ASA - Site to Site with Self-signed Certificates

chris-lawrence
Level 1

Team,

ASA version 9.1(3), ASDM 7.1(4) on 5505.

I've got a pair of Cisco ASA 5505's that I am trying to establish a tunnel between. I can make it all work with PSK: IKEv2 with AES256 IPsec. No issues...

However, I have been told that I can self-sign certificates and use those to authenticate each firewall to the other. I have been trying for hours, generating certs in all combinations and options, exporting the P12's into the other firewall and adding them in. No problems there.

I have self signed all the certs so there is no CA.

Then I go back into the connection profile and remove the PSK - flip over to RSA-SIG in the IKE Policy.

Does anyone have this working with the ASA version I am running, and would you care to share your configuration snippets, especially how you created the keypair, self-signed it, exported it, and added it to the adjacent firewall?

I don't want to use PSK for authentication.

Help!

Accepted Solution

I have never used it that way without a CA, so I can't guarantee that it will work, but one thing is often forgotten with digital certificates: have you assigned the ID cert in the crypto map?

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni


3 Replies

Hi,

I believe I have. This is what I have done...

ASA #1
======

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer aaa.bbb.ccc.ddd
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
crypto map outside_map 1 set trustpoint ASDM_TrustPoint0
crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=asa1.domain.com
 keypair Site2SiteVPN
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 keypair ASDM_TrustPoint1
 crl configure
crypto ca trustpool policy

crypto ca certificate chain ASDM_TrustPoint0
 certificate 807d4
  quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate 687d4
  quit

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 20

ASA #2
======

crypto map outside_map 1 match address outside_cryptomap
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer eee.fff.ggg.hhh
crypto map outside_map 1 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map 1 set ikev2 ipsec-proposal AES256
crypto map outside_map 1 set trustpoint ASDM_TrustPoint0
crypto map outside_map interface outside

crypto ca trustpoint ASDM_TrustPoint0
 enrollment self
 subject-name CN=asa2.domain.com
 keypair Site2SiteVPN
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment self
 keypair ASDM_TrustPoint1
 crl configure
crypto ca trustpool policy

crypto ca certificate chain ASDM_TrustPoint0
 certificate 687d4
  quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate 807d4
  quit

crypto ikev2 policy 1
 encryption aes-256
 integrity sha
 group 5
 prf sha
 lifetime seconds 86400
crypto ikev2 enable outside
crypto ikev1 enable outside
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400

What I am pulling from the log file:

%ASA-3-717021: Certificate data could not be verified. Locate Reason: reason_string serial number: serial number, subject name: subject name, key length key length bits.

An attempt to verify the certificate that is identified by the serial number and subject name was unsuccessful for the specified reason. When verifying certificate data using the signature, several errors can occur that should be logged, including invalid key types and unsupported key size.

reason_string—The reason that the certificate cannot be verified

serial number—Serial number of the certificate that is being verified

subject name—Subject name included in the certificate that is being verified

key length—The number of bits in the key used to sign this certificate
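Added example, not code from the thread: a small Python parser for the %ASA-3-717021 message template quoted above, run over constructed sample syslog lines, that pulls out the reason, serial number, subject name and key length and flags key sizes below an assumed 2048-bit threshold (one of the "unsupported key size" causes the description mentions). The sample lines and the threshold are assumptions for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines (values are made up, not from the thread).
SAMPLE_LOG = """\
%ASA-3-717021: Certificate data could not be verified. Locate Reason: Certificate not found serial number: 807D4, subject name: CN=asa2.domain.com, key length 2048 bits.
%ASA-3-717021: Certificate data could not be verified. Locate Reason: Unsupported key size serial number: 1A2B, subject name: CN=oldbox.domain.com, key length 512 bits.
%ASA-6-602303: IPSEC: An outbound LAN-to-LAN SA (SPI= 0x1234ABCD) between 192.0.2.1 and 198.51.100.2 (user= 198.51.100.2) has been created.
"""

# Field layout follows the 717021 template: reason, serial number,
# subject name, key length in bits. Subject names may contain commas,
# so the subject match is lazy and stops at ", key length".
PATTERN = re.compile(
    r"%ASA-3-717021: Certificate data could not be verified\. Locate Reason: "
    r"(?P<reason>.+?) serial number: (?P<serial>[^,]+), "
    r"subject name: (?P<subject>.+?), key length (?P<bits>\d+) bits\.?"
)

MIN_RSA_BITS = 2048  # assumed local policy threshold for flagging weak peer keys


def parse_717021(log_text):
    """Return one dict per 717021 event with the four template fields plus a weak-key flag."""
    events = []
    for line in log_text.splitlines():
        m = PATTERN.search(line)
        if not m:
            continue  # other syslog IDs are ignored
        ev = m.groupdict()
        ev["bits"] = int(ev["bits"])
        ev["weak_key"] = ev["bits"] < MIN_RSA_BITS
        events.append(ev)
    return events


def failures_by_subject(events):
    """Count verification failures per peer subject, to spot a peer cert that is never accepted."""
    return Counter(ev["subject"] for ev in events)


if __name__ == "__main__":
    evs = parse_717021(SAMPLE_LOG)
    for ev in evs:
        flag = " (weak key)" if ev["weak_key"] else ""
        print(f'{ev["subject"]}: {ev["reason"]} serial={ev["serial"]} {ev["bits"]} bits{flag}')
    print(failures_by_subject(evs))
```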

Hello Everyone,

I opened a TAC case with Cisco. Don't believe what you hear in the public domain: Cisco advises that you cannot use self-signed certificates to authenticate with. Nor can you use the built-in CA to do it either.

A third party CA is all you can do.

This kind of makes sense, because what is the reason you would go to certificates anyway? So that you can third-party authenticate your peer, and also, if there is a compromise of a peer, revoke its certificate so it becomes untrusted.

Therefore, don't waste your time like I did, because it doesn't work.

Have a nice day and happy computing!

Chris