RemoteAccess VPN to ASA 7.2(2) using self-signed Certificate

inghau
Level 1

Dear friends,

I need help or a guide on how to set this up as stated in the title.

Can this configuration be done? Or can a self-signed certificate never be used as a VPN certificate?

Unfortunately we can't deploy a dedicated CA Server.

But we also can't use preshared-key authentication, because the configuration would force our ASA to disable "isakmp am-disable", which is unacceptable according to our independent network auditor.

So the best solution I can think of is to use a self-signed certificate to accommodate this.

Please advise me if there is some way I can use "isakmp am-disable" along with a preshared key.

Can I generate a certificate using my ASA box? Or do I really need to use a dedicated CA Server to make it work?

Here is a sample of the self-signed certificate from the ASA, but I can't import it into my Cisco VPN Client 5.0; it keeps saying "Error 39: Unable to import certificate"

MIIGpwIBAzCCBmEGCSqGSIb3DQEHAaCCBlIEggZOMIIGSjCCBkYGCSqGSIb3DQEH

...removed

SdCTfNIaE11Fm+rOMD0wITAJBgUrDgMCGgUABBS6s9ZMs6MoqQ0tdZuKRZuebbE3

owQU/z10f/Ew3XMfWBYSV5Eo3evqqgwCAgQA

I'll be very, very grateful for any guidance provided.

Best Regards,

Sab

1 Accepted Solution

ggilbert
Cisco Employee

Sab,

You need to have a separate CA server to issue the certificates for the client and you need to enroll the ASA to the CA server.

You can't use the self-signed certificate on the ASA for the VPN client.

Cheers,

Gilbert

Hi Gilbert,

This was my first post in the forum. Thanks to you, I know that we can't use a self-signed certificate for IPSec VPN.

Let's get back to the other threads. I believe this thread is solved.

Thanks