Certificate for VPN 3030

Hello

I am trying to install a digital certificate from VeriSign on a VPN concentrator (version 4.1.6). This certificate must be used for WebVPN - HTTPS (SSL).

When I try to install the SSL certificate I get the following error message:

Installation of SSL certificate error: incomplete chain.

(The certificate has a term until 2006. The only note that I found on CCO is that the duration of the certificate is then more 2048).

Does anyone have an idea what the problem is?

Thanks Horst

Generally, you will get this message if you have not loaded the CA (root) cert on the 3000 before trying to load the identity cert. You cannot have an identity certificate for SSL from an external CA server without also having the root cert from this CA server installed.

Go to Administration - Certificate Mgmt - Click here to install a CA certificate, install that first, then install the SSL certificate.

Tags: Cisco Security
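
Added example (not part of the original thread and not Cisco tooling): a pre-flight check with the openssl command line on an admin workstation that reports whether an identity certificate's chain is complete before anything is uploaded to the device. It goes one step beyond the thread by including an intermediate CA; every key, certificate and subject name is constructed for the demonstration.

```sh
#!/bin/sh
# Added example. Every key, certificate and subject name here is constructed.
set -eu

# Create a key and CSR: $1 = directory, $2 = file basename, $3 = subject.
new_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

# Build root CA -> intermediate CA -> server (identity) certificate in $1.
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    new_csr "$d" root "/CN=Constructed Demo Root CA"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
    new_csr "$d" int "/CN=Constructed Demo Intermediate CA"
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    new_csr "$d" srv "/CN=webvpn.example.test"
    openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -days 30 -out "$d/srv.pem" 2>/dev/null
}

# Print "complete" if identity cert $1 chains to trust anchor $2, using any
# further arguments as intermediate CA certs; otherwise print "incomplete".
chain_status() {
    leaf=$1; anchor=$2; shift 2
    if [ "$#" -gt 0 ]; then
        inter=$(mktemp)
        cat "$@" > "$inter"
        out=$(openssl verify -CAfile "$anchor" -untrusted "$inter" "$leaf" 2>&1) || true
        rm -f "$inter"
    else
        out=$(openssl verify -CAfile "$anchor" "$leaf" 2>&1) || true
    fi
    case $out in
        *": OK"*) echo complete ;;
        *)        echo incomplete ;;
    esac
}

demo=$(mktemp -d)
make_demo_chain "$demo"
echo "root + intermediate: $(chain_status "$demo/srv.pem" "$demo/root.pem" "$demo/int.pem")"
echo "root only:           $(chain_status "$demo/srv.pem" "$demo/root.pem")"
echo "intermediate only:   $(chain_status "$demo/srv.pem" "$demo/int.pem")"
```

With real files, pass the identity certificate first, the root CA certificate second and any intermediate CA certificates after that; whatever is needed to reach "complete" is what has to be installed on the device before the identity certificate.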

Similar Questions

  • Requesting/issuing certificates for IPSEC VPN users

    Hi all

    I have an ASA set up with a connection to LDAP and a signed SSL certificate for the device cert, and I use IPSEC IKEv2 VPN connections that are authenticated by LDAP username and password plus X.509 certificates.

    I have a Microsoft Windows Server 2012 root CA server (kept offline) and a Windows Server 2012 subordinate CA server. Both are 10-year certification authorities.

    To generate VPN certificates I go to the sub CA, go to Certificates (Local Computer) > Personal > right-click on the white space > All Tasks > Advanced Operations > Create Custom Request.

    I set up my cert accordingly and enable private key export.

    I submit the new request to the certification authority service on the sub CA (same machine as before). I issue the certificate, and then export the certificate with the private key. I send this to my user, then they install this certificate in the personal certificate store and access the VPN using this cert plus the username and password they have been assigned (no, there is no possibility for them to request it from their own PC).

    Question 1: Is there an easier way to do this? Command line? Script? A preconfigured .ini file with the certificate settings?

    Question 2: These certificates are only valid for 1 year. How can I generate certificates that are valid for longer than that? I'm hoping for 3 years.

    Thank you!

    BROKEN

    Well, it's quite simple setup-wise when you choose to go down the path of the client certificate. It is generally easier to use SCEP (Simple Certificate Enrollment Protocol) to manually deploy certificates. There is an example of a configuration here.

    There is also a good presentation (or several) from Cisco Live. I recommend that you take a look at this one from 2012: Practice of PKI for VPN.

    This presentation (slide 39) specifically shows you how to create a new certificate template and set the validity period from the default value of 1 year.

  • Type of certificate for ASA VPN IPSEC

    Hi all

    I'm looking to set up an IPSec VPN connection that will authenticate users by certificate only. I configured everything successfully with the local AAA login, but am looking to convert to a signed certificate and generate user certificates for users that are not part of the company or Active Directory.

    So here's my question. What kind of certificate do I buy (let's say from VeriSign aka Symantec)? And if I want to only use this certificate for my VPN and its clients, can I install it on the Cisco ASA and generate user certificates, or should I set up a Windows Server with a CA and create all the certificates on that machine?

    My goal is to install the AnyConnect 3.1.x agent on the user's laptop and install the user certificate myself. No webVPN or on behalf of the user. I tried the local certification authority in the ASA in a dev environment, but have had no luck, so I thought I'd just go with a properly signed one right away.

    Thanks in advance,

    BROKEN

    > Do you think I should have a 3rd party signed certificate

    If the VPN is not only used for internal staff, then always opt for a public certificate. If you ask other users to install your root certificate, you ask them to allow you to be a man in the middle for all their traffic. That is not something that needs to be done.

    Enrollment is generally just configuring the trustpoint and installing the certificate. It is very likely that the certification authority uses an intermediate certification authority, so you should install that also (the CAs even have howtos for various platforms).

    > I'm still learning here so I apologize if my questions seem to be amateur.

    And be assured, learning never stops... :-)

  • Unable to get WebVPN working on VPN 3030 chassis

    This v4.1.7P chassis works perfectly for our Cisco VPN client installation, no problem. We have decided to extend its usefulness by turning on and configuring WebVPN.

    I did it on an IOS router, a Cisco 1841, and it works very well, so I'm following the same basic procedure to activate it on our VPN 3030.

    But when trying to connect to the VPN 3030's public interface from an internet ISP, I don't even get a login window, an error, nothing at all. Finally the browser times out and stops.

    I did all the usual steps to enable WebVPN, yet nothing seems to work. I can admin the box fine internally via https, so I know the self-signed certificates work.

    Any ideas where to attack this from?

    Thanks, Jeff

    Hi Jeff,

    Try to upgrade to 4.7.x

    This generation of OS is fully operational with WebVPN.

    Check http://cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008055641a.shtml

    You can ignore the SSL Client part and troubleshoot why it does not work now for your environment.

    For a complete list of commands/options check:

    http://Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_guide_book09186a00801f1c6d.html

    Please rate if this helped.

    Kind regards

    Daniel

  • VPN 3030 - load balancing problem

    Hi all

    I have set up load balancing on the VPN 3030. With it, I had a few problems. Firstly, the secondary 3030 has more RAM (512) than the primary (128). The secondary was purchased just a month back with 512 M RAM and the latest OS 4.1.7.

    (1) After activating LB, normal VPN clients are redirected to and land on the secondary concentrator. There are more than 10-15 connections that landed on the secondary and none landed on the primary. I understand that this is because the master now takes fewer connections... is that right? But why are there no connections at all on the master?

    (2) WebVPN didn't work that well with load balancing enabled. HTTPS to the virtual IP address does not work. When I tried with the physical IPs separately, it works, but not with the virtual IP address. Port 443 does not open on the virtual IP address. Why is this? Can I configure something else for this?

    I also noticed that once you activate load balancing, redirection is done directly to the physical IP addresses, which means that end users will know the physical IP addresses and can connect directly if they need to. Why is this? Can someone shed light on this?

    REDA

    To answer one of your questions, I think that the primary will have connections only when the secondary has a minimum number of connections...

  • IOS VPN 3030

    Hello group,

    I have a small request. I have a VPN 3030 concentrator, which has IOS 4.1.5 installed. I do not have the 4.1.5 image right now with me and is available for download in cisco. I need this image for another customer. Can I download the 4.1.5 IOS image from the concentrator? I have seen the TFTP option, but it doesn't seem to work.

    Kind regards

    REDA

    You will need to open a TAC case and they can provide it for you. Unfortunately you cannot TFTP the image off the concentrator.

  • SSL VPN certificate

    Hi all

    I have configured the SSL VPN client and the clientless SSL VPN, but I am not able to connect with the Cisco VPN client software or with a browser, because of a certificate problem. Can you please tell me how to create the SSL VPN certificate?

    Thanks and greetings

    Rajesh Gowda

    Sign up for a certificate from a public certification authority and use the FQDN to connect to the VPN. Then these warnings should not appear.

  • ASA - several IPs for VPN

    I'm setting up AnyConnect to replace our Cisco IPsec VPN clients, since that is end of life. Part of the process is to get an SSL certificate and a fully qualified domain name to use for this. I've got that and it is applied to the ASA just fine. Now we don't get those warnings about it not being secure and such.

    The problem is that we use a non-standard port for the SSL VPN, since 443 is already forwarded to an internal device. I have unused public addresses on the external interface of the ASA, but I don't know how I could use them. I would like to have a different IP address for SSL VPN, so I don't have to mess with the port forward that is currently in place. I read up on proxy ARP, but that looks like it could be a problem. I could have someone connect another cable to a different interface on the ASA (5512-X) and assign the static IP I want for the VPN to that interface, but I'm not sure it will work well. We have site-to-site VPN connections in place as well. Can I have the ASA listening on two different interfaces at the same time?

    Recap:

    IP 1 - primary NAT address, site-to-site tunnels terminate here, some Cisco IPsec VPN clients terminate here

    IP 2 - want to have all AnyConnect clients connect here, and migrate all legacy Cisco IPsec clients until they are all on AnyConnect.

    Key is that I cannot stop listening on IP 1 for site-to-site connections.

    Thoughts?

    Thank you!

    On the ASA, you cannot use additional IPs for VPN.

    If tcp/443 is already used for an external server, then I would reconfigure the DNS entry for it to use the second IP address, which then has to be forwarded to the internal server. You can then use the interface IP of the ASA for AnyConnect.

  • Can I block users from connecting to the VPN 3030 by client type or version?

    I would like to block some users who connect to our VPN 3030 using a Win98 client or a very old version of the VPN client.

    Is there a way to set up my VPN 3030 so I can block these clients? I don't want to push a new client to them, and I don't have a RADIUS server or something like that to put them on a separate isolated network.

    I want to configure this on the VPN 3030; is it possible?

    Thank you.

    Jayesh,

    Go to:

    Configuration | User Management | Groups

    Go to the specific group and click on Modify.

    On the IPSec tab, you will see a section for:

    Client Type & Version Limiting

    For example:

    p *: 4.7*

    This will allow version 4.7 clients.

    Cheers

    Gilbert

    Please rate it if it helps

  • MIB for VPN concentrator

    I'm trying to locate the MIBs for a VPN 3030 concentrator, specifically maximum connections.

    Thank you

    Hello:

    All 3K MIBs are located at:

    FTP://FTP.Cisco.com/pub/MIBs/supportlists/vpn3000/vpn3000-supportlist.html

    Hope that helps

    Jean Marc

  • ASA 8.4.3: install the certificate for WebVPN without a CSR

    Hi guys,

    I have spent a lot of time trying to install our wildcard certificate in the ASA for use with AnyConnect, but keep failing miserably. I read a lot of posts, but don't really know what I'm doing.

    From our web server, I got DigiCertCA.crt, star.mycompany.com_cert.pem and star.mycompany.com_key.pem. The certificate is a wildcard certificate for mycompany.com.

    The DigiCertCA.crt file is the certificate called "DigiCert High Assurance CA-3" on the web site: https://www.digicert.com/digicert-root-certificates.htm
    with the serial "0A5F114D035B179117D2EFD4038C3F3B".

    On the ASA, I checked that I have no trustpoints present. The commands "sh crypto ca certificates" and "sh crypto ca trustpoints" give no output.

    OK, so let's get started with the setup, where I am having problems:

    ASA(config)# crypto ca trustpoint star.mycompany.com
    ASA(config-ca-trustpoint)# fqdn webvpn.mycompany.com
    ASA(config-ca-trustpoint)# enrollment terminal
    ASA(config-ca-trustpoint)# revocation-check none
    ASA(config-ca-trustpoint)# exit
    ASA(config)# crypto ca authenticate star.mycompany.com
    Enter the base 64 encoded CA certificate.
    End with the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    # CONTENT DigiCertCA.crt #
    -----END CERTIFICATE-----
    quit
    INFO: Certificate has the following attributes:
    Fingerprint: c68b9930 c8578d41 6f8c094e 6adb0c90
    Do you accept this certificate? [yes/no]: yes
    Trustpoint 'star.mycompany.com' is a subordinate CA and holds a non self-signed certificate.
    Trustpoint CA certificate accepted.
    % Certificate successfully imported
    ASA(config)# crypto ca import star.mycompany.com certificate
    WARNING: The certificate enrollment is configured with an fqdn
    that differs from the system fqdn. If this certificate will be
    used for VPN authentication this may cause connection problems.
    Would you like to continue with this enrollment? [yes/no]: yes
    % The fully-qualified domain name in the certificate will be: webvpn.mycompany.com
    Enter the base 64 encoded certificate.
    End with the word "quit" on a line by itself
    -----BEGIN CERTIFICATE-----
    # CONTENT star.mycompany.com_cert.pem #
    -----END CERTIFICATE-----
    quit
    % Failed to import certificate -
    Certificate does not contain device's General Purpose Public Key
    for trust point star.mycompany.com
    ERROR: Failed to parse or verify imported certificate
    ASA(config)#

    Please help me! I'm not a guru with certificates.

    Kind regards

    Tom van Leeuwen

    Tom,

    You create a PKCS12 container which includes certificates, and CA key.

    I don't know how to do it with Linux, no idea with Windows

    Michael

    Please rate all useful posts

  • SSL VPN certificate authentication

    Hello

    I am changing SSL VPN from AAA authentication to AAA and cert: Server 08 CA, ASA 5510 on 8.2, SSL client 2.5.1025 and Windows 7 users. My question is what the template should be for the ID cert I get from the CA.

    Thank you

    Marie Laure

    You can use the Web Server template for the ASA certificate.

    Thank you

    Tarik Admani
    * Please rate the useful posts *

  • VPN 3030 load balancing

    Hi all

    I was asked to configure load balancing between two Cisco VPN concentrators (Cisco VPN 3030).

    I set up the two boxes as described on the Cisco web site

    https://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_tech_note09186a0080094b4a.shtml

    After enabling VPN load balancing, I get the error quoted below for 30 seconds.

    Quote:

    Master double detected LBSSF [0003a 0889463] and going to SLAVE

    One of my friends told me to try with encryption enabled, but no difference.

    I searched on Google but did not get any solution. I am now helpless. If any of you guys have met this kind of problem before, could you please help to solve it...

    Thank you

    Please set each device to have different priorities and then reload both devices.

    If this does not work, can you confirm that your VCA filter settings have been properly configured and applied to the public interface? The following link provides more details on how to configure VCA filters:

    https://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_tech_note09186a0080094b4a.shtml#C2

    Kind regards
    ATRI

  • My Firefox 15.0.1 cannot verify any SSL CA; it says: "Cound not verify certificate for unknown reasons" when I view the status of the certificate.

    Recently, I went to Windows 8 (from 7) and installed Firefox 15.0.1. Whenever I try to access a secure HTTP page I get a message that "this connection is untrusted". If I click on Add Exception and view the certificate status I get the following message every time: "Cound not verify certificate for unknown reasons."

    I checked these sites in other browsers and they work fine. I also checked the certificates using this site: http://www.networking4all.com/en/support/tools/site+check/

    I tried to start Firefox in compatibility mode, and when that didn't help, I reinstalled it, but nothing changed. I use Chrome for now but I hope that's not the only solution.

    What security software (firewall, antivirus) do you have?

    Some firewalls monitor secure connections (https) and send their own certificate instead of the certificate of the web site.

    You can retrieve the certificate and check details such as who issued the certificates and the expiration dates of certificates.

    • Click on the link at the bottom of the error page: "I understand the risks".

    • Let Firefox retrieve the certificate: "Add Exception" -> "Get Certificate".

    • Click on the "View..." button and inspect the certificate and check who is the issuer.

    You can see more details, like the intermediate certificates that are used, in the Details pane.

  • Two SMIME certificates for a contact. Only one working

    I have a contact (call her Kim). She has two email addresses:

    Kim (at) gmail.com

    Kim (at) yahoo.com

    I created two SMIME certificates for her - and got her to send me the appropriate cert using each email address. I used these emails to load the certificates on my Mac and iPad. However, in Mac Mail, I can only send using SMIME when I use kim (at) gmail.com. If I choose the other e-mail address - kim (at) yahoo.com - the lock icon turns off and the e-mail is sent "in the clear".

    If I look at the details in Contacts, I can see her two addresses, and each has a star/checkmark beside it to indicate that the SMIME cert is available. I click on the star, and I see that each certificate is self-signed and "marked as approved for the < email address >." Looking in Keychain Access, I can see the two certificates, and doing a Get Info on the two I can see that they are absolutely identical, with the exception of the email (and, of course, the key data).

    I know SMIME is working - I use it a lot for work and it works if I send an e-mail to kim (at) gmail.com.

    Notes:

    1. I don't think this is a limitation of one SMIME-capable email address per contact. I tried making a duplicate contact with one e-mail address per contact. It still does not work.
    2. I checked the email addresses - they both correspond exactly to what is in the cert.
    3. On my iPad, it works perfectly. I can send e-mail to kim (at) gmail.com and kim (at) yahoo.com and they get properly encrypted. It seems that there is a problem with the Mac only. I loaded the cert from the email, exactly as I did for the Mac.

    BTW - I'm on the latest version of everything - OS, applications etc. I'm a compulsive updater :-).

    Ping! Has no one seen this?

    It is true that it's probably rare - SMIME and two email addresses.

    I'm crossing my fingers :-)
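
For the "ASA 8.4.3" thread above, where the reply suggests a PKCS12 container: an added example (not from the thread and not Cisco's procedure) that uses the openssl command line to confirm the private key belongs to the certificate and then bundle certificate, key and CA certificate. All file names, subjects and the passphrase are constructed, and two self-signed certificates stand in for the real CA-issued files.

```sh
#!/bin/sh
# Added example. All files, subjects and the passphrase are constructed.
set -eu

# Succeeds only if private key $2 belongs to certificate $1
# (compares the public key embedded in each).
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

# Bundle identity cert $1, its key $2 and CA cert $3 into PKCS#12 file $4
# protected by passphrase $5. Refuses to build a bundle with a foreign key.
make_p12() {
    if ! key_matches_cert "$1" "$2"; then
        echo "private key does not match certificate" >&2
        return 1
    fi
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -passout "pass:$5" -out "$4"
}

# Count the certificates stored in PKCS#12 file $1 (passphrase $2).
p12_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Stand-in material: two self-signed certs play the CA cert and the wildcard cert.
work=$(mktemp -d)
selfsigned() {  # $1 = basename, $2 = subject
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$2" \
        -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}
selfsigned ca   "/CN=Constructed Demo CA"
selfsigned star "/CN=*.example.test"

make_p12 "$work/star.pem" "$work/star.key" "$work/ca.pem" \
    "$work/star.p12" "constructed-passphrase"
echo "certificates in bundle: $(p12_cert_count "$work/star.p12" "constructed-passphrase")"
# Base64 text form of the bundle, as needed for a terminal (paste) import.
openssl base64 -in "$work/star.p12" | head -n 2
```

The key check is the part that relates to the error in the thread: a trustpoint whose key pair was not the one used for the certificate cannot accept that certificate, while a PKCS12 bundle carries the matching key with it.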
