Beginner

IPSec site to site VPN certificate error

Hi

I'm playing around with IPSec site-to-site VPNs using certificates.

I load the CA root certificate onto each ASA and then enroll manually for an Identity certificate.  I have a Win2008 CA and use the Advanced Certificate Request, then the IPSec (Offline request) template, to generate my certificate from the ASA CSR.  The Identity certificate gets installed fine and I apply it to the tunnel group and crypto map.

However, when the tunnel attempts to come up I get the following in debugs

[IKEv1]Group = 192.168.0.250, IP = 192.168.0.250, Certificate Validation Failed

and

check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2, NOT acceptable

I can get round this by doing

crypto ca trustpoint My-trust-point
 ignore-ipsec-keyusage

However, I would prefer not to have to do this.  Am I using the wrong certificate template to generate the certificate for the ASA, and if so, which one should I use?

Thanks, Stephen.

8 REPLIES

Cisco Employee

Hi StevieOliver_2,

So, as you are saying, this is just a matter of using the right template; the template you should select when creating certificates for an S2S tunnel is IPsec.

You can find the steps on the following link:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/110221-asavpnclient-ca.html

Hope this info helps!!

Rate if it helps you!!

-JP-

Beginner

Thank you for the input JP.

I'm using the IPSec (offline request) cert template which seems to be much the same as the IPSec one.  Am I wrong?  Is there a significant difference between these templates?

The reason I don't use the IPSec template is I can't seem to get it offered as a choice when I browse to my CA and submit an Advanced request.  Only the IPSec (Offline request) is available.  So I looked into that and it seemed to be an acceptable alternative.

From here

https://social.technet.microsoft.com/Forums/office/en-US/87454c69-1f4a-4474-bbbf-a6e7d120d3fd/what-for-are-ipsec-and-ipsec-request-offline-certificates-in-ca-certificate-templates-node?forum=winserversecurity

It says

IPSEC(offline Request) certificate template allows the certificate requester to provide the subject name information in the certificate request.

I didn't think that would cause the certificate to be rejected.

Thanks, Stephen.

Cisco Employee

Stephen,

Considering that it will be kind of hard to identify what is wrong without taking a look at the certificate, if you can share the cert so I can check it out I can help you; if not, I would recommend you open a TAC case.

Hope this info helps!!

Rate if it helps you!!

-JP-

ACCEPTED SOLUTION
Cisco Employee

Stephen,

Actually I just found the solution for this issue; take a look at this link:

https://supportforums.cisco.com/discussion/12193296/ipsec-certificates-validation-failure

Hope this info helps!!

Rate if it helps you!!

-JP-

Beginner

Thanks again JP.

I did manage to copy the existing IPSec template and include IP security tunnel termination as a certificate purpose.  That looks promising as a solution.

However, I'm still having trouble getting the certificate template to be offered under the certsrv webpage which I'm trying to resolve.  Every suggestion I find on the internet fails to get the CA to offer the copied template.

Stephen.

Beginner

Actually I think I've just managed to get the new template published and available in the certsrv webpage by using the Windows Server 2003 Enterprise option when duplicating the IPSec template.  I think I was using the Windows Server 2008 Enterprise option before, which was the default.  That seems to have now allowed the template to be available via certsrv.  I've still to issue my ASA with a new cert and test, but I'll try that and report back on how it goes.

Stephen.

Beginner

Success.

I created a copy of the IPSec certificate as a Win2003 certificate

In the Subject name tab choose Supply in request

In the Extensions tab Highlight Application Policies - Edit - Add and select IP Security tunnel termination. 

Now select that new certificate template to issue.

When I go to the certsrv webpage the template is there at last.

I then generated a CSR on the ASA and used this template to sign it.  I applied the signed certificate to the crypto map and tunnel group and I could bring the tunnel up without the ignore-ipsec-keyusage line under the CA trustpoint.

So thanks again for the assistance in pointing me in the right direction, JP.

Stephen.
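The failure in the original post (ExtendedKeyUsage OID 1.3.6.1.5.5.8.2.2, IP security IKE intermediate, reported as NOT acceptable) and the fix in the post above (adding IP security tunnel termination, 1.3.6.1.5.5.7.3.6, to the duplicated template) both come down to which key-purpose OIDs the issued certificate carries. The script below is an added example, not code from the thread, from Cisco or from Microsoft: with only the Python standard library it encodes and decodes an ExtendedKeyUsage value and applies a model of the ASA's check_key_usage decision to it. The two EKU values are constructed for the example rather than taken from a real certificate, and the acceptable set (the three IPsec key purposes Windows lists as IP security end system, tunnel termination and user) plus the assumption that a certificate with no EKU extension passes are assumptions; the thread itself only shows that IKE intermediate alone is rejected and that tunnel termination makes the tunnel come up.

```python
"""Added example (not from the thread or from Cisco): model the ASA's
check_key_usage verdict on a certificate's ExtendedKeyUsage, stdlib only.
The EKU values below are constructed DER, not certificates from the thread;
the acceptable set is an assumption based on what the thread reports."""

# OIDs as Windows names them under a template's Application Policies
IP_SECURITY_END_SYSTEM = "1.3.6.1.5.5.7.3.5"
IP_SECURITY_TUNNEL_TERMINATION = "1.3.6.1.5.5.7.3.6"
IP_SECURITY_USER = "1.3.6.1.5.5.7.3.7"
IP_SECURITY_IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"   # the one that was rejected

# Assumed acceptable set: the thread only shows that IKE intermediate alone is
# NOT acceptable and that adding tunnel termination brings the tunnel up.
ACCEPTABLE_IPSEC_EKUS = {IP_SECURITY_END_SYSTEM,
                         IP_SECURITY_TUNNEL_TERMINATION, IP_SECURITY_USER}


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """Dotted OID -> DER OBJECT IDENTIFIER (tag 0x06, base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return b"\x06" + _der_length(len(out)) + bytes(out)


def encode_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE OF KeyPurposeId (the extension value)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _der_length(len(body)) + body


def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Content octets of an OBJECT IDENTIFIER -> dotted string."""
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # high bit clear ends the arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Parse an ExtKeyUsageSyntax value into a list of dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU members must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(content))
    return oids


def check_key_usage(eku_der, ignore_ipsec_keyusage=False):
    """Model of the trustpoint decision; returns (acceptable, reason).
    eku_der=None models a certificate with no EKU extension at all (assumed
    to pass); ignore_ipsec_keyusage models 'ignore-ipsec-keyusage'."""
    if ignore_ipsec_keyusage:
        return True, "EKU check skipped (ignore-ipsec-keyusage)"
    if eku_der is None:
        return True, "no ExtendedKeyUsage extension, nothing to enforce"
    oids = decode_eku(eku_der)
    matched = [o for o in oids if o in ACCEPTABLE_IPSEC_EKUS]
    if matched:
        return True, "acceptable EKU present: " + ", ".join(matched)
    return False, "ExtendedKeyUsage OID = %s, NOT acceptable" % ", ".join(oids)


# Constructed: what the IPSec (Offline request) template puts in the cert
OFFLINE_REQUEST_EKU = encode_eku([IP_SECURITY_IKE_INTERMEDIATE])
# Constructed: the duplicated template with IP security tunnel termination added
FIXED_TEMPLATE_EKU = encode_eku([IP_SECURITY_IKE_INTERMEDIATE,
                                 IP_SECURITY_TUNNEL_TERMINATION])
```

Calling check_key_usage(OFFLINE_REQUEST_EKU) reproduces the verdict from the debug in the original post, check_key_usage(FIXED_TEMPLATE_EKU) passes on the tunnel-termination OID, and check_key_usage(OFFLINE_REQUEST_EKU, True) shows why the ignore-ipsec-keyusage workaround hides the problem rather than fixing it. To apply the same check to a real issued certificate before loading it on the ASA, dump its EKU OIDs with openssl x509 -in asa.cer -noout -ext extendedKeyUsage (OpenSSL 1.1.1 or later) or certutil -dump asa.cer on the Windows CA and compare them against the OIDs above.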

Cisco Employee

Hi Stephen,

Thanks for sharing the steps to make this work from the server side; I am glad everything works now.

Hope this info helps!!

Rate if it helps you!!

-JP-