ā12-23-2016 09:18 AM - edited ā02-21-2020 09:06 PM
We're in the process of transitioning between VPN products.
The cert for our SSL VPN is expiring on Dec 30, and in order to renew it we would need to upgrade the IOS version on our VPN device (ASA 5510) - because our IOS version does not support SHA2 certificates for this purpose.
Since we're in the process of implementing a Meraki VPN which should be complete mid-January, we do not want to do that.
Obviously this is a bad practice, but we're hoping to determine how to force the Cisco AnyConnect Client for Mac to connect even if the certificate is expired, just until we get the new VPN running, due to our circumstances.
We've tested an older Windows client, which will allow us to connect with an expired certificate, but our Mac client, 3.1.03103 absolutely will not allow us to connect.
Self signed certificates may be a possibility, but if I recall correctly that requires deployment of the self signed cert to the trusted root store on all users' machines.
Any ideas how we can do this, or perhaps a method we're overlooking that will allow us to keep our VPN users going until the January 15th cutover?
Thanks in advance.
ā12-23-2016 03:09 PM
If you use the self-signed certificate option, users can still connect if they ignore the warning and click 'Connect Away'. Drawback is that they will get that error each time they connect and it is a hassle if you have to communicate this messaging to everyone if there are a lot of users.
I am not sure if this is an option, but some CA's allow to rekey the certificate for free . You could create a new sha1 cert and rekey the cert to use sha2 algorithm (hopefully for free) after you have upgraded the ASA version. This should ensure enough time for you to plan an upgrade without service interruption for vpn users. Best check with the CA support team if this is an option.
ā01-04-2017 08:00 AM
Thanks for the reply, Rahul. Unfortunately our CA will only generate SHA2s. What we've done is to switch our Mac users over to IPSec using a shared secret instead of a cert.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide