
Remote Access Ipsec VPN with Certificate Authentication

avilah
Level 1

Hello All,

I am trying to set up a remote access VPN using certificate authentication. I purchased a cert from Network Solutions and was able to install it on my ASA 5520 without a problem. I need to know how to export that cert or manipulate it so that I can install it on my VPN clients. The VPN works with a shared secret, but I can't get the cert from the ASA that I purchased from Network Solutions onto my clients. Thank you.

5 Replies

Marcin Latosiewicz
Cisco Employee

You do not need the cert from the ASA on the clients; what you need on the clients is to trust the issuer of the ASA's certificate and (typically) enroll your clients with the same CA.

M.

How is this done? I'd imagine I would NOT have to purchase a CA for each client, correct? How do I enroll them using a third party like Network Solutions? Thank you.

H

If you want to do mutual authentication, both sides need to identify themselves with a certificate.

In SSL the gateway/server can identify itself to the client, but doesn't require that the client authenticate itself with a certificate.

In IKEv2 we have the option to have EAP and certificate authentication (or certificate and certificate).

However, IKEv2 is only supported with AnyConnect, not with the legacy VPN client.

If you want to do mutual authentication, both sides need to identify themselves with a certificate.

In SSL the gateway/server can identify itself to the client, but doesn't require that the client authenticate itself with a certificate.

Can you please give me some guidance as to how the client identifies itself with the certificate? Is there a how-to guide available? In other words, what are the steps I need to take on the client? As I said, I am using a cert on the ASA from Network Solutions.

Thank you!

H

For an actual in-depth understanding of how it's done, it's best you head to the TLS and IKEv2/IKEv1 RFCs, depending on what and how you want to do.

Implementation: once you know what you want to do, let me know; I should be able to point you to some config examples.

M.
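
The trust model described in the replies, as an added example that is not part of the original thread or any Cisco configuration: a throwaway CA (a stand-in for whichever CA issues both sides' certificates) signs a gateway and a client certificate, and each peer validates the other against the CA certificate alone. All names and file paths are constructed, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Constructed lab PKI: all names and files are throwaway samples.
set -eu

build_lab_pki() {
  # $1 = output directory. One CA issues both the gateway and client certs.
  pki_dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Lab Issuing CA" \
    -keyout "$pki_dir/ca.key" -out "$pki_dir/ca.crt" 2>/dev/null
  for name in gateway client; do
    # Each peer generates its own key and CSR; the private key never leaves it.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=lab-$name" \
      -keyout "$pki_dir/$name.key" -out "$pki_dir/$name.csr" 2>/dev/null
    # The CA signs the CSR, producing that peer's identity certificate.
    openssl x509 -req -in "$pki_dir/$name.csr" -days 30 \
      -CA "$pki_dir/ca.crt" -CAkey "$pki_dir/ca.key" -CAcreateserial \
      -out "$pki_dir/$name.crt" 2>/dev/null
  done
}

chain_ok() {
  # $1 = certificate used as trust anchor, $2 = certificate the peer presents.
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work="$(mktemp -d)"
trap 'rm -rf "$work"' EXIT
build_lab_pki "$work"

# Each side validates the other's identity certificate against the shared CA.
chain_ok "$work/ca.crt" "$work/gateway.crt" && echo "client accepts gateway cert"
chain_ok "$work/ca.crt" "$work/client.crt" && echo "gateway accepts client cert"
# The gateway's own certificate is not an issuer, so it cannot vouch for a client.
chain_ok "$work/gateway.crt" "$work/client.crt" || echo "gateway cert is not a trust anchor"
```

The last check is the reason copying the gateway's identity certificate to clients does not help: the client needs the issuing CA's certificate as a trust anchor plus its own certificate and key.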
