IPSec RemoteAccess VPN with Local CA

Hi guys,

I have IPSec RemoteAccess VPN with local EAP authentication up and running, but I want to additionally protect it with certificates. I guess it is called "mutual authentication". I have several questions at this point:

1) Can I use the Local CA feature built into the ASA to issue and manage certificates for IPSec Remote Access VPN? The point is that the manual states that "The local CA provides a certificate authority on the adaptive security appliance for use with SSL VPN connections, both browser- and client-based" and I've been wondering if it means that Local CA is not suitable for IPSec VPNs and I would have to use an external CA. Is it correct?

2) I've tried to enable Local CA at ASA. When I got an enrollment link, which is I guess used to get the identity certificate from the CA, I clicked on the link https://x.x.x.x/+CSCOCA+/enroll.html and got a login request. I tried to log in with the user credentials used to issue an identity certificate (username and password) but got the login screen back. I was able to proceed further only with ASA administrator credentials, not certificate user ones. But even when I logged into this link with ASA administrator account details I got a 404 error stating that "The requested URL /admin/ CSCOCA /enroll.html was not found on this server." I'm not sure if I am doing all correctly, so please point me to what I am doing wrong.

3) If there is no way to get Local CA working (or Local CA is not suitable for IPSec-based RemoteAccess VPNs) I can generate CA and identity certificates on an external CA host (Linux based). Then I can import the CA root and identity certificates both on ASA and clients and hopefully get it up and running. BUT! How would I control revocation of the certificates made on the external CA? Potentially, I would have a CRL from the external CA, but I have no idea how to attach it to ASA to let it know that particular certificates have been revoked (like when an employee is fired or something and should not be allowed to access the VPN anymore).

Thanks in advance.

7 Replies

Marcin Latosiewicz
Cisco Employee

Sergey,

Yes (technically speaking) local CA can be used to authenticate IPsec peers, but it requires a bit more effort, and as far as I understand it is not officially supported since it was never meant to work together.

The credentials you're supposed to use when enrolling to Local CA come in an email ASA sends, that's why it's a required step to configure SMTP.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/cert_cfg.html

Regarding CRL, you can always point to any place when generating certificates (via CDP) or when the certs are already cooked via CRL override (at least in case of IOS).

If you have an IOS router - it can be your CA.

Marcin

Hi Marcin,

Thanks for your reply.

I guess, I won't have it working with Local CA...

Btw, regarding the credentials I've tried to enter while I was getting the identity certificate from Local CA - yes, I've tried to enter the ones I got from the enrollment letter (meaning I did have SMTP details configured). But it didn't succeed. I wasn't able to log in with the details from the enrollment e-mail, only with the local username and password that I used to access ASDM\console.

Maybe I missed something with CRL but I thought that the ASA side should have this to control which remote certificate is allowed to log in. Let's say I have an external CA, I have a CRL on it and can revoke and issue identity certificates for the remote end. The revocation list is stored on the external CA. At ASA itself I have only the root CA certificate and ASA's identity certificate. At the remote site I have the root CA certificate and the client's identity certificate. I just don't understand how ASA would guess if for example a particular certificate has been revoked if this information is stored at the external CA and there is no way (at least I haven't been able to find any configuration field for it in ASDM) to point ASA to this CRL file to make it aware of these operations.

Sorry, if I am asking about some well-known stuff.

Thanks in advance.

Sergey,

It's odd about the authentication failing.

I would check some debugs if you're interested in pursuing this avenue.

Regarding CRL - each identity certificate should have a CRL/CDP specified in it. Attaching certificate from forums for reference.

You check validity per received certificate. The CRL/CDP can be external to the server itself or stored on the server, it's up to whoever designs the particular PKI system.

Marcin
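As an added example (not from the thread or from Cisco), this script builds the external Linux CA discussed in the question and this reply with openssl: it issues a VPN user certificate that carries a CDP, publishes a CRL, then revokes the user. cert_status performs the check an ASA does per received certificate when its trustpoint is set to validate against a CRL; the CDP URL and all names are constructed placeholders and nothing is fetched from the network.

```shell
# Added example, not from the thread: a throw-away external CA built with openssl
# that issues a VPN user certificate with a CDP, publishes a CRL, then revokes the
# user. cert_status is the per-certificate chain + CRL check an ASA performs.
set -eu
CDP_URL="http://crl.example.invalid/ca.crl"   # assumed placeholder, never fetched
setup_pki() (          # $1 = empty working directory
    cd "$1"
    touch index.txt; echo 1000 > crlnumber
    cat > ca.cnf <<EOF
[ca]
default_ca = myca
[myca]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 7
[cdp]
crlDistributionPoints = URI:$CDP_URL
EOF
    # Root CA; only its certificate would be imported on the ASA and the clients
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=Example Root CA" -keyout ca.key -out ca.crt 2>/dev/null
    # Identity certificate for one VPN user, with the CDP extension embedded
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn-user1" \
        -keyout user.key -out user.csr 2>/dev/null
    openssl x509 -req -in user.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -days 30 -sha256 -extfile ca.cnf -extensions cdp -out user.crt 2>/dev/null
    # First CRL: nobody revoked yet
    openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -gencrl -out ca.crl 2>/dev/null
)
revoke_user() (        # $1 = working directory; the "employee fired" case
    cd "$1"
    openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -revoke user.crt 2>/dev/null
    openssl ca -config ca.cnf -keyfile ca.key -cert ca.crt -gencrl -out ca.crl 2>/dev/null
)
# CDP URI carried by a certificate: where a verifier would fetch the CRL from
cdp_of() { openssl x509 -in "$1" -noout -text | grep -o 'URI:[^ ]*' | head -n 1; }
# good = chains to the CA and serial is not on the CRL; rejected = verify failed
cert_status() {        # $1 = ca.crt  $2 = ca.crl  $3 = certificate to check
    if openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1
    then echo good; else echo rejected; fi
}
WORK=$(mktemp -d)
setup_pki "$WORK"
echo "CDP in user cert: $(cdp_of "$WORK/user.crt")"
echo "before revocation: $(cert_status "$WORK/ca.crt" "$WORK/ca.crl" "$WORK/user.crt")"
revoke_user "$WORK"
echo "after revocation: $(cert_status "$WORK/ca.crt" "$WORK/ca.crl" "$WORK/user.crt")"
```

On a real deployment the CRL is published at the CDP URL and the ASA trustpoint is configured to fetch it from there (or from an overriding URL), so revoking a user on the external CA is enough to make the next connection fail.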

Ok, I'd been struggling with Local CA for a couple of days until I finally decided to go for an external one.

I got it up and running with external Microsoft 2008 Server based CA. Thanks a lot for your help.

PS: The thing which is very weird for me is: why is Local CA still present in the ASDM interface and official configuration guides if it is not supported?

Sergey,

I think my phrasing was incorrect, not a native speaker :-)

We support and developed local CA for SSL VPN only not for IPsec.

Marcin

AVSSYSTEME
Level 1

Regarding point 2)

I've had the same problem once.

I had to open the webvpn portal:

ciscoasa(config)# webvpn

ciscoasa(config-webvpn)# enable outside

Maybe it helps someone :-)

I have this same problem, and did what you suggested, but, from the debug,

HTTP: file not found:  CSCOCA /enroll.html

Totally lost on this one. It worked at first, then I had an issue with the wrong certificate, removed the configuration, and reloaded the ASA with a pre CA server configuration, and reapplied the CA server setup and now get the 404 not found.
