Can we run AnyConnect using self signed certificates?

I have a lab that I want to build a tunnel to remote access for mobile-to-ASA computer, using AnyConnect.

I understand AnyConnect requires IKEV2 and certificates.

It allows no password communicated in advance, as the VPN-client.

Is there a way I can build the lab without a certificate?

In practice you can do pretty much everything with SSL VPN (AnyConnect client) you could with IPSec VPN (IPsec legacy or 3rd party client).

You get the advantage of support modern OS (i.e., Windows 8, etc.) and the ability to add many other features (with AnyConnect Premium licenses) and integrate other modules such as NAM and Cloud Web security etc...

Tags: Cisco Security

Similar Questions

  • RemoteAccess VPN to ASA 2 7.2 using self-signed certificate

    Dear friends,

    I need help or guide on how to install as State in the title.

    It is this configuration can be made? or the self-signed certificate cannot be used as VPN certificate.

    Unfortunately, we cannot deploy a dedicated CA server.

    But we cannot use as pre-shared key authentication because the configuration would force our ASA to disable the 'disable isakmp am-' which is unacceptable according to our independent auditor.

    So the best solution I can think of is to use the self-signed certificate that is suitable.

    Please advice me if there is somehow I can use 'isakmp am - disable' as well as the pre-shared key.

    Can I generate certificate using my ASA box? or I really need to use the dedicated CA server to make it work.

    This is a self-signed certificate of ASA, but I can't import into my Cisco VPN Client 5.0 it keep saying "error 39: impossible to import the certificate.

    MIIGpwIBAzCCBmEGCSqGSIb3DQEHAaCCBlIEggZOMIIGSjCCBkYGCSqGSIb3DQEH

    .. .removed

    SdCTfNIaE11Fm + rOMD0wITAJBgUrDgMCGgUABBS6s9ZMs6MoqQ0tdZuKRZuebbE3

    owQU/z10f/Ew3XMfWBYSV5Eo3evqqgwCAgQA

    I will be very very grateful for any help provided.

    Best regards

    SAB

    SAB,

    You must have a separate server from CA to issue certificates for the client and register the ASA on the CA server.

    You cannot use the self-signed certificate on the SAA for the VPN client.

    See you soon,.

    Gilbert

  • ASA SHA2 support with self-signed certificates

    Is it possible to use the signature SHA2 algorithm generating a certificate self-signed on an ASA? I can't find any documentation on orders that have control of things like the signature algorithm when you use self-signed certificates. I have seen documentation SHA2 is supported from 8.4.2 for the signature algorithm, but it always refers to the import of a certificate from an external certification authority.

    Hi William,.

    You can only generate self-signed certificate on the SAA SHA1. The solution is to import a certificate from a 3rd party with signature SHA2 algorithm.

    Here is the value for the same application:-

    ASA support for SHA - 2 for crypto IPsec and operations of the public key infrastructure
    CSCuj67576
    https://Tools.Cisco.com/bugsearch/bug/CSCuj67576/?reffering_site=dumpcr

    Kind regards
    Dinesh Moudgil

    PS Please rate helpful messages.

  • cannot install self-signed certificates sbs2008 on Vista SP2 with IE8

    I use SBS2008 Setup and it is to use self-signed certificates,

    My laptop is Windows Vista SP2 with IE8.

    When I try and connect to my OWA SBS2008 Web site, I get this error: there is a problem with this site's secure certificate.

    I tried to solve my problem with this solution: http://blogs.technet.com/b/sbs/archive/2008/05/08/installing-a-self-signed-certificate-as-a-trusted-root-ca-in-windows-vista.aspx , don't worry! In date; May 8, 2008

    I also looked at: http://support.microsoft.com/default.aspx?scid=kb; EN-US; 932156 , dated; November 19, 2008

    This link is on the page above: download the update for Windows Vista (KB932156) package now. , dated March 24, 2008. I understand that all of the above links are ment to work with Vista & IE7, there is no mention of the Service Pack level.

    This patch really works on Vista SP2 with IE8 or do I have to change the registry and if so, this key is always the right pair?

    HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots

    Thank you

    Hello

    Questions like these are much better handled in the TechNet IT Pro Forums.

    My moderator tools cannot transfer messages on Windows forums, please re - ask you question there.

    http://social.technet.Microsoft.com/forums/en-us/itprovistanetworking/threads

  • I have a Proxy Server that uses a self-signed certificate, and I can't accept this certificate from Firefox

    I have Firefox installed 37.0.1 on OpenSuse 13.2. I have a proxy server that uses a self-signed certificate, and I tried to add my certificate to the list of authorities and to check all the option displayed to be wz trust no chance.

    I tried to restart firefox, but it did not help.

    I did the same steps in chrome and it works fine.

    appreciate any help.

    After removing my .mozilla in my home directory. Add the certificate to the list of authorities in fact work.

  • Can I generate self-signed certificates free for Nexus 9 K?

    Hi, I have 22 9Ks Nexus that I just upgraded to 3,0000 I4 so I can use the REST API.

    I use vRealize Orchestrator for automation, and I can't access the REST API on the Orchestrator help link, as certificates are at expiration.

    I can't find much information on this subject for the 9 K, unless the 9Ks are mode of the AIT, in this case I think that TACS are the only people who can generate a certificate.

    Does anyone know otherwise work around this? Otherwise, I'll have to approach a TAC case for 22 certificates generated :-/

    Cheers, Dom

    I'm not familiar with the technology with what you're trying to integrate, but here's a guide on how generate a custom SSC (self-signed Cert) on a device:
    #conf t
    #hostname DEVICE01-NOTE: must not be changed
    #ip - domain test.local

    generate a General key label SSC_KEY module 2048 rsa key #crypto

    #crypto pki trustpoint SSC_LOCAL
    #subject - name, CN = DEVICE, DC = test, DC = local
    #enrollment selfsigned
    # crl revocation checking
    #rsakeypair SSC_KEY 2048

    #crypto ca enroll COMMAND SSC_LOCAL HIDDEN: initiate the creation of SSC

    % Include the serial number of the router in the name of the topic? [Yes/No]: no
    % Include an IP address in the name of the topic? [None]:
    % Generate self signed certificate router? [Yes/No]: Yes

    Router self-signed certificate created successfully

    After this make sure that you do NOT change the host name of the device :)

  • How can I make a self-signed certificate trusted root CA?

    Hi all

    I created a certificate self-signed using IIS 7 and he attributed to my local Web site. Looks like my connection to my local server is encrypted; but the problem is that the indicators of certificate in all browsers are red and read the following error message:
    "The identity of the server to which you are connected can not be fully validated. You are connected to a server using a name that is valid only within your network, which has an external certification authority has no way to validate ownership of. Some certification authorities will issue certificates of these names without worrying, not no way to ensure that you are connected to the expected site and not a pirate. »
    What does this error mean? Why isn't this error get away when I add my certificate in "Authorities roots of trust certificate" in the MMC > certificates? I want to get a green light for my certificate in my browser! Is this possible?
    Thanks in advance.

    There is no way to convert a self-signed certificate in a certificate signed by a root CA.  In addition, simply by adding a certificate in a particular area of the crypto shop does not change its abililties.  The trust root certification authorities certificates must be issued by approved certification.  Add your own cert to the store zone does not trust.

  • Configure SSL for OUD 4444 port Admin port-> replace the self signed certificates used

    Hi Experts,

    When installing OUD choose Certification self-signed for ports 1636 and 4444.

    Later I change the certificates used by the port of 1636 to a new key file containing the CA certificates. (Track the steps of: https://docs.oracle.com/cd/E52734_01/oud/OUDAG/security_clients_severs.htm#OUDAG00050)

    But same procedure does not have to replace the self signed certificates used by ports 4444!  Everyone is configured SSL (with Cert CA) on the Administration port?

    I couldn't even start the servers, you see an error:

    """

    category = gravity CORE = NOTICE msgID = 458891 msg = the directory server sent a notification to alert generated by the class org.opends.server.core.DirectoryServer (org.opends.server.DirectoryServerShutdown alert type, alert ID 458893): the directory server started the shutdown process.  Stop was launched by an instance of the org.opends.server.core.DirectoryServer class and the reason for the closure was an error occurred trying to start the directory server: NullPointerException (File.java:277 AdministrationConnector.java:843 AdministrationConnector.java:675 AdministrationConnector.java:182 ConnectionHandlerConfigManager.java:356 DirectoryServer.java:2932 DirectoryServer.java:1584 DirectoryServer.java:10108)

    «[27/sep / 2015:06:22:53-0400] category = gravity = NOTICE msgID = 458955 msg = the directory server CORE is now stopped "«»

    Post edited by: 1976902

    Sorry, I cannot help here - here are a few possibilities.

    Change connector Administration certificate

    https://docs.Oracle.com/CD/E52668_01/E54669/HTML/ol7-genssc-auth.html

    The failure of the handshake could occur for various reasons:

    • Incompatible encryption suites in use by the client and the server. This would require the customer to use (or allow) a suite of encryption supported by the server.
    • Incompatible versions of SSL in use (the server can only accept TLS v1, while the client is capable of using SSL v3 only).
    • Incomplete trust for the certificate of the server path
    • The certificate is issued to another area.
    • incomplete certificate trust path between the certificate for the server, and a certification authority root.
    • In most cases, this is because the certificate is not present in the trust store

  • Cannot use jar with icon files gif and self signed certificate files (Exception in thread "AWT-EventQueue-3" java.lang.NoClassDefFoundError: oracle/ewt/laf/basic/SelColorChange)

    Hi all.

    I use Forms 11 g 11.1.2.1 and updating JRE 7 45.

    I have create a jar file containing gif icons files using this procedure:

    (1) create the jar file:

    set path = % path %; C:\Oracle\Middleware\Oracle_FRHome1\jdk\bin (my ORACLE_HOME/jdk)

    jar - cvf webfigolos.jar *.gif

    (2) self sign the file:

    c:\Oracle\Middleware\asinst_1\bin > sign_webutil.bat c:\Oracle\Middleware\Oracle_FRHome1\forms\java\webfigoicons.jar

    Jars is signed but with a warning:

    Generate a signature key certificate aaosa2015 = auto...

    keytool error: java.lang.Exception: key pair not generated, al alias < aaosa2015 >

    loan is

    .

    There are errors or warnings while generating a self signed certificate. Pleas

    e revisiting.

    .

    Backup as c: C:\Oracle\Middleware\Oracle_FRHome1\forms\java\webfigoicons.jar

    \Oracle\Middleware\Oracle_FRHome1\forms\java\webfigoicons.jar.old...

    1 file (s) copied.

    Signature using ke c:\Oracle\Middleware\Oracle_FRHome1\forms\java\webfigoicons.jar

    y = aaosa2015...

    .. own made.

    But I can use this file. The application crashes and get this error from the java console:

    network: connection http://myluism-pc:7001/forms/lservlet; jsessionid = p98GTL5Fh6XnQcykySBhLWq2823HwHlPGZ16TYHVv93006N4mmdl!-947562687 with proxy = LIVE

    network: connection http://myluism-PC:7001 / with proxy = LIVE

    Exception in thread "AWT-EventQueue-3" java.lang.NoClassDefFoundError: oracle/ewt/laf/basic/SelColorChange

    at oracle.ewt.laf.oracle.OracleTreeUI.createItemPainter (unknown Source)

    at oracle.ewt.laf.basic.BasicTreeUI._getItemPainter (unknown Source)

    at oracle.ewt.laf.basic.BasicTreeUI.getItemPainter (unknown Source)

    at oracle.ewt.dTree.DTreeBaseItem.getSize (unknown Source)

    at oracle.ewt.dTree.DTree.paintCanvasInterior (unknown Source)

    at oracle.ewt.EwtComponent.paintInterior (unknown Source)

    at oracle.ewt.lwAWT.SharedPainter._paintInterior (unknown Source)

    at oracle.ewt.lwAWT.SharedPainter.paintExtents (unknown Source)

    at oracle.ewt.lwAWT.LWComponent._paintComponent (unknown Source)

    at oracle.ewt.lwAWT.LWComponent.paint (unknown Source)

    at oracle.ewt.EwtComponent.paint (unknown Source)

    at oracle.ewt.lwAWT.SharedPainter.paintExtents (unknown Source)

    at oracle.ewt.lwAWT.LWComponent._paintComponent (unknown Source)

    This used to be a very simple procedure, but it has stopped working...!

    Don't know if the jar file is well born, or if it is corrupt.

    I can't start my application.

    Help, please!

    Best regards, Luis.

    Try again with the JRE 7 10 update, I get a problem with the update of JRE 7 45, but when I tried the update of JRE 7 10, it works fine.

    For the objective test, disable the check

    Java Panel-> advance-> mixed Code-> disable verification (unchecked)

  • Safari no longer works with SSL self-signed certificates?

    With the last Safari (9.0.3) on OS X (running 10.11.3) and iOS (9.2.1) operating system, I can no longer connect to sites that use self-signed SSL certificates. Previously, I was warned that the site certificate was not "valid", but given the opportunity to continue anyway. This is the behavior I want to come back. It still works fine in Chrome, Firefox. but now just Safari gives me an error "Safari can't open the Page" as it would if it could not reach the server. Specifically, it says "Safari can't open the page https://myselfsignedhost.com because Safari is unable to establish a connection to the server myselfsignedhost.com.

    It does not give me the opportunity to inspect the certificate, add the certificate to my keychain, trust the cert, ignore the warning once or anything else that would be useful... He's just pretending like it can't connect. Am I missing something? How to restore old functionality? This 'bug' makes safari completely useless for me.

    OK, some info... This seems to apply only to SOME sites with self signed SSL CERT... The only obvious thing I can think is that maybe it applies to sites where the SSL certificate when the page was first loaded?

    If I open a new window private, I can access the page without problem. If I open a new standard, I can also open the page, until I quit safari. Once I left, it stops loading with the same error...

    If I manually add the SSL certificate to my keychain as being approved, the page also works... There may be a cache of certificate somewhere that is out of date?

  • Create safer self-signed certificates on IOS router?

    I use a router in 1921 and use partially as an AnyConnect (WebVPN) server for remote access in the location.  The certificate I used was a self-signed certificate & trustpoint generated on the router.  I am running as the last IOS available track to ensure that it has all the latest features.

    Do a quick check of SSL against her of Qualys, he seems to have a lot of weaknesses and known vulnerabilities.

    * Poodle TLS

    * TLS 1.0 only

    * SHA1

    * Diffie-Hellman 1024 bits

    * Some algorithms of older encryption which seem to be available (but I've never specified), as TLS RC4_128_MD5

    The encryption mechanism and controls to create the cert don't give me much choice in the matter.

    Is there a new or better way to create a more secure certificate chain on an IOS router?  I couldn't find the instructions anywhere.

    Robert

    Take a look at my guide to private networks virtual Suite-B.  It creates more secure certificates.  Note my comment about the minimum software version to use.

    https://www.IFM.NET.nz/cookbooks/Cisco-IOS-router-IKEv2-AnyConnect-Suite-B-crypto.html

  • ASA5505 IPSEC only with self-signed certificates

    Hi all

    I have little Cisco training and was assigned to a pilot project. We have cleaning of the ASA from another Department, but I do not have access to support. It is running ASA v9.1 and ASDM 7.1. If all goes well I'll be sent on training and we can buy a nice 5520.

    So I scoured the internet for a guide that is easy to do as my title says, but I'm having major trouble. I find a lot of outwardly signed with self-signed SSL VPN or VPN IPSEC with CERT support but I can't only get ASA self-signed IPSEC IKEv2 with certificate authentication. Also, to make it even worse, I have to provide the user with the software, the profile and the certificate in hand. No access to the web or download portal.

    If you know where I can get good installation guide for this type of use please by all means save me here. If this isn't possible, I'm cool with that, let me know.

    Thank you fo any help you can provide

    Jay

    If the ASA uses a certificate issued by a certification authority that is in-store customer trust root CA, then the certificate of identity ASA didn't need to be imported by the customer.

    Which is why it's usually recommend to follow the path of using experienced public CA because they are alreay included in most modern browsers and so the client has no need to know how to import certificates etc.

    If you are using a local certification authority that is not in the store trusted CA of the customer to deliver your ASA certificate or identity certificates on the SAA signing root then you must take additional measures at the level of the customer.

    In the first case, you could import the CA certificate in the store root CA of the client trusted root. After that, all the certificates it has issued (the IE the ASA certificate of identity) would automatically be approved by the customer.

    On the second case, certificate of identity of the SAA is would have installed on the client because it (the ASA) basically as it's own root certification authority. Usually, I install them in the CA store root confidence of my client, but I guess that's technically not necessary, as long as the customer knows to trust this certificate.

  • Generate a DRAC 7 - new self-signed certificate

    Try to generate a new cert self-signed by the DRAC, but keep the size to 2048 bits.

    racadm config-g cfgRacSecurity-o cfgRacSecCsrKeySize 2048

    sslresetcfg restores the cert to 1024...

    racadm sslresetcfg

    Counsel on how to obtain a self-signed certificate 2048?

    iDRAC 7 2.10.10.10 Firmware go iDRAC have by default with 2048-bit certificate. You can update iDRAC to 2.10.10.10 and run the command "racadm sslresetcfg" to load the default certificate of 2.10.10.10 firmware.

    iDRAC7 2.10.10.10 Firmware is available @ http://www.dell.com/support/home/us/en/19/Drivers/DriversDetails?driverId=Y5K20&fileId=3445456701&osCode=NAA&productCode=poweredge-r820&languageCode=EN&categoryId=LC

  • QNXStageWebView and self-signed certificates

    I use the QNXStageWebView control to load HTML pages in my AIR application. I'm testing with OS version 1.0.7.3133 and version 2.7 AIR and Tablet OS SDK 1.1.0.  When I use https and try to access a web site that uses a self-signed certificate (which is not approved on the device), the object of QNXStageWebView does not throw error events. How can I detect that the user tries to access a unreliable website and warn (as the native browser)? I saw the newspapers of Wireshark and I see an error "the handshake failed".

    Hello Kiran,

    After further investigation, the dialog box for the certificate that is popped up by the WebKit is made under the covers. The issue which is seen is actually a bug in sdk. However the bug has been fixed and the fix will be available in the next version of the blackberry Tablet sdk.

    Let me know if you have any questions, and I'll be happy to answer them for you.

  • DELETE A SELF-SIGNED CERTIFICATE

    Hi all

    We have just finished testing a new configuration on an ASA 5510 to connect no matter what. During testing, we used a self-signed certificate, but I now want to install a full certificate from a certification authority. The question is what is the best way to remove the old free generated certificate so we did not all conflicts during the installation of the new certificate?

    We are looking to Go Daddy SSL certificate, someone at - it other recommendations?

    Thank you

    1. The certificate (or more accurate: the trustpoint) is assigned to the interface. If you configure a new trustpoint to your new certificate and assign this trustpoint to your external interface, then nothing is in conflict. If you want to you can always use your certificate self-signed for the inside interface. But of course you can also remove it.
    2. There are so many cases that you can choose from. Some clients use me Entrust, other Thawte. I got mine from StartSSL. It's your choice. It's more about the cost and reputation.

Maybe you are looking for