I am attempting to establish a site-to-site VPN with a partner using ASA5515-X v9.1.
We are using IKEv1 to be old school, and we are using my organization's Microsoft 2012 CA to sign the certs and establish Trust Points on both devices.
My device is failing to complete Phase 1 negotiations, as the certificate validation of the peer device's cert fails due to the extended usage keys generated when signing that certificate.
We have used the offline IPSec template built into MS Certificate Services to sign the certs, which I have seen referenced in a number of Cisco documents on CCO for such purposes.
Can anyone please advise the correct Extended Key Usage OIDs I need to pass validation, bearing in mind I also want to use the same cert for AnyConnect IPSec IKEv2 connections as well. I can then update the template. To be clear, I want to do full validation of the certs; I am aware of workarounds but need strict validation.
I have now copied the MS IPSec Offline template and edited this to include IP Security Tunnel Termination. I have also either added (or just checked) that the (Offline) IPsec template contained Server Authentication & IP Security Intermediate. I believe these are needed for ASDM and AnyConnect from a couple of Cisco documents (not 100% sure).
Using this template to sign my certificate, I now have a certificate that passes strict key usage checking on my ASA5515-X and that I can use for ASDM SSL access, LAN-to-LAN IKEv1 IPSEC tunnels and IKEv2 IPSec AnyConnect authentication. My CA was built on Windows Server 2012.
The certificate can be used for signing IPSEC communication in tunnel mode.
Hope this helps someone, as it was not clear from any of the Cisco documentation I could find.
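As an added check (example code, not from the original post, Cisco or Microsoft), the following Python decodes the DER value of a certificate's Extended Key Usage extension with only the standard library and reports which of the three EKUs settled on above are missing. The OID values for those Windows template names are the standard PKIX/Microsoft OIDs, assumed here rather than taken from the post, and the sample DER bytes are constructed.

```python
# Added example, not from the original post: decode an X.509 Extended Key
# Usage (EKU) extension value and report which of the EKUs the post settled
# on are missing. OID-to-name mapping is assumed (standard PKIX values).
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "Server Authentication",
    "1.3.6.1.5.5.7.3.6": "IP Security Tunnel Termination",
    "1.3.6.1.5.5.8.2.2": "IP Security IKE Intermediate",
}
# The three EKUs the post ended up with for ASDM SSL, L2L IKEv1 and AnyConnect IKEv2.
WANTED = set(EKU_NAMES)

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                     # base-128, high bit = continue
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def parse_eku(der):
    """Return the list of dotted OIDs inside an EKU extension value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, content, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER in EKU")
        oids.append(decode_oid(content))
    return oids

def missing_ekus(der):
    """Names of the wanted EKUs that the extension does not carry."""
    return sorted(EKU_NAMES[o] for o in WANTED - set(parse_eku(der)))

# Constructed samples (not real certificates): an EKU carrying only
# IKE Intermediate, and one carrying all three EKUs from the post.
IKE_ONLY_EKU = bytes.fromhex("300a 0608 2b06010505080202")
FULL_EKU = bytes.fromhex(
    "301e 0608 2b06010505070301 0608 2b06010505070306 0608 2b06010505080202")
```

Feed it the raw extension bytes pulled from a real certificate with any ASN.1 dump tool; the parser only needs the EKU value, not the whole certificate.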