IPsec Cisco VPN Client <==> Cisco IOS router

Answered Question
Sep 20th, 2011

Hi,

I need to implement an IPsec VPN for about 10-15 users. They all use Cisco VPN Client 5.x and we have a Cisco IOS router in the office. We already have a working situation for these users. However, it has become a requirement that only known devices (company laptops) are allowed to set up a VPN.

I figure the only way to accomplish this is to use certificates. But we don't want to buy certificates if there's a free way to set this up. So my questions are:

1) What options do I have to set up an IPsec VPN where only known devices can successfully set up a VPN and all other unknown devices are blocked?

2) If certificates are the only way, can I somehow produce these certificates myself using the Cisco IOS router?

3) Does anyone have an example of a similar setup/configuration?

Thanks in advance.

Regards,

M.

Jennifer Halim Tue, 09/20/2011 - 01:57

1) Yes, you are on the right track. You can accomplish that by using certificates to authenticate the user.

2) Yes, you can configure the IOS router to be the CA server.

3) Here is the configuration guide for your reference:

http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_cfg_mng_cert_serv_ps10592_TSD_Products_Configuration_Guide_Chapter.html

Hope this helps.
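The following is an added configuration sketch, not from the thread or from the linked Cisco guide, of the two pieces Jennifer describes: the IOS router acting as its own CA, and the Easy VPN server accepting only certificates that CA issued. All names (MYCA, VPN-TP, CLIENT-CERTS, vpnusers, VPNPOOL), addresses and lifetimes are assumptions chosen for the example; check them against the guide and your IOS release before use.

```cisco
! Added example, not from the original post. Names and addresses are assumed.

! --- 1. Private CA on the router (SCEP enrollment runs over HTTP) ---
ip http server
! Restrict who can reach the HTTP/SCEP listener (access-list 10 assumed to
! permit only the office subnet used for enrollment)
ip http access-class 10
crypto key generate rsa general-keys label MYCA modulus 2048
crypto pki server MYCA
 database level complete
 database url flash:
 issuer-name CN=vpn-ca.example.com,O=Example
 lifetime ca-certificate 1825
 lifetime certificate 365
 cdp-url http://192.0.2.1/MYCA.crl
 ! Grant mode is left at the default (manual): every enrollment request must
 ! be approved by an administrator. That approval step is what keeps unknown
 ! devices out, so do not use "grant auto" here.
 no shutdown

! --- 2. Router's own identity certificate, enrolled against the local CA ---
crypto pki trustpoint VPN-TP
 enrollment url http://192.0.2.1:80
 subject-name CN=vpn-router.example.com,OU=vpnusers
 revocation-check crl
! then, from exec mode:
!   crypto pki authenticate VPN-TP
!   crypto pki enroll VPN-TP

! --- 3. Only accept client certificates from our CA with the expected OU ---
crypto pki certificate map CLIENT-CERTS 10
 issuer-name co vpn-ca.example.com
 subject-name co ou = vpnusers

! --- 4. IKE phase 1 with RSA signatures instead of a pre-shared key ---
aaa new-model
aaa authorization network default local
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 2

! With certificate authentication the OU of the client certificate selects
! the client group, so the group name must equal the OU issued above.
ip local pool VPNPOOL 10.10.10.1 10.10.10.50
crypto isakmp client configuration group vpnusers
 pool VPNPOOL

crypto isakmp profile VPNCLIENT
 ca trust-point VPN-TP
 match certificate CLIENT-CERTS
 isakmp authorization list default
 client configuration address respond
 virtual-template 1

crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
crypto ipsec profile VPNPROF
 set transform-set TS
 set isakmp-profile VPNCLIENT

interface Virtual-Template1 type tunnel
 ip unnumbered GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPNPROF
```

Day-to-day operation is then a short loop: a laptop enrolls via SCEP, the administrator lists pending requests with `crypto pki server MYCA info requests`, approves one with `crypto pki server MYCA grant <request-id>`, and when a laptop is lost revokes its certificate with `crypto pki server MYCA revoke <serial>` so the published CRL blocks it. `show crypto pki server` and `show crypto pki certificates` confirm the CA and the router identity are in place, and `show crypto isakmp sa` shows which clients actually authenticated with RSA signatures.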

michellpoulina Tue, 09/20/2011 - 02:08

Thanks a lot Jennifer. I will have a look at this now.

Can I conclude that there is no other way of doing this other than using certificates?

Correct Answer
Jennifer Halim Tue, 09/20/2011 - 02:15

Unfortunately, if you connect to an IOS router, there is no other way except using certificates. If you are connecting to a Cisco ASA firewall, then you can identify company laptops using DAP (Dynamic Access Policy).
