Setting up remote access VPN with certificates

  • Setting up remote access VPN with certificates

    Hi to all,

    I recently started to get around with the ASA 5505. For testing purposes, I created a remote access VPN with a pre-shared tunnel key and NT authentication for users, and it all works. On the user side I am using the Cisco VPN client, and everything is fine.

    My question is how to enable certificates for tunnel authentication. The machine is on the domain, and I have access to Microsoft Active Directory Certificate Services. Is it possible to allow users to be authenticated with the client certificates on their machines? I am quite a newbie in this one (certificates etc.), so some help would be more than appreciated.

    Also, how can I monitor and view logs about VPN connections? I checked the Monitoring -> VPN tab, but are there any other logs?

    Thanks in advance, and sorry for posting these newbie questions.
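One way to do what the question asks, as an added example written for this page in ASA 8.2-era IKEv1 syntax (it is not from the thread or from any Cisco guide linked in it). Everything named here is an assumption chosen for illustration: the trustpoint INTERNAL-CA, keypair VPN-KEY, tunnel-group CERT-RA, group-policy CERT-RA-POLICY, pool VPN-POOL, the hostname/domain ciscoasa / internal.local, and a client-certificate OU of VPN-Users issued by the Microsoft CA. The point is the swap from `authentication pre-share` to `authentication rsa-sig` plus a trustpoint on the tunnel group, with the client certificate steering the session into that tunnel group:

```text
! Added example (ASA 8.2 IKEv1 syntax), not the original poster's config.
! Assumed names: INTERNAL-CA, VPN-KEY, CERT-RA, CERT-RA-POLICY, VPN-POOL, OU=VPN-Users.
hostname ciscoasa
domain-name internal.local

! 1. ASA identity certificate. The fqdn/subject in the CSR must agree with hostname +
!    domain-name above; generate the key before the trustpoint references it.
crypto key generate rsa label VPN-KEY modulus 2048
crypto ca trustpoint INTERNAL-CA
 enrollment terminal
 fqdn ciscoasa.internal.local
 subject-name CN=ciscoasa.internal.local,O=Example
 keypair VPN-KEY
 crl configure
!   crypto ca authenticate INTERNAL-CA         -> paste the CA's base64 certificate
!   crypto ca enroll INTERNAL-CA               -> copy the CSR to the CA and have it issued
!   crypto ca import INTERNAL-CA certificate   -> paste the issued ASA certificate

! 2. Phase 1 with RSA signatures instead of a pre-shared key; identity taken from the cert DN.
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp identity auto
crypto isakmp enable outside

! 3. Phase 2 and the dynamic crypto map that remote-access clients land on.
crypto ipsec transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map OUTSIDE-MAP interface outside

! 4. Client addressing and policy.
ip local pool VPN-POOL 172.17.0.230-172.17.0.254 mask 255.255.255.0
group-policy CERT-RA-POLICY internal
group-policy CERT-RA-POLICY attributes
 vpn-tunnel-protocol IPSec
 default-domain value internal.local

! 5. Tunnel group: the client's certificate is validated against the trustpoint,
!    there is no pre-shared key, and peer-id-validate keeps the identity check enforced.
tunnel-group CERT-RA type remote-access
tunnel-group CERT-RA general-attributes
 address-pool VPN-POOL
 default-group-policy CERT-RA-POLICY
tunnel-group CERT-RA ipsec-attributes
 trust-point INTERNAL-CA
 peer-id-validate req

! 6. Select the tunnel group from a subject field of the presented certificate,
!    rather than relying on the OU matching the tunnel-group name.
crypto ca certificate map CERT-MAP 10
 subject-name attr ou eq VPN-Users
tunnel-group-map enable rules
tunnel-group-map CERT-MAP 10 CERT-RA
```

To keep the existing NT user authentication on top of the certificate (certificate proves the machine, Xauth proves the user), add `authentication-server-group` with the NT server group under `general-attributes` and `isakmp ikev1-user-authentication xauth` under `ipsec-attributes`. Certificates issued to the client must chain to the same CA the trustpoint was authenticated with, and the ASA checks revocation according to the trustpoint's `crl configure` settings, so the CRL distribution point on the Microsoft CA has to be reachable from the ASA or revocation checking has to be explicitly relaxed.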

  • #2
    Re: Setting up remote access VPN with certificates

    Will this help?
    http://www.cisco.com/en/US/products/...80930f21.shtml
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"

    • #3
      Re: Setting up remote access VPN with certificates

      I suppose that's it, when I try it out, I'll let you know.

      Thanks a lot!

      • #4
        Re: Setting up remote access VPN with certificates

        Hi,
        The link below explains how it works when you're setting up a VPN with certificates (related to setting up remote access VPN with certificates).

        http://www.tacteam.net/isaserverorg/...nclienteap.htm

        • #5
          Re: Setting up remote access VPN with certificates

          But that is Microsoft-related and not Cisco-related.
          Marcel

          • #6
            Re: Setting up remote access VPN with certificates

            I followed this guide http://www.cisco.com/en/US/products/...8092d8f1.shtml and everything went OK in the configuration process, but when I try to connect with a client, I get the following error: Invalid SPI size.

            The thing is that in step 4 it says that the FQDNs don't match (the one I entered in step 3 and that of the device), but I'm sure they're right (hostname is ciscoasa, domain is internal.local).
            Last edited by Highl1; 27th October 2009, 15:28.

            • #7
              Re: Setting up remote access VPN with certificates

              Have you seen this too?
              https://supportforums.cisco.com/docs...2F7230DD.node0
              Marcel

              • #8
                Re: Setting up remote access VPN with certificates

                Yep, I did. The thing is that on the CA web page I don't have the IPSec template available. Also, both vpnuser and vpnserver are user accounts on the domain, so if the user logs in to the http://ca/certsrv page and asks for an IPSec (offline) cert, he will get a user certificate, right? Maybe that's the problem with this setup.

                • #9
                  Re: Setting up remote access VPN with certificates

                  Microsoft CA I guess?
                  This might help:
                  http://support.microsoft.com/kb/555281
                  Marcel

                  • #10
                    Re: Setting up remote access VPN with certificates

                    I used the IPSec (offline) template, but it didn't work. In the end a colleague generated the certificates with OpenSSL; I didn't get into the details.

                    My question now is: the client is connected, so how can I get him to see the other site-to-site connections I have on the ASA, and how do I give him Internet? The ASA's inside IP is 172.17.0.1, and I have Microsoft DHCP giving addresses from .100-.200 to regular users connecting in the office over Ethernet or WiFi, so I set the ASA to give VPN clients addresses from the pool .230-.254.
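The two things asked for here (VPN clients reaching networks behind the existing site-to-site tunnels, and Internet access for them) are both a NAT-and-crypto-ACL exercise on the ASA. Below is an added example in ASA 8.2 syntax, not the poster's configuration. Assumptions, all chosen for illustration: interfaces named inside and outside, the client pool .230-.254 from the post covered by the summary 172.17.0.224/27 (ACLs take a network and mask, not a range), one site-to-site peer whose remote LAN is 192.168.50.0/24 and whose crypto ACL is called L2L-SITEB, and a group-policy for the clients called CERT-RA-POLICY. It shows both ways of giving Internet access, with the security trade-off in the comments:

```text
! Added example (ASA 8.2 NAT and crypto syntax), not the original poster's config.
! Assumptions: inside/outside interface names, pool summarised as 172.17.0.224/27,
! remote site LAN 192.168.50.0/24 on crypto ACL L2L-SITEB, group-policy CERT-RA-POLICY.
ip local pool VPN-POOL 172.17.0.230-172.17.0.254 mask 255.255.255.0

! Client traffic toward the L2L peer or the Internet enters and leaves the same interface
! (outside). The ASA drops that "hairpin" unless intra-interface traffic is permitted.
same-security-traffic permit intra-interface

! A. Inside LAN <-> VPN clients: exempt from NAT.
access-list NONAT-INSIDE extended permit ip 172.17.0.0 255.255.255.0 172.17.0.224 255.255.255.224
nat (inside) 0 access-list NONAT-INSIDE

! B. VPN clients -> remote site: add the pool to the L2L interesting-traffic ACL
!    (the remote end must mirror this line in its own ACL) and exempt it from NAT on outside.
access-list L2L-SITEB extended permit ip 172.17.0.0 255.255.255.0 192.168.50.0 255.255.255.0
access-list L2L-SITEB extended permit ip 172.17.0.224 255.255.255.224 192.168.50.0 255.255.255.0
access-list NONAT-OUTSIDE extended permit ip 172.17.0.224 255.255.255.224 192.168.50.0 255.255.255.0
nat (outside) 0 access-list NONAT-OUTSIDE

! C1. Internet, option 1 (tunnel-all + hairpin): PAT the pool behind the outside address.
!     Every packet the client sends crosses the ASA and its policy; the stronger choice.
nat (outside) 1 172.17.0.224 255.255.255.224
global (outside) 1 interface
group-policy CERT-RA-POLICY attributes
 split-tunnel-policy tunnelall

! C2. Internet, option 2 (split tunnel): only the listed networks go through the tunnel.
!     Internet traffic leaves the client directly and is never seen by the ASA, so the
!     client is simultaneously on an untrusted network and inside the VPN.
access-list SPLIT-TUNNEL standard permit 172.17.0.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.50.0 255.255.255.0
group-policy CERT-RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
```

Use C1 or C2, not both; the last `split-tunnel-policy` entered wins. After changing a crypto ACL on an established site-to-site tunnel, clear its SAs (`clear crypto ipsec sa peer <address>`) so the new selectors are negotiated, and check with `show crypto ipsec sa` that an SA for the pool-to-remote-LAN pair actually comes up.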

                    • #11
                      Re: Setting up remote access VPN with certificates

                      I managed to do this, but I am curious how I can log the connection with the VPN client on the ASA. I tried to use together:
                      terminal monitor
                      debug crypto ipsec
                      debug crypto isakmp
                      debug crypto vpnclient

                      But no luck, whether I connect successfully to some tunnel or cannot connect at all.

                      Any help?
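Two things are needed on an ASA for the commands in the post to show anything from an SSH or telnet session: the monitor logging destination has to be enabled at a level that includes debug output (`terminal monitor` by itself only subscribes the session), and the persistent record has to be turned on separately from debugging. `debug crypto vpnclient` concerns the 5505 acting as an Easy VPN hardware client, not remote-access clients terminating on it. Below is an added example of a logging setup for this case, not the poster's configuration; the syslog host 172.17.0.20 is assumed for illustration:

```text
! Added example, not the original poster's config. Assumed: syslog host 172.17.0.20 on inside.

! 1. Persistent record: buffered log on the box plus an external syslog server,
!    with the VPN-related classes raised to debugging so the buffer is not flooded
!    by everything else (713xxx = IKE/IPsec messages, 113xxx = AAA/session messages).
logging enable
logging timestamp
logging buffer-size 262144
logging buffered informational
logging host inside 172.17.0.20
logging trap informational
logging class vpn buffered debugging
logging class vpnc buffered debugging
logging class ca buffered debugging

! 2. Live view from an SSH/telnet session: the monitor destination must be at a level
!    that carries debug output, otherwise "terminal monitor" shows nothing.
logging monitor debugging
terminal monitor
debug crypto isakmp 127
debug crypto ipsec 127
debug crypto ca 3
! when done: undebug all, then "no logging monitor debugging"; level 127 is expensive.

! 3. State rather than log lines: who is connected, through which tunnel group,
!    with which policy, and the IKE/IPsec SA counters.
show vpn-sessiondb remote
show vpn-sessiondb detail remote
show crypto isakmp sa
show crypto ipsec sa
show crypto ca certificates
show logging | include 713
```

For a certificate problem the `ca` class and `debug crypto ca` are the ones that say why a client certificate was rejected (chain, CRL, FQDN/subject mismatch); the `isakmp` debug only reports that Phase 1 failed. Keep the syslog server line in production even if the debugging classes are turned back down: the buffered log is lost on reload, and a session record that exists only on the firewall is not much use during incident response.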
