Solved

Cisco VPN Client & Certificate

Posted on 2011-09-13
892 Views
Last Modified: 2012-05-12
Hello Experts,

I have a Multiple Domains UCC SSL Certificate for our Exchange 2007. I was wondering if I could somehow use this certificate for my Cisco VPN Client 5.0. There is a tab called "Certificates" and wanted to make use of my SSL certificate if possible.

Thanks!
Question by:katredrum
6 Comments
 
LVL 18

Expert Comment

by:jmeggers
ID: 36538140
Maybe I'm missing something but you don't typically need a certificate for IPsec tunnels unless you're using certificate-based authentication.  If you use pre-shared keys, you don't need it.  If you do choose to do certificate-based authentication, you'll need a CA server on the inside.  It's my understanding the ASA cannot act as a CA server for IPsec connections, only SSL VPN.
 
LVL 1

Author Comment

by:katredrum
ID: 36539353
I thought so too, but then I was like, why is there an option to import certificates into an IPSec VPN client...

Here's what the manual says:

Connecting with Digital Certificates

Before you create a VPN Client connection entry using a digital certificate, you must have already enrolled in a Public Key Infrastructure (PKI), have received approval from the Certificate Authority (CA), and have one or more certificates installed on the VPN Client system. If this is not the case, then you need to obtain a digital certificate. You can obtain one by enrolling with a PKI directly using the Certificate Manager feature, or you can obtain an Entrust profile through Entrust Entelligence. Currently, we have tested the following PKIs:

http://www.cisco.com/en/US/docs/security/vpn_client/cisco_vpn_client/vpn_client500_501/administration/5vcAch4.html
 
LVL 16

Expert Comment

by:SteveJ
ID: 36540021
You either need to provide your own PKI infrastructure (using Cisco IOS CA, it's cheap) or one of the few public PKIs that Cisco supports, either Microsoft or Entrust.

Preshared keys don't scale well, which is why certs with IPSec are a good idea... unless you have a small network and you can manage the PSK stuff.
 
LVL 1

Author Comment

by:katredrum
ID: 36540036
SteveJ, thanks for shedding some light on this. So I'm trying to figure out how to do this. When you say I need to provide my own PKI infrastructure public what do you mean? Could you please elaborate how I would set this up? Thanks in advance!
 
LVL 16

Accepted Solution

by: SteveJ (earned 500 total points)
ID: 36540275
You can use a Cisco router as a CA and enrollment server. You set up the CA, then the enrollment server, then set up a remote router with RSA keys and point it toward the enrollment server. The enrollment server creates the cert, and the remote router is then able to open an IPSec tunnel using the cert to authenticate. The head end router (where all the IPSec tunnels terminate) also enrolls and can be set up as a cert revocation point for the CA to publish a CRL to.

I have done this with a Cisco 3845 for hundreds of remote routers and saved a ton of money over purchasing VeriSign certs. Essentially you are using self-signed certs and don't need access to an external (costly) CA.

I have greatly oversimplified the explanation. Google "cisco ios ca" and you should be able to find a detailed document, or post questions and I will answer what I can.

Steve
 
LVL 16

Expert Comment

by:SteveJ
ID: 36540287
By the way, all the PKI stuff can be done on a single router. If you want to be able to recover certs, you need to set up storage for them. Or make them non-exportable and, if something bad happens, simply re-enroll the device.
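The following is an added IOS configuration sketch of the procedure SteveJ outlines in the accepted solution and the follow-up comment (CA and enrollment server on one router, a remote router enrolling with a non-exportable key pair, CRL publishing); it is not from the thread or from Cisco documentation. Hostnames, the 10.0.0.1 address, key labels, subject names and lifetimes are assumed values.

```cisco
! CA + SCEP enrollment server (assumed: hostname ca-router, address 10.0.0.1)
! ---- exec mode: key pair the CA signs with ----
crypto key generate rsa label CA-KEYS modulus 2048
! ---- config mode ----
ip http server
crypto pki trustpoint MYCA
 rsakeypair CA-KEYS
crypto pki server MYCA
 issuer-name CN=MyCA,O=Example
 lifetime ca-certificate 1825
 lifetime certificate 365
 database level complete
 cdp-url http://10.0.0.1/MYCA.crl
 grant auto
 no shutdown
! grant auto is for a lab; in production omit it and approve each
! request by hand with the exec command "crypto pki server MYCA grant <request-id>"
!
! Remote router (the head end enrolls the same way and checks the CRL above)
! ---- exec mode: keys are non-exportable unless "exportable" is given;
! ---- if the router is lost, revoke its cert on the CA and re-enroll a replacement
crypto key generate rsa label SPOKE-KEYS modulus 2048
! ---- config mode ----
crypto pki trustpoint MYCA
 enrollment url http://10.0.0.1:80
 subject-name CN=spoke1.example.local
 rsakeypair SPOKE-KEYS
 revocation-check crl
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication rsa-sig
 group 14
! ---- exec mode: fetch the CA cert (compare its fingerprint out of band before
! ---- accepting it), then submit the certificate request over SCEP ----
crypto pki authenticate MYCA
crypto pki enroll MYCA
```

Before the tunnel can come up, confirm with "show crypto pki certificates" on both routers that the identity certificate was issued and that the CRL at the cdp-url is reachable from the head end.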