Anyconnect and Certificate auth using SCEP failing
In short I'm getting the error "AnyConnect cannot confirm it is connected to your secure gateway"
I'm trying to use proxy SCEP, so that the anyconnect client actually enrolls with the CA via the ASA when building the connection, so that the user doesn't have to start going to places manually installing certificates on their machines.
I've been asked by a customer to bolt on to their existing AnyConnect solution I built, certificate authentication. I've built it in a lab on GNS. All goes well, I can get the AnyConnect VPN to connect using the local DB users - fine. Then, I've set up a Cisco router as the CA and to auto-enroll, this works fine for the ASA, I get that enrolled and all working well. So it's all looking good at this point, but I cannot get the AnyConnect client to use the certificate like in all the docs I've read and videos I've watched of other people doing it.
I've done the following to set it up after the ASA is enrolled which I believe is correct:
1. Changed the SSL settings on the outside to use the new cert
2. Set the anyconnect profile to use cert and local authentication
3. Under the group policy for anyconnect, I've manually put in the scep url of http://x.x.x.x:80, the same one I enrolled the ASA with
4. Under the Anyconnect client profile I have enabled certificate enrollment and set the same CA url in here too
But as soon as I fire up the Anyconnect session, I get the error "AnyConnect cannot confirm it is connected to your secure gateway" ????
As soon as I go back into the connection profile and drop it back to LOCAL auth, it works fine again?!
Both the ASA and Client PC have reachability to the CA server.
On a side note, I put the CA server router on the OUTSIDE of the firewall, as I've no idea how the client PC is meant to communicate with it otherwise? If the tunnel isn't built, how can the client get to the CA server located on the inside of the firewall? That doesn't make sense?
Any advice much appreciated. If there's a guide building this from scratch, that'd be even better!! Most of the guides only show you how to configure SCEP on the ASA, not how to build the rest of the setup including the client and CA server
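For reference, the ASA-side pieces that steps 3 and 4 above correspond to, written out as CLI. This is an added illustrative fragment, not configuration from the poster or from Cisco documentation for this thread; the group-policy and tunnel-group names (GP-ANYCONNECT, TG-ANYCONNECT) and the AAA server group are assumed placeholders, and the SCEP URL is the same http://x.x.x.x:80 value the poster mentions. With SCEP proxy the client never talks to the CA itself: it sends its enrollment request to the ASA inside the SSL session, and the ASA forwards it to the CA, so the CA can stay on the inside of the firewall as long as the ASA can reach it.

```cisco
! Trustpoint the ASA enrolled with (already done in the poster's lab)
! and its identity certificate bound to the outside interface (step 1).
ssl trust-point ASA-TRUSTPOINT outside

! Step 3: group policy tells the ASA where to forward the client's SCEP request.
! The client never contacts this URL directly when SCEP proxy is in use.
group-policy GP-ANYCONNECT attributes
 scep-forwarding-url value http://x.x.x.x:80
 webvpn
  anyconnect profiles value ANYCONNECT-PROFILE type user

! Step 2: connection profile requires a certificate plus AAA (local DB here),
! and step 4's client-side enrollment is enabled on the ASA side with scep-enrollment.
tunnel-group TG-ANYCONNECT general-attributes
 default-group-policy GP-ANYCONNECT
 authentication-server-group LOCAL
tunnel-group TG-ANYCONNECT webvpn-attributes
 authentication aaa certificate
 scep-enrollment enable
 group-alias TG-ANYCONNECT enable

! Checks worth running while troubleshooting the poster's error:
!   show crypto ca certificates      - confirm the ASA identity cert and CA cert are both present
!   show ssl                         - confirm the outside interface is serving the new trustpoint
!   show vpn-sessiondb anyconnect    - confirm whether the session gets past authentication
```

Note the ordering this implies for a fresh client: the first connection needs a fallback path, because the client has no certificate yet until the proxied enrollment completes. In the AnyConnect client profile, the CertificateEnrollment section must point at the ASA (the AutomaticSCEPHost entry, host plus group alias), not at the CA URL, for proxy mode; pointing the client at the CA directly is the legacy, non-proxied mode and is the reason the poster needed the CA reachable from outside. Whether the client trusts the ASA's identity certificate (the CA cert installed in the client's trust store) is a separate check from enrollment and is what the "cannot confirm it is connected to your secure gateway" message concerns.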