09-20-2011 01:35 AM - edited 02-21-2020 05:36 PM
Hi,
I need to implement IPsec VPN for about 10-15 users. They all use Cisco VPN Client 5.x and we have a Cisco IOS router in the office. We already have a working situation for these users. However, it has become a need that only known devices (company laptops) are allowed to set up a VPN.
I figure the only way to accomplish this is to use certificates. But we don't want to buy certificates if there's a free way to set this up. So my questions are:
1) What options do I have to set up IPsec VPN, where only known devices can successfully set up a VPN and all other unknown devices are blocked?
2) If certificates are the only way, can I somehow produce these certificates myself using the Cisco IOS router?
3) Does anyone have an example of a similar setup/configuration?
Thanks in advance.
Regards,
M.
09-20-2011 01:57 AM
1) Yes, you are on the right track. You can accomplish that by using a certificate to authenticate the user.
2) Yes, you can configure the IOS router to be the CA server.
3) Here is the configuration guide for your reference:
Hope this helps.
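An IOS configuration along the lines of the answer above, added here as an example and not taken from the thread or from the linked guide: the router runs its own CA, enrolls its own identity certificate, and offers only certificate authentication for IKE. The names VPN-CA and VPN-ID, the 192.0.2.x addresses, the domain name and the key sizes are assumptions, and the existing Easy VPN group, address pool and crypto map are assumed to stay as they are.

```cisco
! Added example. Names, addresses and key sizes are assumed values.
! Certificate validity checks depend on a correct clock.
ntp server 192.0.2.10
ip domain name example.internal
!
! SCEP enrollment requests reach the IOS CA through the HTTP server.
ip http server
!
! 1. Local CA. "no shutdown" prompts for a passphrase protecting the CA key.
!    "grant auto" is left out on purpose: every request waits for manual
!    approval, so only laptops you approve receive a certificate.
crypto key generate rsa general-keys label VPN-CA modulus 2048
crypto pki server VPN-CA
 database level complete
 issuer-name CN=VPN-CA,O=Example
 lifetime certificate 365
 no shutdown
!
! 2. The router's own identity certificate, issued by the local CA.
crypto pki trustpoint VPN-ID
 enrollment url http://192.0.2.1:80
 subject-name CN=vpn-gw.example.internal
 rsakeypair VPN-ID 2048
 revocation-check crl
!
crypto pki authenticate VPN-ID
crypto pki enroll VPN-ID
!
! 3. IKE policy for remote access: RSA signatures only.
!    A remaining policy with "authentication pre-share" would still let a
!    client in with the group key alone, so remove it for these users.
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 5
!
! Operational commands (privileged EXEC):
!   crypto pki server VPN-CA info requests      list pending requests
!   crypto pki server VPN-CA grant <req-id>     approve a known laptop
!   crypto pki server VPN-CA revoke <serial>    lost or retired laptop
```

With certificate authentication the Easy VPN group is taken from the OU field of the client certificate, so the OU in each laptop's enrollment request has to match the existing group name. The certificate ties the VPN to a laptop only as long as its private key cannot be copied off that laptop, so enroll with the key marked non-exportable.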
09-20-2011 02:08 AM
Thanks a lot Jennifer. I will have a look at this now.
Can I conclude that there is no other way of doing this other than using certificates?
09-20-2011 02:15 AM
Unfortunately, if you connect to an IOS router, there is no other way except using a certificate. If you are connecting to a Cisco ASA firewall, then you can identify the company laptop using DAP (Dynamic Access Policy).