IPSec Certificates Validation Failure

paulcooke
Level 1

Hi

I am attempting to establish a site to site VPN with a partner using ASA5515-X v9.1.
We are using IKEv1 to be old school and we are using my organization Microsoft 2012 CA to sign the certs and establish Trust Points on both devices.

My device is failing to complete Phase 1 negotiations as the certificate validation of the peer device cert fails due to the extended usage keys generated when signing that certificate.

We have used the offline IPSec template built in MS Certificate Services to sign the certs which I have seen referenced in a number of Cisco documents on CCO for such purposes.

Can anyone please advise the correct Extended Key Usage OIDs I need to pass validation, bearing in mind I also want to use the same cert for AnyConnect IPSec IKEv2 connections as well. I can then update the template. To be clear, I want to do full validation of the certs; I am aware of workarounds but need strict validation.

I have seen the following elsewhere on the Web:

clientAuth 1.3.6.1.5.5.7.3.2
ipsecEndSystem 1.3.6.1.5.5.7.3.5
ipsecTunnel 1.3.6.1.5.5.7.3.6
ipsecUser 1.3.6.1.5.5.7.3.7
ipsecIntermediate

Thanks Paul

2 Replies

paulcooke
Level 1

So as no one responded I created a cert with as many of the Enhanced Key Usage OIDs as I could and debugged crypto ca, ca messages, & ca transactions and found the following OID was acceptable (see blue text below, taken from http://msdn.microsoft.com/en-us/library/windows/desktop/aa378132(v=vs.85).aspx ).

I have now copied the MS IPSec Offline template and edited this to include IP Security Tunnel Termination. I have also either added (or just checked) that the (Offline) IPsec template contained Server Authentication & IP Security Intermediate. I believe these are needed for ASDM and AnyConnect, from a couple of Cisco documents, not 100%.

Using this template to sign my certificate I now have a certificate that passes strict key usage checking on my ASA5515-X and that I can use for ASDM SSL access, Lan 2 Lan IKEv1 IPSEC tunnels and IKEv2 IPSec AnyConnect authentication. My CA was built on Windows Server 2012.

IPSEC_TUNNEL (1.3.6.1.5.5.7.3.6): The certificate can be used for signing IPSEC communication in tunnel mode.

Hope this helps someone as it was not clear from any of the Cisco documentation I could find.
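As an added example for the question above and for the answer just given (this is not code from the thread, from Cisco or from Microsoft): a pure-Python DER encoder and decoder for the Extended Key Usage extension value, with a check for whether a certificate's EKU list carries the key purposes the thread settled on. The ipsecTunnel OID (1.3.6.1.5.5.7.3.6) and the other IPsec purposes come from the post; the serverAuth OID (1.3.6.1.5.5.7.3.1, RFC 5280) and the Microsoft "IP security IKE intermediate" OID (1.3.6.1.5.5.8.2.2) are not on the page and are supplied here. The two sample EKU values are constructed, standing in for certs issued from the unmodified template and from the edited one; which purposes count as "required" is an assumption lifted from the reply, and you can pass your own list.

```python
"""Pure-Python DER encoder/decoder for the X.509 extendedKeyUsage value
(RFC 5280 s4.2.1.12):
    ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
    KeyPurposeId      ::= OBJECT IDENTIFIER
Added example; not code from the thread, Cisco or Microsoft."""

TAG_OID = 0x06
TAG_SEQUENCE = 0x30

# Key-purpose OIDs named in the thread, plus serverAuth (RFC 5280) and the
# Microsoft "IP security IKE intermediate" purpose, which the thread does not list.
KEY_PURPOSE_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.5": "ipsecEndSystem",
    "1.3.6.1.5.5.7.3.6": "ipsecTunnel",
    "1.3.6.1.5.5.7.3.7": "ipsecUser",
    "1.3.6.1.5.5.8.2.2": "ipsecIKEIntermediate",
}

# Assumption taken from the reply: the L2L IKEv1 peer check needs ipsecTunnel,
# and serverAuth covers ASDM / AnyConnect use of the same certificate.
REQUIRED_PURPOSES = ["1.3.6.1.5.5.7.3.6", "1.3.6.1.5.5.7.3.1"]

def _der_length(n):
    """DER length: short form below 0x80, else 0x8N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _read_length(buf, pos):
    """Return (length, position just after the length field)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    count = first & 0x7F
    if count == 0 or count > 4 or pos + count > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos:pos + count], "big"), pos + count

def _base128(arc):
    """Encode one OID sub-identifier as base-128 with continuation bits."""
    out = [arc & 0x7F]
    arc >>= 7
    while arc:
        out.append(0x80 | (arc & 0x7F))
        arc >>= 7
    return bytes(reversed(out))

def encode_oid(dotted):
    """Encode a dotted OID as a complete DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID " + dotted)
    content = _base128(arcs[0] * 40 + arcs[1])  # first two arcs are packed
    content += b"".join(_base128(a) for a in arcs[2:])
    return bytes([TAG_OID]) + _der_length(len(content)) + content

def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    if not content or content[-1] & 0x80:
        raise ValueError("empty or truncated OID")
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this sub-identifier
            if not arcs:  # unpack 40*X + Y; X is at most 2
                first = min(value // 40, 2)
                arcs += [first, value - first * 40]
            else:
                arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def build_eku(dotted_oids):
    """Build the DER value of an extendedKeyUsage extension."""
    body = b"".join(encode_oid(o) for o in dotted_oids)
    return bytes([TAG_SEQUENCE]) + _der_length(len(body)) + body

def parse_eku(der):
    """Strictly parse an extendedKeyUsage value into a list of dotted OIDs."""
    if not der or der[0] != TAG_SEQUENCE:
        raise ValueError("EKU value must be a SEQUENCE")
    length, pos = _read_length(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("EKU length does not match the data")
    purposes = []
    while pos < end:
        if pos + 1 >= end or der[pos] != TAG_OID:
            raise ValueError("EKU may only contain OBJECT IDENTIFIERs")
        oid_len, pos = _read_length(der, pos + 1)
        if pos + oid_len > end:
            raise ValueError("OID runs past the end of the SEQUENCE")
        purposes.append(decode_oid(der[pos:pos + oid_len]))
        pos += oid_len
    return purposes

def missing_purposes(der, required=REQUIRED_PURPOSES):
    """Return the required key purposes that this EKU value lacks."""
    present = set(parse_eku(der))
    return [o for o in required if o not in present]

# Constructed sample values standing in for certs from the two templates.
BEFORE = build_eku(["1.3.6.1.5.5.8.2.2"])  # IKE Intermediate only
AFTER = build_eku(["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.8.2.2",
                   "1.3.6.1.5.5.7.3.6"])  # plus serverAuth and ipsecTunnel

if __name__ == "__main__":
    for label, value in (("before", BEFORE), ("after", AFTER)):
        names = [KEY_PURPOSE_NAMES.get(o, o) for o in parse_eku(value)]
        print(label, value.hex(), names, "missing:", missing_purposes(value))
```

The block only handles the extension value, i.e. the content of the OCTET STRING inside the extendedKeyUsage extension; to run it against a real certificate, pull that value out with a full X.509 parser first. The parser is deliberately strict (no trailing bytes, only OIDs inside the SEQUENCE), which is the behaviour you want when the point of the exercise is to keep strict validation on the ASA rather than loosen it.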

BEST POST EVER MATE - I have been trying 3-4 days to get 2 FTDs to use RSA Sigs for a S2S VPN and your post fixed it, TOP MAN!!! Thanks so much, it's been driving me mad.