Questions about using 3rd party certificates for IPSec VPN on ASA-5505

baskervi
Level 1

I'm trying to get this straight in my head. I want to authenticate clients via certificates obtained through Verisign. Do I need a certificate for the ASA as well as the clients for encryption? If so, is it possible to use a self signed certificate for the ASA and use Verisign certificates for the clients? If so, do I have to configure two separate trustpoints? I recently attempted to use self-signed client certificates, but the ASA apparently doesn't work with these for IPSec tunnels, so I'm wondering if self-signed certificates will work for the ASA's certificate.

Thank you

4 Replies

Yudong Wu
Level 7

It should work.

Here is what you need.

1. On the ASA, you need to import the certificates of VeriSign's root CA and intermediate CA. You need two trustpoints: one for the self-signed CA and the other for VeriSign.

2. On the client, you need to import the ASA's self-signed CA as a trusted root CA.

baskervi
Level 1

I'm missing something, but here is the point I believe I'm at:

1) Both certificates from VeriSign have been imported into the ASA. Incidentally, these are both in the VPN clients and were imported when I installed the client's identity certificate.

2) Earlier (a few days ago) I was able to install the self-signed certificate within the ASA in the CA Certificates store, but I haven't been able to replicate this. I've created an identity certificate within the ASA that is assigned to a trustpoint, though. Is this adequate?

3) I've exported the self-signed identity certificate, but I'm unable to import it as I get "Error 39: Unable to import certificate." I've tried both PKCS12 and PEM formats.

I've attached the debugging information, and here's the relevant portion of the configuration:

ip local pool VPNPOOL 10.100.100.1-10.100.100.14 mask 255.255.255.0

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=mobilefirewall
proxy-ldc-issuer
crl configure
crypto ca trustpoint VeriSign_Trustpoint
enrollment terminal
crl configure
crypto ca trustpoint VeriSign_Trustpoint2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint1
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint2
enrollment terminal
crl configure
crypto ca trustpoint ASDM_TrustPoint3
enrollment terminal
crl configure
crypto ca certificate chain ASDM_TrustPoint0          ! ASA self-signed certificate
certificate 8abd0f4d
    3082026e 308201d7 a0030201 0202048a bd0f4d30 0d06092a 864886f7 0d010104
...
    e804f40f e576658d e5225dc8 8e3e6eca e61d
  quit
crypto ca certificate chain VeriSign_Trustpoint           ! VeriSign Class 1 Individual Subscriber CA - G3
certificate ca 008b5b75568454850b00cfaf3848ceb1a4
    3082041a 30820302 0211008b 5b755684 54850b00 cfaf3848 ceb1a430 0d06092a
...
    f3dc0fdf 0a87c4ef 8605d538 146099a3 4bde0696 712cf2db b61fa4ef 3fee
  quit
crypto ca certificate chain VeriSign_Trustpoint2         ! VeriSign Class 1 Public Primary Certification Authority - G3
certificate ca 711566054ae491214de9bc44f9acd3dc
    308206ee 308205d6 a0030201 02021071 1566054a e491214d e9bc44f9 acd3dc30
...
    03e722a8 730bb1bc a0da5258 dd0a0e7f c182
  quit
crypto isakmp enable outside
crypto isakmp policy 65535
authentication rsa-sig
encryption 3des
hash sha
group 5
lifetime 86400

group-policy defaultgroup internal
group-policy defaultgroup attributes
default-domain value priceedwards.com
username vpnuser password * encrypted
username vpnuser attributes
memberof DefaultRAGroup
tunnel-group DefaultRAGroup general-attributes
address-pool VPNPOOL
tunnel-group DefaultRAGroup ipsec-attributes
trust-point ASDM_TrustPoint0

I'd be very grateful for anyone who can point me in the right direction.

Yudong Wu
Level 7

From the client log, you can see it did not understand the ASA's certificate.

594    22:22:54.100  12/20/10  Sev=Info/4    CERT/0x6360000E
Discarding ROOT CA cert sent from peer.

595    22:22:54.100  12/20/10  Sev=Info/5    IKE/0x63000001
Peer supports DPD

596    22:22:54.100  12/20/10  Sev=Warning/3    IKE/0xE300007C
Failed to verify signature

597    22:22:54.100  12/20/10  Sev=Warning/2    IKE/0xE300009B
Failed to authenticate peer (Navigator:915)

You need to import the ASA cert as a trusted root CA on the PC.

1. crypto ca export identity-certificate

2. copy the output to a text file

-----BEGIN CERTIFICATE-----
certificate data here
-----END CERTIFICATE-----

3. Then you should be able to import it to PC.
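The export/import steps above, and the earlier point that the ASA needs both the VeriSign root and the intermediate (subscriber) CA in its trustpoints, can be checked offline with OpenSSL before touching the client. The script below is an added example, not code from the thread or from Cisco; it builds a throw-away PKI with hypothetical names that stand in for the ASA's self-signed certificate, VeriSign's two CAs and the client's identity certificate, then shows the checks: pulling only the BEGIN/END block out of a captured CLI session (the simulated `crypto ca export ASDM_TrustPoint0 identity-certificate` output is constructed here), confirming the exported file parses, whether the ASA cert is self-signed and whether it carries the CA flag that makes a client treat it as a root CA, and chain verification of the client cert with the root alone versus root plus intermediate.

```sh
#!/bin/sh
# Added example, not from the thread or Cisco documentation. Builds a throw-away
# PKI shaped like the poster's setup and runs the OpenSSL checks a practitioner
# would make on the exported ASA certificate and on the client's CA chain.
# Needs the openssl CLI with its default openssl.cnf (1.1.1 and 3.x both work).
# Every name below is a hypothetical stand-in, not the poster's real material:
#   asa.pem    self-signed ASA identity cert, like ASDM_TrustPoint0 (enrollment self)
#   root.pem   stand-in for the VeriSign Public Primary CA (VeriSign_Trustpoint2)
#   inter.pem  stand-in for the VeriSign Individual Subscriber CA (VeriSign_Trustpoint)
#   client.pem stand-in for the VPN client's identity cert, issued by inter.pem

# Generate the demo PKI in a temp directory and print the directory path.
make_demo_pki() {
    d=$(mktemp -d)
    (
        cd "$d" || exit 1
        # Extension profiles: CA certs carry CA:TRUE + keyCertSign, end entities do not.
        printf '[ca]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ext.cnf
        printf '[asa]\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' >> ext.cnf
        printf '[ee]\nbasicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' >> ext.cnf
        for n in asa root inter client; do openssl genrsa -out "$n.key" 2048; done
        openssl req -new -key asa.key    -out asa.csr    -subj "/CN=mobilefirewall"
        openssl req -new -key root.key   -out root.csr   -subj "/CN=Demo Class 1 Public Primary CA"
        openssl req -new -key inter.key  -out inter.csr  -subj "/CN=Demo Class 1 Individual Subscriber CA"
        openssl req -new -key client.key -out client.csr -subj "/CN=vpnuser"
        # Self-signed ASA cert (subject == issuer) and self-signed root CA.
        openssl x509 -req -in asa.csr  -signkey asa.key  -out asa.pem  -days 3650 -extfile ext.cnf -extensions asa
        openssl x509 -req -in root.csr -signkey root.key -out root.pem -days 3650 -extfile ext.cnf -extensions ca
        # Intermediate signed by the root, client identity signed by the intermediate.
        openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
            -out inter.pem -days 1825 -extfile ext.cnf -extensions ca
        openssl x509 -req -in client.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
            -out client.pem -days 365 -extfile ext.cnf -extensions ee
    ) >/dev/null 2>&1 || return 1
    echo "$d"
}

# Step 2 of the export procedure: keep only the BEGIN/END block from a captured
# CLI session, so prompts and echoed commands never end up in the imported file.
extract_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# "yes" when OpenSSL can parse the file as a certificate (what the PC import needs).
pem_parses() {
    if openssl x509 -in "$1" -noout >/dev/null 2>&1; then echo yes; else echo no; fi
}

# "yes" when subject and issuer DN are identical, i.e. the cert is self-signed.
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject)
    i=$(openssl x509 -in "$1" -noout -issuer)
    if [ "${s#subject=}" = "${i#issuer=}" ]; then echo yes; else echo no; fi
}

# "yes" when basicConstraints marks the cert as a CA (a client will treat it as
# a root/CA cert rather than as the peer's identity cert).
cert_is_ca() {
    if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then echo yes; else echo no; fi
}

# usage: verify_chain <trusted-root.pem> <client.pem> [intermediate.pem]
# Mirrors the ASA's view: the root is trusted, the intermediate must be present.
verify_chain() {
    if [ -n "$3" ]; then
        if openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
    else
        if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
    fi
}

# SHA-1 fingerprint, to compare with what the VPN client shows in its CA store.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2
}

main() {
    d=$(make_demo_pki) || { echo "demo PKI generation failed"; return 1; }
    # Constructed stand-in for a captured 'crypto ca export ... identity-certificate'
    # session: the PEM block is wrapped in prompt noise that extract_pem removes.
    { echo "mobilefirewall(config)# crypto ca export ASDM_TrustPoint0 identity-certificate"
      cat "$d/asa.pem"; echo "mobilefirewall(config)#"; } > "$d/session.txt"
    extract_pem "$d/session.txt" > "$d/asa_for_pc.pem"
    echo "exported ASA cert parses:      $(pem_parses "$d/asa_for_pc.pem")"
    echo "ASA cert self-signed:          $(cert_is_self_signed "$d/asa.pem")"
    echo "ASA cert flagged as CA:        $(cert_is_ca "$d/asa.pem")"
    echo "client, root CA only:          $(verify_chain "$d/root.pem" "$d/client.pem")"
    echo "client, root + intermediate:   $(verify_chain "$d/root.pem" "$d/client.pem" "$d/inter.pem")"
    echo "ASA cert SHA-1 fingerprint:    $(cert_fingerprint "$d/asa.pem")"
    rm -rf "$d"
}
main
```

The root-only verification fails and the root-plus-intermediate one succeeds, which is the practical meaning of the "two trustpoints" advice: the ASA can only validate a VeriSign subscriber certificate if the intermediate that issued it is present alongside the root. The fingerprint line is there so the certificate the client lists in its CA store can be matched against the one actually exported from the ASA.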

baskervi
Level 1

Thanks for your assistance. I was able to export and import the certificate, so now in the VPN client there is a mobilefirewall certificate in the CA store that is valid until 2020. Unfortunately I receive the same errors on the VPN client. One thing that puzzles me is that the client log window shows "Discarding ROOT CA cert sent from peer." prior to showing "Failed to verify signature" and "Failed to authenticate peer." Why would the ASA be sending a root certificate?

This may also be a factor, but when I installed the identity certificate in the VPN client, two VeriSign certificates were also installed. I wasn't able to export these from the client for installation on the ASA. I was, however, able to find one (VeriSign Class 1 Public Primary Certification Authority - G3) on VeriSign's website. I couldn't find the other (VeriSign Class 1 Individual Subscriber CA - G3) on VeriSign's website, so I downloaded it from a website called globaltrustpoint.com. Could this be part of the problem?