05-20-2007 09:03 PM - edited 02-21-2020 03:04 PM
I want to configure remote access VPN using RSA ID.
i.e., instead of the key command, I want the client to enter the RSA ID. Is this possible? If yes, then could someone help me out, please.
I am in a bit of urgency for this; my management gave me this as an urgent requirement :-(
I am using a 6500 switch with an IPSEC/VPN accelerator module.
05-21-2007 05:54 PM
Is your requirement to use certificates instead of a pre-shared key? Is that what you are trying to do?
Are you trying to build a site-to-site tunnel or a remote access connection?
What kind of CA server are you going to use?
Let me know, I can give you some documentation.
Thanks,
Gilbert
05-23-2007 06:49 PM
Hi Gilbert,
I'm having a similar issue in my setup.
Is it possible to set up a remote access VPN using a self-signed certificate from the ASA?
If that is not possible, can you point me to some documentation on the fastest way to configure it?
Thanks
05-24-2007 03:09 AM
Hi Perkom,
No, you cannot use the self-signed certificate on the ASA for remote access VPN connections. You have to use a CA server for that purpose.
A self-signed certificate can be used only for the purpose of WebVPN/SSL VPN connections, for validation.
The easiest way to configure a remote access VPN connection is to use the VPN wizard on the ASDM. It guides you through the step-by-step process.
Here is the configuration example for that.
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml
Hope this is what you are looking for.
Rate this post, if it helps.
Cheers
Gilbert
05-24-2007 05:31 PM
Hi Gilbert,
Thank you for your help.
I'd really appreciate it.
I'm planning to use a Windows 2003 CA Server, but I can't find the guide on how to configure the CA Server. Do you know where I can find those references?
best regards,
Sab
05-24-2007 06:18 PM
Sab,
Google search revealed this.
http://www.tacteam.net/isaserverorg/vpnkitbeta2/installstandaloneca.htm
Rate this post if it helps.
Cheers
Gilbert
05-24-2007 09:51 PM
Hi Gilbert,
Thanks for your assistance. I'm currently developing the CA Server now
and following the instructions from the web page, but when I try to authenticate there is some error.
What is the possible cause here? Perhaps you can point me in some direction :)
Best regards,
Sab
pdirect(config)# crypto ca authenticate cert
Crypto CA thread wakes up!
CRYPTO_PKI: Sending CA Certificate Request:
GET /CertSrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=cert HTTP/1.0
CRYPTO_PKI: http connection opened
INFO: Certificate has the following attributes:
Fingerprint: 406e5696 459ecc7a e174e6ad 781e0cfd
Do you accept this certificate? [yes/no]: Crypto CA thread sleeps!
yes
% CA Cert not yet valid or is expired -
start date: 12:19:37 JAVT May 26 2007
end date: 12:28:13 JAVT May 26 2012
% Error in saving certificate: status = FAIL
pdirect(config)#
CRYPTO_PKI: status = 65535: failed to insert CA cert
pdirect(config)#
05-25-2007 12:57 PM
Sab,
What kind of CA server is it that you are using?
Can you please send me the information that you have configured for the CA server before authentication to the server?
Awaiting your response.
Cheers
Gilbert
05-25-2007 06:48 PM
Hi Gilbert,
I've configured a new 2003 Server and the CA Server, and also installed the SCEP add-on on this server.
But the ASA seems to fail to authenticate the CA even though I've followed all the instructions here: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008073b12b.shtml#maintask1
The error message is in my previous message in this thread.
I suspect the CA configuration needs a little bit of fine-tuning.
But I can't find any guide on how to fine-tune the 2003 CA Server to match the Cisco ASA.
Do you have any hints for me? :)
best regards,
Sab
05-28-2007 07:57 PM
Sab
Sorry for the delayed response.
Can you please send me the output of
sh run | begin crypto ca trustpoint
Thanks
Gilbert
05-28-2007 08:34 PM
Hi Gilbert,
That's okay, I understand.
The authentication issue is fixed now.
I configured the ASA and CA server using NTP.
I think the Cisco guide shouldn't put OPTIONAL on the ASA_Cert.pdf guide.
I found that NTP is mandatory for this configuration.
Right now I can successfully configure the manual authentication and manual enrollment.
But I still can't import the PKCS#12 from the ASA to the VPN Client.
Can I use manual certificate authentication and enrollment in my configuration?
Thanks
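The "CA Cert not yet valid" failure quoted earlier in the thread is the ASA comparing its own clock against the certificate's validity window, and the poster's fix was NTP. The following is an added example, not code from the thread or from Cisco, that performs that same check over the two date lines the ASA printed: it parses them, classifies the device clock as before, inside or after the window, and reports how far the clock is off. The "JAVT" token is taken from the quoted output and treated only as a label; the example assumes the CA and device timestamps are in the same zone, and the device-clock value used below is constructed (a couple of days behind the CA, which is what the start date later than the post date suggests).

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the validity lines exactly as the ASA printed them in the thread.
SAMPLE_CA_OUTPUT = """\
% CA Cert not yet valid or is expired -
start date: 12:19:37 JAVT May 26 2007
end date: 12:28:13 JAVT May 26 2012
"""

# Constructed device clock at the moment of "crypto ca authenticate" (hypothetical):
# two days behind the CA clock, enough to land before the certificate's start date.
DEVICE_CLOCK_AT_AUTHENTICATION = datetime(2007, 5, 24, 21, 51, 0)

# "start date: HH:MM:SS <zone> Mon DD YYYY"; the zone label is captured but not interpreted.
DATE_RE = re.compile(
    r"^\s*(start|end) date:\s+(\d{2}:\d{2}:\d{2})\s+(\S+)\s+(\w{3} \d{1,2} \d{4})\s*$",
    re.MULTILINE,
)


def parse_validity(output):
    """Return (not_before, not_after) as naive datetimes parsed from ASA output."""
    found = {}
    for which, clock, _zone, day in DATE_RE.findall(output):
        found[which] = datetime.strptime(f"{clock} {day}", "%H:%M:%S %b %d %Y")
    if "start" not in found or "end" not in found:
        raise ValueError("output does not contain both start and end date lines")
    return found["start"], found["end"]


def check_validity(not_before, not_after, now):
    """Classify `now` against the window the way the device does: strict bounds, no grace."""
    if now < not_before:
        return "not yet valid"
    if now > not_after:
        return "expired"
    return "valid"


def skew_to_valid(not_before, not_after, now):
    """Signed offset that would move `now` inside the window (zero if already inside).

    Positive means the device clock is behind the CA's clock; negative means ahead.
    A large value is a clock problem to fix with NTP, not a reason to widen the window.
    """
    if now < not_before:
        return not_before - now
    if now > not_after:
        return not_after - now
    return timedelta(0)


def diagnose(output, now):
    """Run the whole check and return plain values suitable for logging or a ticket."""
    not_before, not_after = parse_validity(output)
    return {
        "not_before": not_before.isoformat(),
        "not_after": not_after.isoformat(),
        "status": check_validity(not_before, not_after, now),
        "skew_seconds": skew_to_valid(not_before, not_after, now).total_seconds(),
    }


if __name__ == "__main__":
    result = diagnose(SAMPLE_CA_OUTPUT, DEVICE_CLOCK_AT_AUTHENTICATION)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Running the sample reports the status as "not yet valid" with a positive skew of a little over a day and a half, which is the signature of a device clock behind the CA; the same function reports "expired" with a negative skew when the clock is past the end date. Either way the remediation is to synchronise both sides (NTP on the ASA and on the CA host), not to accept the prompt again.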
05-29-2007 04:45 AM
Sab,
For the VPN client, you have to get the certificate directly from the CA server itself. Not from the ASA.
Cheers
Gilbert
05-29-2007 05:43 PM
Can I use the manual request (http://certserver/certsrv), or do I have to use the SCEP method (http://certserver/certsrv/mscep/mscep.dll)?
I'm planning to roll out the certificate in the client's installation CD.
So we don't need to re-request a certificate every time we create a new one.
Thanks a lot.
05-30-2007 05:34 AM
What I would do is just get the CA certificate (root certificate) from the CA server and then package my client.
So, when the user gets the CD, the root certificate is already there, but they just need to access the CA server and get their own user certificate.
Or you can just package the client and give the user the URL http://certserver/mscep..... information and instructions on how to get the certificate.
Cheers
Gilbert