I want to configure remote access VPN using RSA ID.
i.e., instead of the key command, I want the client to enter the RSA ID. Is this possible? If yes, then could someone help me out, please?
I am in a bit of urgency for this; my management gave me this as an urgent requirement :-(
I am using a 6500 switch with the IPSEC/VPN accelerator module.
Is your requirement to use certificates instead of pre-shared key, is that what you are trying to do?
Are you trying to build a site to site tunnel or a remote access connection?
What kind of a CA server are you going to use?
Let me know, I can give you some documentation.
I'm having a similar issue in my setup.
Is it possible to set up a remote access VPN using a self-signed certificate from the ASA?
If that is not possible, can you point me to some documentation on the fastest way to configure it?
No - you cannot use the self-signed certificate on the ASA for remote access VPN connections. You have to use a CA server for that purpose.
A self-signed certificate can be used only for the purpose of webvpn/SSL VPN connections for validation.
The easiest way to configure a remote access VPN connection is to use the VPN wizard on the ASDM. It guides you through the step-by-step process.
Here is the configuration example for that.
Hope this is what you are looking for.
Rate this post, if it helps.
Thank you for your help.
I'd really appreciate it.
I'm planning to use a Win 2003 CA Server, but I can't find a guide on how to configure the CA Server. Do you know where I can find those references?
Google search revealed this.
Rate this post if it helps.
Thanks for your assistance. I'm currently setting up the CA Server now
and following the instructions from the web page, but when I tried to authenticate there was an error.
What is the possible cause here? Perhaps you can point me in some direction :)
pdirect(config)# crypto ca authenticate cert
Crypto CA thread wakes up!
CRYPTO_PKI: Sending CA Certificate Request:
GET /CertSrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=cert HTTP/1.0
CRYPTO_PKI: http connection opened
INFO: Certificate has the following attributes:
Fingerprint: 406e5696 459ecc7a e174e6ad 781e0cfd
Do you accept this certificate? [yes/no]: Crypto CA thread sleeps!
% CA Cert not yet valid or is expired -
start date: 12:19:37 JAVT May 26 2007
end date: 12:28:13 JAVT May 26 2012
% Error in saving certificate: status = FAIL
CRYPTO_PKI: status = 65535: failed to insert CA cert
What kind of a CA server is it that you are using?
Can you please send me the information that you have configured for the CA server before authentication to the server?
Awaiting your response.
I've configured a new 2003 Server and the CA Server, and also installed the SCEP Add-on on this server.
But the ASA seems to fail to authenticate the CA even though I've followed all the instructions here http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008073b12b.shtml#maintask1
The error message is in my previous message in this thread.
I suspect the CA configuration needs a little bit of fine-tuning.
But I can't find any guide on how to fine-tune a 2003 CA Server to match the Cisco ASA.
Do you have any hints for me :)
That's okay, I understand.
Currently the authentication issue is fixed now.
I configured the ASA and CA server using NTP.
I think the Cisco guide shouldn't put OPTIONAL on the ASA_Cert.pdf guide.
I found that NTP is mandatory for this configuration.
Right now I can successfully configure the manual authentication and manual enrollment.
But I still can't import the PKCS#12 from the ASA to the VPN Client.
Can I use manual certificate authentication and enrollment in my configuration?
What I would do is, just get the CA certificate (Root certificate) from the CA server and then package my client.
So, when the user gets the CD, the root certificate is already there, but they just need to access the CA server and get their own user certificate.
Or you can just package the client and give the user the URL http://certserver/mscep.....
information and instructions on how to get the certificate.
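
Added example (not part of the thread, and not Cisco's code): the "CA Cert not yet valid or is expired" failure quoted earlier, which the poster resolved by syncing the ASA and the CA server with NTP, can mean the clock is on either side of the validity window. This sketch parses the start and end dates from that debug output and compares them with a device clock reading; the clock strings, the function names, and the requirement that all timestamps share one zone label are assumptions made for illustration.

```python
import re
from datetime import datetime

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
# hh:mm:ss[.frac] ZONE [Weekday] Mon D YYYY, the layout used in the thread's output
STAMP = re.compile(r"(\d{2}):(\d{2}):(\d{2})(?:\.\d+)?\s+(\S+)\s+"
                   r"(?:[A-Z][a-z]{2}\s+)?([A-Z][a-z]{2})\s+(\d{1,2})\s+(\d{4})")

# Validity lines copied from the debug output quoted in the thread.
DEBUG_OUTPUT = """\
% CA Cert not yet valid or is expired -
start date: 12:19:37 JAVT May 26 2007
end date: 12:28:13 JAVT May 26 2012
"""
# Constructed clock readings (assumption): an unsynced device, then one after NTP sync.
CLOCK_UNSYNCED = "08:00:00.000 JAVT Mon Jan 1 2007"
CLOCK_SYNCED = "13:00:00.000 JAVT Sat May 26 2007"

def parse_stamp(text):
    """Return (naive datetime, zone label) for the first timestamp in text."""
    m = STAMP.search(text)
    if not m or m.group(5) not in MONTHS:
        raise ValueError(f"no timestamp in {text!r}")
    hh, mm, ss, zone, mon, day, year = m.groups()
    return datetime(int(year), MONTHS[mon], int(day),
                    int(hh), int(mm), int(ss)), zone

def diagnose(debug_output, device_clock):
    """Return (verdict, gap): which side of the validity window the clock is on."""
    stamps = {}
    for line in debug_output.splitlines():
        key = line.strip().split(":", 1)[0]
        if key in ("start date", "end date"):
            stamps[key] = parse_stamp(line)
    if len(stamps) != 2:
        raise ValueError("need both 'start date' and 'end date' lines")
    (start, z1), (end, z2) = stamps["start date"], stamps["end date"]
    now, z3 = parse_stamp(device_clock)
    if not z1 == z2 == z3:  # simplification: no zone conversion is attempted
        raise ValueError("timestamps use different zones; convert them first")
    if now < start:
        return "not yet valid", start - now   # clock is behind the CA
    if now > end:
        return "expired", now - end           # clock is ahead, or cert is old
    return "valid", None

if __name__ == "__main__":
    for clock in (CLOCK_UNSYNCED, CLOCK_SYNCED):
        print(clock, "->", diagnose(DEBUG_OUTPUT, clock))
```

A "not yet valid" verdict with a gap of weeks or months points at an unset device clock rather than a problem with the CA certificate itself.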