Can anyone help me out?
I have an IPsec VPN running on PSK, which I am changing to certificate-based authentication with the firewall being a local CA.
I have created the RSA key, then created the trustpoint, and then enrolled the firewall with the local CA as shown below, which gave me a CSR.
I now have the certificate. How do I import or copy and paste this and associate it with the current IPsec tunnel? The Cisco documentation I can find is only for an external CA.
Steps I have done on the firewall:
crypto key generate rsa label FA62TESTLAB01 modulus 1024
crypto ca trustpoint FA62TESTLAB01
subject-name CN=FA62TESTLAB01.cisco.com L=US
crypto ca enroll FA62TESTLAB01
% Start certificate enrollment ..
% The subject name in the certificate will be: CN=FA62TESTLAB01.cisco.com,OU=cis
% The fully-qualified domain name in the certificate will be: FA62TESTLAB01
% Include the device serial number in the subject name? [yes/no]: no
Display Certificate Request to terminal? [yes/no]: yes
Certificate Request follows:
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
I now have the certificates which were generated off the back of the CSR. What is the next step for me to import the certificate and also attach it to the IPsec VPN?
You are most of the way there.
You can install the new certificate following the procedure from Step 8 here.
Note if you have an HA pair, you will need to manually force a write to the standby unit. Reference.
Now that you have the certificate on your ASA(s), you can modify the IPsec VPN authentication method. Please refer to the guide here and start at Step 7. Since you already have a working VPN using PSK IKE peer authentication method, you need only change it to use the certificate method instead.
Sorry for the late reply; I tested this today and it still did not work.
fa44rgexvpn01/pri/act# Mar 13 14:07:09 [IKEv1]: Group = 220.127.116.11, IP = 18.104.22.168, Can't find a valid tunnel group, aborting...!
Mar 13 14:07:17 [IKEv1]: IP = 22.214.171.124, Header invalid, missing SA payload! (next payload = 4)
Commands I added since the 1st message:
crypto ca import FA62TESTLAB01 certificate
!--- output truncated
tunnel-group 126.96.36.199 type ipsec-l2l
tunnel-group 188.8.131.52 ipsec-attributes
ssl trust-point FA62TESTLAB01 outside
I tried adding the following:
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
I also tried changing the tunnel group attribute to default without any joy; I got the same error message.
tunnel-group DefaultRAGroup ipsec-attributes
Finally I added these; still no joy.
tunnel-group-map enable ou
tunnel-group-map enable ike-id
tunnel-group-map enable peer-ip
Does anyone know why I am getting these messages? Please help.
You don't need all these SSL commands, as here we are doing an IPsec L2L tunnel, and the SSL commands you mentioned are used for SSL VPN, which is not related at all to what you need to achieve.
When you run the command "sh run crypto isakmp | inc identity", what do you get? "identity address"?
If yes, please change it to auto using the command "crypto isakmp identity auto".
You just need to have proper certificates on both sides that are trusted by the same CA server, and assign the trustpoint name under the tunnel-group ipsec-attributes instead of the pre-shared-key command.
Let us know how it goes.
This can be pretty hard to set up the first time. I am a novice and not an expert on the ASA. However, I have managed to get an ASA in the lab working with the ASA as the CA and also using OpenSSL as the CA. The basics for both are pretty straightforward but more difficult in execution. I assume you are using "AnyConnect"? Certificates can also be used for "point to point" tunnels using another ASA, other VPN devices, and even StrongSwan.
One trustpoint for the CA
One trustpoint for the ASA, signed by the CA
The CA certificate is needed on the client side
The client needs a cert signed by the CA, which can be done through a client web login or installed manually.
show crypto ca certificates
show crypto ca trustpoints
I have attached a working configuration for an AnyConnect lab configuration from my ASA. It works; in fact I have a client connected now and can keep it going for weeks. We are using EC certs, but RSA works as well. I used OpenSSL in this example. Never assume. Verify each portion of the connection, from IKE to IPsec. I only use IKEv2 (easier, I think) and set my IKE proposal and IPsec proposals manually. I install the trustpoints before I configure tunnels or VPNs. I think it is easier.
Please note my comments are those of a novice. But if I got it to work then you should as well.
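Putting Othman's steps (trust-point under the tunnel-group ipsec-attributes instead of pre-shared-key, isakmp identity auto) and Douglas's trustpoint layout (CA certificate plus an ASA certificate signed by that CA) together, here is an added example of what the L2L side of the ASA configuration looks like before and after the switch. It is not configuration from any poster in this thread. The peer address 203.0.113.10, the trustpoint name CERT-TP and the policy numbers are made-up placeholders; it uses the pre-8.4 `crypto isakmp` syntax that the thread's own commands use, and it keeps the CA and identity certificates in one trustpoint, which is the simplest layout for a single-level CA (Douglas's two-trustpoint layout works as well). One check worth doing first: the certificate output posted above lists "Associated Trustpoints: FA44BSEXVP01", while the tunnel-group references FA62TESTLAB01, and the trust-point named under ipsec-attributes must be the trustpoint the identity certificate is actually associated with.

```text
! --- BEFORE: PSK peer authentication (the working state described in the thread)
crypto isakmp identity address
crypto isakmp policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 pre-shared-key <removed>

! --- AFTER: certificate (RSA signature) peer authentication
! 1. A trustpoint holding the CA certificate the peer's certificate chains to,
!    plus this ASA's own identity certificate.  "crypto ca authenticate" pastes
!    the CA certificate in and is the step the thread does not show.
!    "keypair" ties the trustpoint to the RSA key generated earlier.
!    revocation-check none is set explicitly: if you enable CRL checking, the
!    LDAP CRL distribution point in the thread's certificate must be reachable
!    from the ASA, otherwise peer authentication fails.
crypto ca trustpoint CERT-TP
 enrollment terminal
 keypair FA62TESTLAB01
 subject-name CN=FA62TESTLAB01.cisco.com
 revocation-check none
crypto ca authenticate CERT-TP
!    ... paste the CA certificate (PEM), then "quit" ...
crypto ca enroll CERT-TP
!    ... hand the CSR to the CA ...
crypto ca import CERT-TP certificate
!    ... paste the signed identity certificate (PEM), then "quit" ...

! 2. Identity: with certificates the ASA should send its certificate DN, not
!    its IP address.  "auto" uses the DN for certificate-authenticated peers
!    and the IP address for PSK peers, so the existing PSK tunnels in the other
!    tunnel-groups keep working.
crypto isakmp identity auto

! 3. An additional ISAKMP policy that authenticates with RSA signatures.
!    Policies are tried in priority order, so policy 10 still serves PSK peers.
crypto isakmp policy 5
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

! 4. The tunnel-group: trust-point replaces pre-shared-key, in ipsec-attributes.
!    ("ssl trust-point" configures the SSL VPN listener and does nothing here.)
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 no pre-shared-key
 trust-point CERT-TP

! 5. Verification: the trust-point named above must appear under
!    "Associated Trustpoints:" for the identity certificate, and the CA
!    certificate must be listed too; then watch phase 1 on the next attempt.
show crypto ca certificates
show crypto ca trustpoints
debug crypto isakmp 127
```

The same change has to be made on the peer, with a certificate issued by the same CA (or a CA this ASA has authenticated), and the peer's clock must be inside the validity window of the certificates, which is the other common reason a certificate peer fails where a PSK peer works.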
Hi Othman & Douglas,
Thanks for your response. I tried this first without the SSL and tunnel-group-map commands and had the same error; then I added those two commands and it still did not work.
I am running a LAN-to-LAN IPsec tunnel over the public internet on a Cisco ASA 5510 in single mode. It works fine with a pre-shared key; the issue is with certificates. Below is the output for the certificate.
I have not configured this command: "crypto isakmp identity auto".
- I have 2 other IPsec L2L VPNs running on PSK; the crypto isakmp identity auto command won't affect the others?
FA62TESTLAB01/pri/act# show crypto ca certificates
Certificate Serial Number: 231bf4583228e9caea243b4163d08474
Certificate Usage: General Purpose
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA1 with RSA Encryption
CRL Distribution Points:
 ldap://crl.inov.mpn.net:389/cn=VI CA5,c=US,ou=MPN,o=MPN?certificateRevocationList
start date: 18:00:51 GMT Jan 3 2013
end date: 18:00:51 GMT Jan 3 2016
Associated Trustpoints: FA44BSEXVP01
FA62TESTLAB01/pri/act# show crypto ca trustpoints