Need instruction on creating a VPN certificate

Posted on 2007-10-03
Last Modified: 2016-08-29
I need instruction on creating and authenticating a VPN certificate for an individual user, so that the certificate can be requested, issued and authenticated from outside the network. I need to know how to configure the VPN client in order to make it work with our Cisco ASA. Thanks for your help.
Question by:gman14
    LVL 79

    Expert Comment

    If you want to use Windows CA server:
    What version VPN client?
    The procedure would be basically the same with any other client. Request the cert from the CA server, download the cert and import it.
    Procedures for 4.6
    5.0 client will be same procedure as 4.6 through the VPN Client GUI interface.

    Author Comment

    Thanks about it. I actually tried what was stated on the links you had provided, but when I tried to connect with a certificate I had created, this was what I got:

    Cisco Systems VPN Client Version
    Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
    Client Type(s): Windows, WinNT
    Running on: 5.1.2600 Service Pack 2

    93     17:31:29.796  10/03/07  Sev=Info/4      CM/0x63100002
    Begin connection process

    94     17:31:29.812  10/03/07  Sev=Info/4      CM/0x63100004
    Establish secure connection using Ethernet

    95     17:31:29.812  10/03/07  Sev=Info/4      CM/0x63100024
    Attempt connection with server ""

    96     17:31:30.812  10/03/07  Sev=Info/6      IKE/0x6300003B
    Attempting to establish a connection with

    97     17:31:30.875  10/03/07  Sev=Info/4      IKE/0x63000013
    SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to

    98     17:31:30.890  10/03/07  Sev=Info/4      IPSEC/0x63700008
    IPSec driver successfully started

    99     17:31:30.890  10/03/07  Sev=Info/4      IPSEC/0x63700014
    Deleted all keys

    100    17:31:36.312  10/03/07  Sev=Info/4      IKE/0x63000021
    Retransmitting last packet!

    101    17:31:36.312  10/03/07  Sev=Info/4      IKE/0x63000013
    SENDING >>> ISAKMP OAK MM (Retransmission) to

    102    17:31:41.312  10/03/07  Sev=Info/4      IKE/0x63000021
    Retransmitting last packet!

    103    17:31:41.312  10/03/07  Sev=Info/4      IKE/0x63000013
    SENDING >>> ISAKMP OAK MM (Retransmission) to

    104    17:31:46.312  10/03/07  Sev=Info/4      IKE/0x63000021
    Retransmitting last packet!

    105    17:31:46.312  10/03/07  Sev=Info/4      IKE/0x63000013
    SENDING >>> ISAKMP OAK MM (Retransmission) to

    106    17:31:51.312  10/03/07  Sev=Info/4      IKE/0x63000017
    Marking IKE SA for deletion  (I_Cookie=9F5A9C309A965466 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

    107    17:31:51.812  10/03/07  Sev=Info/4      IKE/0x6300004B
    Discarding IKE SA negotiation (I_Cookie=9F5A9C309A965466 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

    108    17:31:51.812  10/03/07  Sev=Info/4      CM/0x63100014
    Unable to establish Phase 1 SA with server "" because of "DEL_REASON_PEER_NOT_RESPONDING"

    109    17:31:51.812  10/03/07  Sev=Info/5      CM/0x63100025
    Initializing CVPNDrv

    110    17:31:51.812  10/03/07  Sev=Info/4      IKE/0x63000001
    IKE received signal to terminate VPN connection

    111    17:31:51.828  10/03/07  Sev=Info/4      IKE/0x63000086
    Microsoft IPSec Policy Agent service started successfully

    112    17:31:51.828  10/03/07  Sev=Info/4      IPSEC/0x63700014
    Deleted all keys

    113    17:31:51.828  10/03/07  Sev=Info/4      IPSEC/0x63700014
    Deleted all keys

    114    17:31:51.828  10/03/07  Sev=Info/4      IPSEC/0x63700014
    Deleted all keys

    115    17:31:51.828  10/03/07  Sev=Info/4      IPSEC/0x6370000A
    IPSec driver successfully stopped
    LVL 79

    Accepted Solution

    Looks like issues unrelated to the certificates.
    You would have to post the complete config for analysis.
    If you are not comfortable posting directly in this forum, you can post a .txt file of the config here:
    Then post a link back here to the document.

    Author Comment

    Thanks. I have posted both the
    client debug-

    if that helps
    LVL 79

    Expert Comment

    I would need to see the complete configuration of the ASA. Can you post it up to ee-stuff?

    Author Comment

    LVL 79

    Expert Comment

    >access-list splittunnel standard permit
    You can remove this, it is not necessary to add the vpn ip pool to the list.

    >access-list combolist extended permit ip
    Is it your intent that the VPN users can only access the subnet?

    >route inside
    Does this router at have a route back to this ASA for the vpn ip pool subnet?

    From the debug:
    >All SA proposals found unacceptable

    This appears to have been fixed with the proper transform/policy match:
    >outside_dyn_map 20 set transform-set ESP-3DES-SHA
    Matches the policy, so that error message does not show up again in the debug logs.
       crypto isakmp policy 10
        authentication pre-share
        encryption 3des
        hash sha
        group 2
        lifetime 86400

    It appears that the certificate exchange is good, but something else is preventing phase1 from completing.
    I hate to say it, but I'd punt this one over to Cisco TAC and see if they can help. I just don't have enough experience at debugging using certificates....
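
Added example (not code from the thread or from Cisco): a small log classifier that encodes the two diagnoses given in this thread. The accepted answer observed that the posted client log shows a phase 1 failure unrelated to certificates (the server never answered, so R_Cookie stays all zeros), and the comment above shows the other common cause, "All SA proposals found unacceptable", which is a policy/transform-set mismatch. The sample input is an abridged copy of the client log quoted in the question; the function and verdict names are assumptions.

```python
import re

# Header of a Cisco VPN Client log entry; the message text follows on the next line.
HEADER = re.compile(r"^\s*(\d+)\s+(\d\d:\d\d:\d\d\.\d+)\s+(\S+)\s+Sev=(\w+)/(\d)\s+(\w+)/0x([0-9A-Fa-f]+)\s*$")
COOKIES = re.compile(r"I_Cookie=([0-9A-Fa-f]+)\s+R_Cookie=([0-9A-Fa-f]+)")

# Constructed sample: an abridged copy of the client log quoted in the question.
SAMPLE_LOG = """\
97     17:31:30.875  10/03/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to

100    17:31:36.312  10/03/07  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

102    17:31:41.312  10/03/07  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

104    17:31:46.312  10/03/07  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

106    17:31:51.312  10/03/07  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=9F5A9C309A965466 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""

def parse_client_log(text):
    """Split the two-line entries of a Cisco VPN Client log into dicts."""
    lines, entries = text.splitlines(), []
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if m:
            msg = lines[i + 1].strip() if i + 1 < len(lines) else ""
            entries.append({"seq": int(m.group(1)), "time": m.group(2), "comp": m.group(6),
                            "code": m.group(7).upper(), "msg": msg})
    return entries

def classify_phase1(messages):
    """Return (verdict, retransmit_count) for a sequence of IKE log messages.

    'no_peer_reply'     - R_Cookie is all zeros: the gateway never answered the first
                          Main Mode packet, so the certificate was never even examined.
    'peer_dropped'      - the gateway answered (non-zero R_Cookie) but later went silent.
    'proposal_mismatch' - the ASA rejected every ISAKMP/IPsec proposal (policy mismatch).
    """
    msgs = list(messages)
    retrans = sum("Retransmitting" in m for m in msgs)
    if any("All SA proposals found unacceptable" in m for m in msgs):
        return "proposal_mismatch", retrans
    for m in msgs:
        c = COOKIES.search(m)
        if c and "PEER_NOT_RESPONDING" in m:
            return ("no_peer_reply" if set(c.group(2)) == {"0"} else "peer_dropped"), retrans
    return "unclassified", retrans

if __name__ == "__main__":
    entries = parse_client_log(SAMPLE_LOG)
    print(len(entries), "entries;", classify_phase1(e["msg"] for e in entries))
```

For an ASA-side `debug crypto isakmp` capture, which is one message per line, pass `text.splitlines()` straight to `classify_phase1`.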


    Author Comment


    route inside

    is for our VOIP phones, which have to be in another subnet different from our main subnet. I have placed the issue with Cisco TAC; hopefully I find a solution to that. Thanks for all your help.
    LVL 6

    Expert Comment

    I know this is very old, but did you get it resolved? I have the same problem.
