Remote Access VPN using RSA ID

Unanswered Question
May 20th, 2007

I want to configure a remote access VPN using RSA ID.

i.e., instead of the key command, I want the client to enter the RSA ID. Is this possible? If yes, could someone help me out, please.

I am in a bit of urgency for this; my management gave me this as an urgent requirement :-(

I am using a 6500 switch with an IPSEC/VPN accelerator module.

ggilbert Mon, 05/21/2007 - 17:54

Is your requirement to use certificates instead of a pre-shared key? Is that what you are trying to do?

Are you trying to build a site-to-site tunnel or a remote access connection?

What kind of CA server are you going to use?

Let me know, I can give you some documentation.



inghau Wed, 05/23/2007 - 18:49

Hi Gilbert,

I'm having a similar issue in my setup.

Is it possible to set up a remote access VPN using a self-signed certificate from the ASA?

If that is not possible, can you point me to some documentation on the fastest way to configure it?


ggilbert Thu, 05/24/2007 - 03:09

Hi Perkom,

No - you cannot use the self-signed certificate on the ASA for remote access VPN connections. You have to use a CA server for that purpose.

A self-signed certificate can be used only for the purpose of WebVPN/SSL VPN connections, for validation.

The easiest way to configure a remote access VPN connection is to use the VPN wizard in ASDM. It guides you through the process step by step.

Here is the configuration example for that.

Hope this is what you are looking for.

Rate this post, if it helps.



inghau Thu, 05/24/2007 - 17:31

Hi Gilbert,

Thank you for your help.

I'd really appreciate it.

I'm planning to use a Win 2003 CA Server, but I can't find the guide on how to configure the CA Server. Do you know where I can find those references?

best regards,


inghau Thu, 05/24/2007 - 21:51

Hi Gilbert,

Thanks for your assistance. I'm currently developing the CA Server now

and following the instructions from the web page, but when I try to authenticate there was some error.

What is the possible cause here? Perhaps you can point me in some direction :)

Best regards,


pdirect(config)# crypto ca authenticate cert
Crypto CA thread wakes up!
CRYPTO_PKI: Sending CA Certificate Request:
GET /CertSrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=cert HTTP/1.0
CRYPTO_PKI: http connection opened
INFO: Certificate has the following attributes:
Fingerprint: 406e5696 459ecc7a e174e6ad 781e0cfd
Do you accept this certificate? [yes/no]: Crypto CA thread sleeps!

% CA Cert not yet valid or is expired -
start date: 12:19:37 JAVT May 26 2007
end date: 12:28:13 JAVT May 26 2012
% Error in saving certificate: status = FAIL

CRYPTO_PKI: status = 65535: failed to insert CA cert


ggilbert Fri, 05/25/2007 - 12:57


What kind of CA server is it that you are using?

Can you please send me the information that you have configured for the CA server before authenticating to the server.

Awaiting your response.



inghau Fri, 05/25/2007 - 18:48

Hi Gilbert,

I've configured a new 2003 Server and the CA Server, and also installed the SCEP Add-on on this server.

But the ASA seems to fail to authenticate the CA even though I've followed all the instructions here.

The error message is in my previous message in this thread.

I suspect the CA configuration needs a little bit of fine tuning.

But I can't find any guide on how to fine-tune the 2003 CA Server to match the Cisco ASA.

Do you have any hints for me :)

best regards,


ggilbert Mon, 05/28/2007 - 19:57


Sorry for the delayed response.

Can you please send me the output of

sh run | begin crypto ca trustpoint



inghau Mon, 05/28/2007 - 20:34

Hi Gilbert,

That's okay, I understand.

The authentication issue is fixed now.

I configured the ASA and CA server to use NTP.

I think the Cisco guide shouldn't mark this OPTIONAL in the ASA_Cert.pdf guide.

I found that NTP is mandatory for this configuration.

Right now I can successfully configure manual authentication and manual enrollment.

But I still can't import the PKCS#12 from the ASA into the VPN Client.

Can I use manual certificate authentication and enrollment in my configuration?
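The failure quoted earlier in this thread ("% CA Cert not yet valid or is expired", with a start date of May 26 while the post was made on May 25) is the ASA comparing its own clock with the notBefore/notAfter window of the CA certificate it just fetched over SCEP. The following is an added example, not code from the thread or from Cisco: it parses a hand-built DER Validity field, renders the dates the way the ASA prints them, and reproduces the accept/reject decision for an unsynchronised and a synchronised device clock. Everything concrete in it is an assumption: that the ASA's "JAVT" timezone is UTC+7, the sample DER bytes (constructed to match the printed dates), and the two device-clock values.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the ASA in the thread ran "clock timezone JAVT 7" (Jakarta, UTC+7).
# The ASA prints certificate dates in its configured timezone, not in UTC.
JAVT = timezone(timedelta(hours=7), "JAVT")

# Constructed sample, not bytes from the thread's CA: a hand-built DER X.509
# Validity SEQUENCE { UTCTime notBefore, UTCTime notAfter } whose UTC values
# correspond to the JAVT dates the ASA printed (12:19:37 May 26 2007 .. 12:28:13 May 26 2012).
SAMPLE_VALIDITY_DER = bytes.fromhex(
    "301e"                                      # SEQUENCE, 30 bytes of content
    + "170d" + "070526051937Z".encode().hex()   # UTCTime notBefore, 13 bytes
    + "170d" + "120526052813Z".encode().hex()   # UTCTime notAfter, 13 bytes
)


def _decode_time(value: str, tag: int) -> datetime:
    """Decode one DER time. UTCTime (0x17) is YYMMDDHHMMSSZ with the RFC 5280
    century rule (YY >= 50 -> 19YY, else 20YY); GeneralizedTime (0x18) is YYYYMMDDHHMMSSZ."""
    if tag == 0x17:
        yy = int(value[:2])
        value = f"{1900 + yy if yy >= 50 else 2000 + yy}{value[2:]}"
    elif tag != 0x18:
        raise ValueError(f"unexpected tag 0x{tag:02x} inside Validity")
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_validity(der: bytes):
    """Parse an X.509 Validity SEQUENCE into (notBefore, notAfter) as aware UTC datetimes.
    Only short-form DER lengths are handled, which is all a Validity field ever needs."""
    if len(der) < 2 or der[0] != 0x30 or der[1] & 0x80:
        raise ValueError("expected a short-form DER SEQUENCE")
    body = der[2:2 + der[1]]
    times, pos = [], 0
    while pos < len(body):
        tag, length = body[pos], body[pos + 1]
        times.append(_decode_time(body[pos + 2:pos + 2 + length].decode("ascii"), tag))
        pos += 2 + length
    if len(times) != 2:
        raise ValueError("Validity must hold exactly two times")
    return times[0], times[1]


def format_asa(t: datetime, tz=JAVT) -> str:
    """Render a time the way 'crypto ca authenticate' prints it, in the device timezone."""
    local = t.astimezone(tz)
    return f"{local:%H:%M:%S %Z %b %d %Y}"


def asa_check(not_before: datetime, not_after: datetime, device_now: datetime):
    """Mirror the ASA's decision: the device clock must sit inside [notBefore, notAfter].
    Returns (accepted, message, skew), where skew is how far the device clock would have
    to move to land inside the window (zero when it already does, negative if it is ahead)."""
    if device_now < not_before:
        skew = not_before - device_now
    elif device_now > not_after:
        skew = not_after - device_now
    else:
        return True, "CA certificate accepted", timedelta(0)
    msg = ("% CA Cert not yet valid or is expired - device clock off by "
           f"{skew} (start date: {format_asa(not_before)}, end date: {format_asa(not_after)})")
    return False, msg, skew


if __name__ == "__main__":
    nb, na = parse_validity(SAMPLE_VALIDITY_DER)
    # Assumed ASA clock at the failing attempt: the CA's root cert was issued
    # roughly a day in the ASA's future, so the window has not opened yet.
    unsynced = datetime(2007, 5, 25, 18, 48, 0, tzinfo=JAVT)
    print(asa_check(nb, na, unsynced)[1])
    # After both boxes are pointed at the same NTP source the clocks agree.
    synced = datetime(2007, 5, 26, 13, 0, 0, tzinfo=JAVT)
    print(asa_check(nb, na, synced)[1])
```

The same window check applies to the ASA's identity certificate and to every client certificate it later validates, so the NTP server should be configured and verified with `show ntp status` before `crypto ca authenticate`, not after the first failure.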


ggilbert Tue, 05/29/2007 - 04:45


For the VPN client, you have to get the certificate directly from the CA server itself. Not from the ASA.



ggilbert Wed, 05/30/2007 - 05:34

What I would do is just get the CA certificate (root certificate) from the CA server and then package my client.

So, when the user gets the CD, the root certificate is already there; they just need to access the CA server and get their own user certificate.

Or you can just package the client and give the user the URL http://certserver/mscep.....

along with information and instructions on how to get the certificate.



