Beginner

Remote Access Ipsec VPN with Certificate Authentication

Hello All,

I am trying to set up a remote access VPN using certificate authentication.  I purchased a cert from Network Solutions and was able to install it on my ASA 5520 without a problem.  I need to know how to export that cert or manipulate it so that I can install it on my VPN clients.  The VPN works with a shared secret, but I can't get the cert from the ASA that I purchased from Network Solutions onto my clients.  Thank you.

5 REPLIES
Cisco Employee

You do not need the cert from ASA on the clients, what you need on the clients is to trust the issuer of ASA's certificate and (typically) enroll your clients with same CA.

M.


How is this done?  I'd imagine I would NOT have to purchase a CA for each client, correct?  How do I enroll them using a third party like Network Solutions?  Thank you.

H


If you want to do mutual authentication, both sides need to identify themselves with a certificate.

In SSL the gateway/server can identify itself to the client, but it doesn't require that the client authenticate itself with a certificate.

In IKEv2 we have the option to have EAP and certificate authentication (or certificate and certificate).

However, IKEv2 is only supported with AnyConnect, not with the legacy VPN client.
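To make the two points above concrete (the clients need to trust the issuer of the ASA's certificate and enroll with a CA the ASA trusts; in mutual authentication each side validates the certificate the other side sends), here is an added openssl example. It is not from this thread and is not Cisco ASA or AnyConnect configuration: it builds two small CAs on a workstation and shows which certificate validates against which CA. All names in it (public-ca, lab-ca, vpn-gateway, client1) are constructed placeholders; "public-ca" stands in for the commercial issuer of the ASA's certificate and "lab-ca" for the CA the clients enroll with.

```shell
#!/bin/sh
# Added example, not from this thread and not Cisco's own configuration: a small
# openssl lab that shows why the gateway's purchased certificate is not what the
# clients need. All names below (public-ca, lab-ca, vpn-gateway, client1) are
# constructed placeholders; "public-ca" stands in for the commercial issuer of
# the ASA's certificate, "lab-ca" for the CA the clients enroll with.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Minimal openssl config: an empty DN section (subjects are passed with -subj)
# plus the two extension profiles a CA and an end-entity certificate need.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth,serverAuth
subjectKeyIdentifier = hash
EOF

# make_ca NAME: self-signed CA certificate and key in $WORK/NAME.crt and $WORK/NAME.key
make_ca() {
  openssl req -x509 -config "$WORK/openssl.cnf" -extensions ca_ext \
    -newkey rsa:2048 -nodes -days 365 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# issue_cert CA SUBJECT: enroll SUBJECT with CA (CSR first, then a CA-signed cert)
issue_cert() {
  openssl req -new -config "$WORK/openssl.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=$2" -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 365 -extfile "$WORK/openssl.cnf" -extensions leaf_ext \
    -out "$WORK/$2.crt" >/dev/null 2>&1
}

# verify_chain CA SUBJECT: prints "ok" if SUBJECT's cert chains to CA, else "fail".
# This is the check each VPN peer performs on the certificate the other side presents.
verify_chain() {
  if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

demo() {
  make_ca public-ca
  make_ca lab-ca
  issue_cert public-ca vpn-gateway   # the gateway's commercially issued certificate
  issue_cert lab-ca client1          # a client enrolled with the in-house CA
  echo "gateway cert, validated against public-ca: $(verify_chain public-ca vpn-gateway)"
  echo "client1 cert, validated against lab-ca:    $(verify_chain lab-ca client1)"
  echo "client1 cert, validated against public-ca: $(verify_chain public-ca client1)"
}
demo
```

The last line of the demo output is the answer to the original question: a client certificate only validates against the CA that issued it, so copying the gateway's certificate to the clients does nothing for them. Each side needs its own certificate from a CA the peer has been configured to trust (the clients trust public-ca to accept the gateway; the gateway trusts lab-ca to accept the clients).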


If you want to do mutual authentication, both sides need to identify themselves with a certificate.

In SSL the gateway/server can identify itself to the client, but it doesn't require that the client authenticate itself with a certificate.

Can you please give me some guidance as to how the client identifies itself with the certificate?  Is there a how-to guide available?  In other words, what are the steps I need to take on the client?  As I said, I am using a cert on the ASA from Network Solutions.

Thank you!

H


For an actual in-depth understanding of how it's done, it's best you head to the TLS and IKEv2/IKEv1 RFCs, depending on what and how you want to do.

For implementation (once you know what you want to do), let me know; I should be able to point you to some config examples.

M.