CA

One Trust Point is for the ASA signed by the CA

The CA certificate is needed on the client side

The Client needs a cert signed by the CA which can be done through a client web login or manually installed. 

Handy commands

show crypto ca certificates

show crypto ca trustpoints

I have attached a working configuration for an AnyConnect lab from my ASA. It works; in fact I have a client connected now and can keep it going for weeks. We are using EC certs, but RSA works as well. I used OpenSSL in this example. Never assume; verify each portion of the connection, from IKE to IPsec. I only use IKEv2 (easier, I think) and set my IKE proposal and IPsec proposals manually. I install the trustpoints before I configure tunnels or VPNs; I think it is easier.

Please note my comments are those of a novice.  But if I got it to work then you should as well.  

Hi Othman & Douglas,

Thanks for your response. I tried this first without the SSL and tunnel-group-map commands and had the same error; then I added those two commands and it still did not work.

I am running a LAN-to-LAN IPsec tunnel over the public internet on a Cisco ASA 5510 in single mode. It works fine with a pre-shared key; the issue is with certificates. Below is the output for the certificate.

I have not configured this command "crypto isakmp identity auto"

- I have two other IPsec L2L VPNs running on PSK; the "crypto isakmp identity auto" command won't affect the others?

Output below:

FA62TESTLAB01/pri/act# show crypto ca certificates
Certificate
  Status: Available
  Certificate Serial Number: 231bf4583228e9caea243b4163d08474
  Certificate Usage: General Purpose
  Public Key Type: RSA (2048 bits)
  Signature Algorithm: SHA1 with RSA Encryption
  Issuer Name:
    cn=VI CA5
    ou=MPN
    o=MPN
    c=US
  Subject Name:
    cn=FA62TESTLAB01.eu.mpn.net
    ou=VE
    o=VE
    c=GB
  CRL Distribution Points:
    [1] ldap://crl.inov.mpn.net:389/cn=VI CA5,c=US,ou=MPN,o=MPN?certificateRevocationList
    [2] http://crl.inov.mpn.net/VICA2.crl
  Validity Date:
    start date: 18:00:51 GMT Jan 3 2013
    end   date: 18:00:51 GMT Jan 3 2016
  Associated Trustpoints: FA44BSEXVP01

FA62TESTLAB01/pri/act# show crypto ca trustpoints
Trustpoint FA62TESTLAB01:
  Not authenticated.
