  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5699

Need instruction on creating a VPN certificate

I need instruction on creating and authenticating a VPN certificate for an individual user, so that the certificate can be requested, issued and authenticated from outside the network. I need to know how to configure the VPN client in order to make it work with our Cisco ASA. Thanks for your help.
0
Asked by: gman14
1 Solution
 
lrmoore Commented:
If you want to use Windows CA server:
http://cisco.com/en/US/products/ps6120/products_configuration_example09186a008073b12b.shtml
What version VPN client?
http://cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008009468a.shtml
The procedure would be basically the same with any other client. Request the cert from the CA server, download the cert and import it.
Procedures for 4.6
http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client46/win/user/guide/vc6.html
5.0 client will be same procedure as 4.6 through the VPN Client GUI interface.
0
 
gman14 (Author) Commented:
Thanks for that. I actually tried what was stated in the links you provided, but when I tried to connect with a certificate I had created, this is what I got:

Cisco Systems VPN Client Version 4.8.00.0440
Copyright (C) 1998-2005 Cisco Systems, Inc. All Rights Reserved.
Client Type(s): Windows, WinNT
Running on: 5.1.2600 Service Pack 2

93     17:31:29.796  10/03/07  Sev=Info/4      CM/0x63100002
Begin connection process

94     17:31:29.812  10/03/07  Sev=Info/4      CM/0x63100004
Establish secure connection using Ethernet

95     17:31:29.812  10/03/07  Sev=Info/4      CM/0x63100024
Attempt connection with server "12.167.19.194"

96     17:31:30.812  10/03/07  Sev=Info/6      IKE/0x6300003B
Attempting to establish a connection with 12.167.19.194.

97     17:31:30.875  10/03/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd), VID(Frag), VID(Nat-T), VID(Unity)) to 12.167.19.194

98     17:31:30.890  10/03/07  Sev=Info/4      IPSEC/0x63700008
IPSec driver successfully started

99     17:31:30.890  10/03/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

100    17:31:36.312  10/03/07  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

101    17:31:36.312  10/03/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 12.167.19.194

102    17:31:41.312  10/03/07  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

103    17:31:41.312  10/03/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 12.167.19.194

104    17:31:46.312  10/03/07  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

105    17:31:46.312  10/03/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK MM (Retransmission) to 12.167.19.194

106    17:31:51.312  10/03/07  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=9F5A9C309A965466 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

107    17:31:51.812  10/03/07  Sev=Info/4      IKE/0x6300004B
Discarding IKE SA negotiation (I_Cookie=9F5A9C309A965466 R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING

108    17:31:51.812  10/03/07  Sev=Info/4      CM/0x63100014
Unable to establish Phase 1 SA with server "12.167.19.194" because of "DEL_REASON_PEER_NOT_RESPONDING"

109    17:31:51.812  10/03/07  Sev=Info/5      CM/0x63100025
Initializing CVPNDrv

110    17:31:51.812  10/03/07  Sev=Info/4      IKE/0x63000001
IKE received signal to terminate VPN connection

111    17:31:51.828  10/03/07  Sev=Info/4      IKE/0x63000086
Microsoft IPSec Policy Agent service started successfully

112    17:31:51.828  10/03/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

113    17:31:51.828  10/03/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

114    17:31:51.828  10/03/07  Sev=Info/4      IPSEC/0x63700014
Deleted all keys

115    17:31:51.828  10/03/07  Sev=Info/4      IPSEC/0x6370000A
IPSec driver successfully stopped
0
 
lrmoore Commented:
>DEL_REASON_PEER_NOT_RESPONDING
Looks like issues unrelated to the certificates.
You would have to post the complete config for analysis.
If you are not comfortable posting directly in this forum, you can post a .txt file of the config here:  http://www.ee-stuff.com
Then post a link back here to the document.
0
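As an added example (not part of the original thread or of any Cisco tool), a small Python parser for the VPN Client log format pasted above: it pairs each header line with the message that follows it, counts IKE retransmissions, and reads the IKE SA deletion reason together with the responder cookie, which is the check to run before suspecting the certificate. The sample log is constructed; the address and cookies in it are placeholders.

```python
import re

# Header line of the Cisco VPN Client log, e.g.
# "106    17:31:51.312  10/03/07  Sev=Info/4      IKE/0x63000017"
HEADER_RE = re.compile(r"^(\d+)\s+\d\d:\d\d:\d\d\.\d+\s+\S+\s+Sev=\w+/\d\s+(\w+)/0x([0-9A-Fa-f]+)$")
DELETE_RE = re.compile(r"R_Cookie=([0-9A-Fa-f]+)\) reason = ([A-Z_]+)")
RETRANSMIT_CODE = 0x63000021   # "Retransmitting last packet!" in the posted log

def parse_log(text):
    """Pair each header line with the message line that follows it -> (seq, module, code, message)."""
    entries, header = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            header = (int(m[1]), m[2], int(m[3], 16))
        elif header is not None:
            entries.append(header + (line,))
            header = None
    return entries

def phase1_verdict(entries):
    """Return (retransmissions, deletion reason or None, plain-language verdict)."""
    retries = sum(1 for _, mod, code, _ in entries if mod == "IKE" and code == RETRANSMIT_CODE)
    for _, mod, _, msg in entries:
        m = DELETE_RE.search(msg) if mod == "IKE" and "Marking IKE SA for deletion" in msg else None
        if not m:
            continue
        rcookie, reason = m[1], m[2]
        # An all-zero responder cookie means the peer never answered the first MM packet.
        if reason == "DEL_REASON_PEER_NOT_RESPONDING" and set(rcookie) == {"0"}:
            return retries, reason, "peer never answered: check reachability and UDP/500 before certificates"
        return retries, reason, "phase 1 aborted after the peer replied: look at proposal/auth mismatch"
    return retries, None, "no IKE SA deletion logged"

# Constructed sample modelled on the posted log (address and cookies are placeholders)
SAMPLE_LOG = """\
97     17:31:30.875  10/03/07  Sev=Info/4      IKE/0x63000013
SENDING >>> ISAKMP OAK MM (SA, VID(Xauth), VID(dpd)) to 192.0.2.10

100    17:31:36.312  10/03/07  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

102    17:31:41.312  10/03/07  Sev=Info/4      IKE/0x63000021
Retransmitting last packet!

106    17:31:51.312  10/03/07  Sev=Info/4      IKE/0x63000017
Marking IKE SA for deletion  (I_Cookie=0123456789ABCDEF R_Cookie=0000000000000000) reason = DEL_REASON_PEER_NOT_RESPONDING
"""
```

Running `phase1_verdict(parse_log(SAMPLE_LOG))` on the sample reports two retransmissions and a peer that never replied, the same picture as the log posted above.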
 
gman14 (Author) Commented:
Thanks. I have posted both the
client debug: https://filedb.experts-exchange.com/incoming/ee-stuff/4920-VPN-client--debug.txt

if that helps.
0
 
lrmoore Commented:
I would need to see the complete configuration of the ASA. Can you post it up to ee-stuff?
0
 
lrmoore Commented:
>access-list splittunnel standard permit 10.30.0.0 255.255.255.0
You can remove this, it is not necessary to add the vpn ip pool to the list.

>access-list combolist extended permit ip 172.31.176.0 255.255.255.0 10.30.0.0 255.255.255.0
Is it your intent that the VPN users can only access the 172.31.176.0 subnet?

>route inside 172.31.176.0 255.255.255.0 10.8.0.254
Does this router at 10.8.0.254 have a route back to this ASA for the 10.30.0.0/24 vpn ip pool subnet?

From the debug:
>All SA proposals found unacceptable

this appears to have been fixed with the proper transform/policy match
>outside_dyn_map 20 set transform-set ESP-3DES-SHA
Matches the policy, so that error message does not show up again in the debug logs.
   crypto isakmp policy 10
    authentication pre-share
    encryption 3des
    hash sha
    group 2
    lifetime 86400

It appears that the certificate exchange is good, but something else is preventing phase1 from completing.
I hate to say it, but I'd punt this one over to Cisco TAC and see if they can help. I just don't have enough experience at debugging using certificates....

0
 
gman14 (Author) Commented:
172.31.176.0 255.255.255.0 10.30.0.0 255.255.255.0

route inside 172.31.176.0 255.255.255.0 10.8.0.254

is for our VoIP phones, which have to be in a different subnet from our main subnet. I have placed the issue with Cisco TAC; hopefully I find a solution to that. Thanks for all your help.
0
 
nhidalgo Commented:
I know this is very old, but did you get it resolved? I have the same problem.
0