Force cisco IPsec VPN client to use ASA Cert

Mohamed Hamid · ‎06-25-2012

Hi Guys

Not sure if I have done this correctly but I have made the following change to my ASA 5520 using ASDM to try and force VPN clients to use a self assigned certificate from the ASA. I made the following changes

Remove Access VPN > Certificate Management > Identity Certificates > Add Certificate

Then I made the following change

Remote Access VPN > Network (Client) Access > IPSec(IKEv1) Connection Profiles > Connection Profile > Edit > IKE Peer Authentication > Pre Shared key and pointed the identity certificate to the one I created in the step above.

Having made this change I am still able to VPN without a certificate configured in authentication settings.

I was expecting that the VPN would attempt to issue the self assigned cert to client machine?

Am I on the right tracks or have I missed something?

Kind Regards

Mohamed Hamid · ‎06-25-2012

Just to add.. I have since tried to export the certificate created above in both .pem and .p12 and .cer files and then imported into the x509Anchors keychain on mac 10.7.3 however when I try and select certificate option in the Cisco IPSec VPN settings in network connections I keep getting the following message

No Machine certificates found

Certificate authentication cannot be used because your keychain does not contain any suitable certificates. Use Keychain Access to import the appropriate certificates into your keychain. If you do not have the certificates required for authentication, contact your network administrator

any help would be much appreciated