Remote Access VPN using RSA ID

parveesm123
Level 1

I want to configure remote access VPN using RSA ID.

i.e., instead of the key command, I want the client to enter the RSA ID. Is this possible? If yes, could someone help me out, please.

I am in a bit of urgency for this; my management gave me this as an urgent requirement :-(

I am using a 6500 switch with an IPSEC/VPN accelerator module.

13 Replies

ggilbert
Cisco Employee

Is your requirement to use certificates instead of a pre-shared key? Is that what you are trying to do?

Are you trying to build a site-to-site tunnel or a remote access connection?

What kind of CA server are you going to use?

Let me know, I can give you some documentation.

Thanks,

Gilbert

Hi Gilbert,

I'm having a similar issue in my setup.

Is it possible to set up a remote access VPN using a self-signed certificate from the ASA?

If that is not possible, can you point me to some documentation on the fastest way to configure it?

Thanks

Hi Perkom,

No - you cannot use the self-signed certificate on the ASA for remote access VPN connections. You have to use a CA server for that purpose.

A self-signed certificate can be used only for webvpn/SSL VPN connections, for validation.

The easiest way to configure a remote access VPN connection is to use the VPN wizard on the ASDM. It guides you through the step-by-step process.

Here is the configuration example for that.

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008060f25c.shtml

Hope this is what you are looking for.

Rate this post, if it helps.

Cheers

Gilbert

Hi Gilbert,

Thank you for your help.

I'd really appreciate it.

I'm planning to use a Win 2003 CA Server, but I can't find the guide on how to configure the CA Server. Do you know where I can find those references?

best regards,

Sab

Sab,

Google search revealed this.

http://www.tacteam.net/isaserverorg/vpnkitbeta2/installstandaloneca.htm

Rate this post if it helps.

Cheers

Gilbert

Hi Gilbert,

Thanks for your assistance. I'm currently developing the CA Server now

and following the instructions from the web page, but when I try to authenticate there was some error.

What is the possible cause here? Perhaps you can point me in some direction :)

Best regards,

Sab

pdirect(config)# crypto ca authenticate cert
Crypto CA thread wakes up!
CRYPTO_PKI: Sending CA Certificate Request:
GET /CertSrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=cert HTTP/1.0
CRYPTO_PKI: http connection opened
INFO: Certificate has the following attributes:
Fingerprint: 406e5696 459ecc7a e174e6ad 781e0cfd
Do you accept this certificate? [yes/no]: Crypto CA thread sleeps!
yes
% CA Cert not yet valid or is expired -
start date: 12:19:37 JAVT May 26 2007
end date: 12:28:13 JAVT May 26 2012
% Error in saving certificate: status = FAIL
pdirect(config)#
CRYPTO_PKI: status = 65535: failed to insert CA cert
pdirect(config)#

Sab,

What kind of CA server is it that you are using?

Can you please send me the information that you have configured for the CA server before authenticating to the server?

Awaiting your response.

Cheers

Gilbert

Hi Gilbert,

I've configured a new 2003 Server and the CA Server, and also installed the SCEP Add-on on this server.

But the ASA seems to fail to authenticate the CA even though I've followed all the instructions here: http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a008073b12b.shtml#maintask1

The error message is in my previous message in this thread.

I suspect the CA configuration needs a little bit of fine-tuning.

But I can't find any guide on how to fine-tune the 2003 CA Server to match the Cisco ASA.

Do you have any hints for me :)

best regards,

Sab

Sab,

Sorry for the delayed response.

Can you please send me the output of

sh run | begin crypto ca trustpoint

Thanks

Gilbert

Hi Gilbert,

That's okay, I understand.

The authentication issue is fixed now.

I configured the ASA and CA server using NTP.

I think the Cisco guide shouldn't put OPTIONAL on the ASA_Cert.pdf guide.

I found that NTP is mandatory for this configuration.

Right now I can successfully configure the manual authentication and manual enrollment.

But I still can't import the PKCS#12 from the ASA to the VPN Client.

Can I use manual certificate authentication and enrollment in my configuration?

Thanks
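The two checks the ASA performs during "crypto ca authenticate", as shown in the debug output earlier in this thread, are an out-of-band fingerprint comparison and a validity-window check against the device clock; the second is what failed until NTP was configured. The following is an added example, not code from the thread or from Cisco, that reproduces both checks in Python so the failure mode is easy to see. It assumes the ASA fingerprint is the MD5 of the DER-encoded certificate (the 32 hex digits shown match an MD5 digest), that JAVT is UTC+7, and uses a constructed byte string in place of a real certificate.

```python
"""Reproduce the ASA's CA-authentication checks: fingerprint match and validity window.

Added example (not Cisco code). Assumptions, labelled as such:
  - the ASA fingerprint is MD5 over the DER certificate (32 hex digits in the thread);
  - JAVT in the debug output is UTC+7;
  - CONSTRUCTED_DER stands in for a real CA certificate.
"""
import hashlib
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

# Assumed timezone abbreviations used in ASA clock output.
TZ_OFFSETS_HOURS = {"UTC": 0, "JAVT": 7}

# Constructed stand-in for the DER bytes the CA would return (not a real certificate).
CONSTRUCTED_DER = b"constructed stand-in for a DER-encoded CA certificate"


def scep_get_ca_cert_path(base_path="/certsrv/mscep/mscep.dll", ca_ident="cert"):
    """Build the SCEP GetCACert request path the ASA sends (see the GET line in the debug)."""
    query = urlencode({"operation": "GetCACert", "message": ca_ident})
    return f"{base_path}/pkiclient.exe?{query}"


def asa_fingerprint(der_bytes):
    """MD5 of the DER certificate, printed as four 8-hex-digit groups like the ASA does."""
    hexdigest = hashlib.md5(der_bytes).hexdigest()
    return " ".join(hexdigest[i:i + 8] for i in range(0, 32, 8))


def fingerprints_match(shown, expected):
    """Compare the fingerprint the device shows with the one obtained out of band."""
    normalize = lambda s: s.replace(" ", "").lower()
    return normalize(shown) == normalize(expected)


def parse_asa_time(text):
    """Parse a date as printed by the ASA, e.g. '12:19:37 JAVT May 26 2007'."""
    clock, tz, month, day, year = text.split()
    naive = datetime.strptime(f"{clock} {month} {day} {year}", "%H:%M:%S %b %d %Y")
    return naive.replace(tzinfo=timezone(timedelta(hours=TZ_OFFSETS_HOURS[tz])))


def ca_cert_status(device_now, not_before, not_after):
    """Validity-window check exactly as the ASA applies it: against the device's own clock."""
    if device_now < not_before:
        return "not yet valid"
    if device_now > not_after:
        return "expired"
    return "valid"


def authenticate_ca(der_bytes, expected_fingerprint, device_now, not_before, not_after):
    """Return (accepted, reason) for the CA certificate the device just downloaded."""
    shown = asa_fingerprint(der_bytes)
    if not fingerprints_match(shown, expected_fingerprint):
        return False, f"fingerprint mismatch: device shows {shown}"
    status = ca_cert_status(device_now, not_before, not_after)
    if status != "valid":
        return False, f"% CA Cert not yet valid or is expired ({status})"
    return True, "CA certificate accepted"


if __name__ == "__main__":
    # Validity window copied from the debug output in this thread.
    start = parse_asa_time("12:19:37 JAVT May 26 2007")
    end = parse_asa_time("12:28:13 JAVT May 26 2012")
    trusted_fp = asa_fingerprint(CONSTRUCTED_DER)  # obtained from the CA admin out of band
    # An unsynchronised device clock (constructed value) falls before notBefore.
    skewed = datetime(1993, 1, 1, tzinfo=timezone.utc)
    synced = datetime(2007, 6, 1, tzinfo=timezone.utc)
    print(scep_get_ca_cert_path())
    print(authenticate_ca(CONSTRUCTED_DER, trusted_fp, skewed, start, end))
    print(authenticate_ca(CONSTRUCTED_DER, trusted_fp, synced, start, end))
```

The point of the skewed-clock case is that the certificate itself is fine; only the device's idea of "now" is wrong, which is why synchronising the ASA and the CA with NTP resolves the error without touching the CA. The fingerprint step is the one a defender should never skip: comparing the displayed fingerprint with one obtained directly from the CA administrator is what prevents trusting a substituted CA certificate.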

Sab,

For the VPN client, you have to get the certificate directly from the CA server itself, not from the ASA.

Cheers

Gilbert

Can I use the manual request (http://certserver/certsrv)? Or do I have to use the SCEP method (http://certserver/certsrv/mscep/mscep.dll)?

I'm planning to roll out the certificate into the client's installation CD.

So we don't need to re-request a certificate every time we create a new one.

Thanks a lot.

What I would do is just get the CA certificate (root certificate) from the CA server and then package my client.

So, when the user gets the CD, the root certificate is already there, but they just need to access the CA server and get their own user certificate.

Or you can just package the client and give the user the URL http://certserver/mscep..... information and instructions on how to get the certificate.

Cheers

Gilbert
