IPSec Certificates Validation Failure

Hi

I am attempting to establish a site to site VPN with a partner using ASA5515-X v9.1.

 

We are using IKEv1, to be old school, and we are using my organization's Microsoft 2012 CA to sign the certs and establish trustpoints on both devices.

My device is failing to complete Phase 1 negotiations as the certificate validation of the peer device cert fails due to the extended key usage values generated when signing that certificate.

We have used the offline IPSec template built into MS Certificate Services to sign the certs, which I have seen referenced in a number of Cisco documents on CCO for such purposes.

Can anyone please advise the correct Extended Key Usage OIDs I need to pass validation, bearing in mind I also want to use the same cert for AnyConnect IPSec IKEv2 connections? I can then update the template. To be clear, I want to do full validation of the certs; I am aware of workarounds but need strict validation.

I have seen the following elsewhere on the Web:

clientAuth 1.3.6.1.5.5.7.3.2
ipsecEndSystem 1.3.6.1.5.5.7.3.5
ipsecTunnel 1.3.6.1.5.5.7.3.6
ipsecUser 1.3.6.1.5.5.7.3.7
ipsecIntermediate

Thanks, Paul
1 REPLY
So, as no one responded, I created a cert with as many of the Enhanced Key Usage OIDs as I could and debugged crypto ca, ca messages, and ca transactions, and found the following OID was acceptable (see the text below, taken from http://msdn.microsoft.com/en-us/library/windows/desktop/aa378132(v=vs.85).aspx).

I have now copied the MS IPSec Offline template and edited this to include IP Security Tunnel Termination. I have also either added (or just checked that) the (Offline) IPsec template contained Server Authentication and IP Security Intermediate. I believe these are needed for ASDM and AnyConnect, based on a couple of Cisco documents, though I am not 100% sure.

Using this template to sign my certificate, I now have a certificate that passes strict key usage checking on my ASA5515-X and that I can use for ASDM SSL access, LAN-to-LAN IKEv1 IPsec tunnels and IKEv2 IPsec AnyConnect authentication. My CA was built on Windows Server 2012.

IPSEC_TUNNEL (1.3.6.1.5.5.7.3.6)
The certificate can be used for signing IPSEC communication in tunnel mode.
Hope this helps someone as it was not clear from any of the Cisco documentation I could find.
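An added example, not from either post above and not Cisco or Microsoft code: a stdlib-only Python round trip for the X.509 extendedKeyUsage (EKU) extension value, so you can encode a set of EKU OIDs, decode what a CA actually put in a certificate, and check whether the list contains the OID the reply found the ASA accepts for an IKE peer (ipsecTunnel, 1.3.6.1.5.5.7.3.6). The two sample EKU sets at the bottom are constructed for illustration and are not copied from any Microsoft template; the OID 1.3.6.1.5.5.8.2.2 is the one Microsoft assigns to "IP security IKE intermediate", which the thread refers to only by name.

```python
"""Added example: DER encode/decode of the X.509 extendedKeyUsage value and a
strict-validation check for the ipsecTunnel OID.  Not code from the thread."""
from typing import List, Optional, Tuple

# EKU OIDs named in the thread, plus Microsoft's IP security IKE intermediate.
EKU_NAMES = {
    "1.3.6.1.5.5.7.3.1": "serverAuth",
    "1.3.6.1.5.5.7.3.2": "clientAuth",
    "1.3.6.1.5.5.7.3.5": "ipsecEndSystem",
    "1.3.6.1.5.5.7.3.6": "ipsecTunnel",
    "1.3.6.1.5.5.7.3.7": "ipsecUser",
    "1.3.6.1.5.5.8.2.2": "ipsecIKEIntermediate",
}
IPSEC_TUNNEL = "1.3.6.1.5.5.7.3.6"


def _encode_length(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(oid: str) -> bytes:
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in oid.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # base-128, high bit = continues
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return b"\x06" + _encode_length(len(body)) + bytes(body)


def encode_eku(oids: List[str]) -> bytes:
    """EKU extension value: SEQUENCE OF OBJECT IDENTIFIER (RFC 5280 4.2.1.12)."""
    body = b"".join(encode_oid(o) for o in oids)
    return b"\x30" + _encode_length(len(body)) + body


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                            # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents back to dotted form."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs = [value[0] // 40, value[0] % 40]       # valid for first arc 0, 1 or 2.0-2.39
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_eku(der: bytes) -> List[str]:
    """Parse an EKU extension value into its list of dotted OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE member is not an OID")
        oids.append(decode_oid(value))
    return oids


def eku_allows(eku_der: Optional[bytes], required_oid: str) -> bool:
    """An absent EKU extension restricts nothing (RFC 5280); a present one
    must list the required purpose for strict checking to pass."""
    if eku_der is None:
        return True
    return required_oid in parse_eku(eku_der)


if __name__ == "__main__":
    # Constructed samples (hypothetical, not copied from any CA template):
    # "before" lacks ipsecTunnel, "after" adds it as the reply describes.
    before = encode_eku(["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.8.2.2"])
    after = encode_eku(["1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.8.2.2", IPSEC_TUNNEL])
    for label, der in (("before", before), ("after", after)):
        names = [EKU_NAMES.get(o, o) for o in parse_eku(der)]
        print(f"{label}: {der.hex()} -> {names}; "
              f"ipsecTunnel present: {eku_allows(der, IPSEC_TUNNEL)}")
```

To run this against a real certificate, extract the DER value of the 2.5.29.37 extension (for example with openssl's asn1parse on the certificate) and pass it to parse_eku; the decoder only handles the EKU value itself, not a whole certificate.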
