Create the Ipsec tunnel using digital certificates

Similar Questions

• How to match tunnel-group with auth ASA 8.2 and IPSec VPN Client using digital certificates with Microsoft CA

  Hello

  I set up a lab for RA VPN with a version of the ASA5510 8.2 and VPN Client 5 software using digital certificates with Microsoft CA on a Windows 2003 server. I did the configuration based on this document from Cisco's Web site:

  http://www.Cisco.com/en/us/partner/products/ps6120/products_configuration_example09186a0080930f21.shtml

  Now, the vpn works fine, but now I need to configure a tunnel-different groups so I can provide different services to different users. The problem I have now is that I don't know how to set it up for the certificate is the name of tunnel-group. If I do an ASA debug crypto isakmp I get this error message:

  % ASA-713906 7: IP = 165.98.139.12, trying to find the group through OR...
  % 3 ASA-713020: IP = 165.98.139.12, no group found by matching well payload ID: unknown
  % ASA-713906 7: IP = 165.98.139.12, trying to find the group via IKE ID...
  % 3 ASA-713020: IP = 165.98.139.12, no group found by matching well payload ID: unknown
  % ASA-713906 7: IP = 165.98.139.12, trying to find the group via IP ADDR...
  % ASA-713906 7: IP = 165.98.139.12, trying to find the group using default group...
  % ASA-713906 7: IP = 165.98.139.12, connection landed on tunnel_group DefaultRAGroup

  So, basically, when using certificates I connect always VPN RA only with the group default DefaultRAGroup. Do I have to use a model of different web registration for application for a certificate instead of the user model? How can I determine the OU on the user certificate so that match tunnel-group?

  Please help me!

  Kind regards

  Fernando Aguirre

  You can use the group certificate mapping feature to map to a specific group.

  This is the configuration for your reference guide:

  http://www.Cisco.com/en/us/partner/docs/security/ASA/asa82/configuration/guide/IKE.html#wp1053978

  And here is the command for "map of crypto ca certificate": reference

  http://www.Cisco.com/en/us/docs/security/ASA/asa80/command/reference/C5.html#wp2186685

  Hope that helps.

• Can I use private as Source IPs from a remote network IP addresses while building the IPSec tunnel?

  Can I use private as Source IPs from a remote network IP addresses while building the IPSec tunnel? If not why? If so, how?

  Your explanation is much appreciated.

  Hi Deepak,

  In such a situation, you usually NAT traffic that goes to the internet, but exempt traffic that goes through the VPN, because it will be wrapped in packages with public IP (tunnel) addresses. You can use the same IP address on your interface in the face of internet for the NAT/PAT and source of IPSEC Tunnel.

• create the new file using report generation express vi

  Hello

  In my application, I need to write that certain data in spreadsheet Excel. For whom I created an excel template and I used the express vi report generation Toolkit to record appropriate data in the columns of the place. I need a new file created every day by the name of the day and write the data that he rest of the day. I have problems, create the new file using this express vi. I tried to use the low level vi but not able to make properly.

  Join my code and the excel template.

  Help, please.

  Thank you!

  I suspect that your problem is illegal characters (' / ') in your path, certainly it is the case in your original vi. You need to format your path, something like this (underscore instead of a slash stroke):

  

• How to create the user account using the command?

  How to create the user account using the command?

  Open cmd as administrator, and then type the following commands one after the other

  NET user / add program mypassword
  net localgroup administrators program / add
  net share concfg * C:------/ grant: program, complete
  This will create a user account with the name "Program" and the password "MonMotpasse".

  You can create the user name and password of your choice.

• Create the user by using the service of SPML in OIM 11 g

  Hello
  
  I write client java to create the IOM user using the web service.
  
  Code:
  
  private final static QName SERVICE_NAME = (QName) new
  "http://xmlns.oracle.com/idm/identity/webservice/SPMLService,"
  "SPMLService");
  
  WsdlURL URL = new URL ("http://OIM_HOST:POPRT / spml-xsd/SPMLService?") WSDL");
  SPMLService ss = new SPMLService (wsdlURL, service_name);
  SPMLRequestPortType port = ss.getSPMLServiceProviderSoap ();
  ServiceHeader ServiceHeaderType = new ServiceHeaderType();
  
  Map of ctx = (port) .getRequestContext ((BindingProvider)).
  CTX.put ("ws - security.username", "xelsysadm");
  CTX.put ("ws - security.password", "passwordforoimuser");
  
  When executing code, I get an exception:
  
  javax.xml.ws.soap.SOAPFaultException: InvalidSecurity: error in the treatment of the security WS-Security header
  at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:171)
  at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:94)
  at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:240)
  at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:210)
  at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:103)
  to $Proxy39.spmlSuggestUsernameRequest (Unknown Source)
  
  Please provide any pointer.
  
  Thank you.

  Use the wsimport command

  Published by: 902889 on December 18, 2011 21:38

• create the policy by using the API of the IOM: tcAPIException:insert exception failed

  Hello
  
  I need to create the policy by using the API of the IOM.
  
  Here is my code:
  
  long [] provObjKeys is {10};.
  Boolean [] revokeObjectIfNotApply = {true};
  long [] denyObjKeys is {11};.
  long [] groupKeys is {6};.
  tcAccessPolicyOperationsIntf accessPolicyOp = (tcAccessPolicyOperationsIntf) ioUtilityFactory.getUtility ("Thor.API.Operations.tcAccessPolicyOperationsIntf");
  
  HashMap policyCriteriaMap = new HashMap();
  policyCriteriaMap.put ("Access Policies.Name", "computer laptop Access Policy");
  policyCriteriaMap.put ("Access Policies.Description", "computer laptop access political Desc");
  policyCriteriaMap.put ("Access Policies.Note", "computer laptop Access Policy Note");
  policyCriteriaMap.put ('Access Policies.Retrofit Flag', ' yes');
  policyCriteriaMap.put ("Access Policies.By Request", "No");
  
  long accessPolicyKey = accessPolicyOp.createAccessPolicy (policyCriteriaMap, provObjKeys, revokeObjectIfNotApply, denyObjKeys, groupKeys);
  
  but the political establishment fails.
  
  Not able to discover the problem.

  policyCriteriaMap.put ("Access Policies.Retrofit Flag", "1");
  policyCriteriaMap.put ("Policies.By application access","0");

• Create the remote database using dblink view

  Hello
  
  I have a small question for you.
  
  Is it possible to create the remote database using dblink view? Following syntax error
  
  create discover ViewName@DbLinkDame (ColumnName) as
  (select 1 double)
  
  "ORA-00905: lack of keyword.
  
  Is this possible at all?
  And particularly - is this possible when the remote database is MSSQL and I use heterogeneous services?
  
  I really appreciate your help
  Best regards
  Wojtek
  
  Published by: wojpik on October 21, 2009 03:59

  This is a workaround for a remote Oracle database (use the queue of work), however:

  http://asktom.Oracle.com/pls/asktom/f?p=100:11:0:P11_QUESTION_ID:597877500346143250

  but I have no idea if something similar is possible for MSSQL...

• How can I know the FULL domain name & names for the installation of a digital certificate Public in ISE?

  We are implemented a project with Cisco ISE; but comments Portal appears to users as a "untrusted site". For problems, a public digital certificate must be installed in Cisco ISE, so he can send it to users who enter the comments Web portal.

  Now... to sell me the certificate, VERISIGN needs to know settings ISE of the certificate, such as name of area COMPLETE, names subnames, etc... How can these parameters of ISE?

  Thaks a lot!

  This isn't an easy question to answer, there are a ton of variables to include

  Local web site Central Web Auth or Auth

  LWA, the WLC is the "man in the Middle" to the request of the customer for PSN (server nodes), the WLC takes the request webauth and resembles webauth then the redirect URL that you put in the WLC

  If the redirect webauth URL is https://ise01.mycompany.com:8443/guestportal/login.action, the WLC is a redirect but the virtual IP address comes in 1.1.1.1, who was as trustworthy or redirection complains, then you may have to get the public certificate for the fqdn of 1.1.1.1, and the comment server. You can create a CSR using openssl or you can just enter in ISE and create a CSR, but you can only set CN = ise01.mycompany.com and nothing else, as long you have a single NHP is good, but if you have several Ssnp, you need to change your CSR so that you have to use openssl to create CSR using a file openssl.cnf and then with openssl, you do the following:

  openssl req - new - nodes-out openssl.cnf omf-01 - ise04.csr - config

  You must do it the way I said above regardless of CWA or LWA, if you have more than one PSN, you must point to a FULL VIP domain name and then configure your DNS to answer for these host names. With LWA, you get virtual IP WLC involved 1.1.1.1, so you don't have to worry about getting a certificate for this, it is a cleaner installation, but you must always do all the rest. It must ensure that users of your guests have the opportunity to join the portal comments and be able to solve the given DNS the dns server that they have been configured with.

  Content of the file openssl.cnf:

  [req]
  nom_distinctif = req_distinguished_name
  req_extensions = v3_req
  default_bits = 2048

  [req_distinguished_name]
  countryName = name of the country (2-letter codes)
  countryName_default = en
  localityName = name of the locality (for example, City)
  organizationalUnitName = organizational unit name (for example, section)
  commonName = Common Name (eg, YOUR name)
  commonName_max = 64
  emailAddress = Email address
  emailAddress_max = 40

  [v3_req]
  keyUsage = keyEncipherment, dataEncipherment
  extendedKeyUsage = AutClient, serverAuth
  subjectAltName = @alt_names

  [alt_names]
  DNS.1 = guest.mycompany.com
  DNS.2 = guest.mycompany.com
  DNS.3 = ise01.mycompany.com

• DROP in flow of the IPSec tunnel

  Hello

  I am trying to use a VPN, who worked on one connection ASA months on ASA9.1 (2). I've updated to ASA9.1 11 (6) and it has stopped working.

  This is the remote ASA5505s making an IPSEC connection-a network head 5520. I can ride preceding and following 2 and 11 9.1 9.1 (6) and while the configuration does not change, the VPN starts working on 9.1 2

  Vpn connects, but there is no packets sent or received...

  I get this packet tracer...

  Output of the command: "packet - trace entry tcp teeessyou 192.168.190.2 5000 192.168.195.1 detail 80.

  Phase: 1
  Type: ACCESS-LIST
  Subtype:
  Result: ALLOW
  Config:
  Implicit rule
  Additional information:
  Direct flow from returns search rule:
  ID = 0xae1308e8, priority = 1, domain = allowed, deny = false
  hits = 622, user_data = 0 x 0, cs_id = 0 x 0, l3_type = 0 x 8
  Mac SRC = 0000.0000.0000, mask is 0000.0000.0000
  DST = 0000.0000.0000 Mac, mask is 0100.0000.0000
  input_ifc = teeessyou, output_ifc = any

  Phase: 2
  Type: UN - NAT
  Subtype: static
  Result: ALLOW
  Config:
  NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
  Additional information:
  NAT divert on exit to the outside interface
  Untranslate 192.168.195.1/80 to 192.168.195.1/80

  Phase: 3
  Type: ACCESS-LIST
  Subtype: Journal
  Result: ALLOW
  Config:
  Access-group teeessyou_access_in in the teeessyou interface
  teeessyou_access_in of access allowed any ip an extended list
  Additional information:
  Direct flow from returns search rule:
  ID = 0xae24d310, priority = 13, area = allowed, deny = false
  hits = 622, user_data is 0xab6b23c0, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = teeessyou, output_ifc = any

  Phase: 4
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
  Additional information:
  Definition of static 192.168.190.2/5000 to 192.168.190.2/5000
  Direct flow from returns search rule:
  ID = 0xae1ea5a8, priority = 6, area = nat, deny = false
  hits = 622, user_data is 0xae1e9c58, cs_id = 0 x 0, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=192.168.192.0 DST, mask is 255.255.224.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = teeessyou, output_ifc = external

  Phase: 5
  Type: NAT
  Subtype: volatile
  Result: ALLOW
  Config:
  Additional information:
  Direct flow from returns search rule:
  ID = 0xa9678858, priority = 1, domain = nat-volatile, deny = true
  hits = 105, user_data = 0 x 0, cs_id = 0 x 0, reverse, use_real_addr, flags = 0 x 0, Protocol = 6
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = none, output_ifc = any

  Phase: 6
  Type: IP-OPTIONS
  Subtype:
  Result: ALLOW
  Config:
  Additional information:
  Direct flow from returns search rule:
  ID = 0xae136910, priority = 0, sector = inspect-ip-options, deny = true
  hits = 622, user_data = 0 x 0, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=0.0.0.0 DST, mask is 0.0.0.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = teeessyou, output_ifc = any

  Phase: 7
  Type: VPN
  Subtype: encrypt
  Result: ALLOW
  Config:
  Additional information:
  Direct flow from returns search rule:
  ID = 0xaeec4328, priority = 70, domain = encrypt, deny = false
  hits = 65, user_data is 0xb7dc, cs_id = 0 x 0, reverse, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=192.168.195.0 DST, mask is 255.255.255.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = none, output_ifc = external

  Phase: 8
  Type: NAT
  Subtype: rpf check
  Result: ALLOW
  Config:
  NAT (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS
  Additional information:
  Direct flow from returns search rule:
  ID = 0xae1eae48, priority = 6, area = nat-reversed, deny = false
  hits = 129, user_data is 0xae1e9d10, cs_id = 0 x 0, use_real_addr, flags = 0 x 0 = 0 protocol
  IP/ID=0.0.0.0 SRC, mask = 0.0.0.0, port = 0, = 0 tag
  IP/ID=192.168.192.0 DST, mask is 255.255.224.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = teeessyou, output_ifc = external

  Phase: 9
  Type: VPN
  Subtype: ipsec-tunnel-flow
  Result: DECLINE
  Config:
  Additional information:
  Reverse flow from returns search rule:
  ID = 0xaea9f6b0, priority = 69 = ipsec-tunnel-flow area, deny = false
  hits = 129, user_data = 0 x 0, cs_id = 0xaea999c0, reverse, flags = 0 x 0 = 0 protocol
  IP/ID=192.168.192.0 SRC, mask = 255.255.224.0, port = 0, = 0 tag
  IP/ID=192.168.190.0 DST, mask is 255.255.255.0, port = 0, tag = 0, dscp = 0 x 0
  input_ifc = out, output_ifc = any

  Hello Spencerallsop,

  I recommend to add the keyword "no-proxy-arp" the end of the NAT statement, so the ASA try to answer queries ARP for the traffic(VPN interesting traffic), also this last phase 9 usually shows ignored due to a filter VPN defined in sometimes group policy, make sure you have not a filter VPN in a group policy that affect this tunnel then you will need to do the following:

  1. remove the NAT statement:

  -no nat (teeessyou, outside) static source all all static destination teeessyou_ENCODERS teeessyou_ENCODERS

  2 fix the NAT statement with the keyword "No.-proxy-arp" :

  -nat (teeessyou, outside) static source any any destination static teeessyou_ENCODERS teeessyou_ENCODERS non-proxy-arp

  3 disable the VPN ISA SA:

  -claire crypto ikev1 his

  4. run the packet tracer to check that the L2L has developed,

  To be honest I wouldn't recommend move you to 9.1.7 since it has some problems with the ARP entries, and it affects AnyConnect SSL somehow, which is still under investigation.

  In fact, this bug affects 9.1.7 (may affect your environment):

  - https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuy28710

  Please don't forget to rate and score as of this post, keep me posted!

  Kind regards

  David Castro,

• Help: Adding to the IPsec Tunnel encryption field Questions

  Good evening everyone,

  I'm looking for help and/or advise in what concerns adding more networking in the field of encryption of an existing IPsec site-to-site tunnel.  Both sides of the tunnel are of ASA.  The client on the remote end is eager to access the networks more on my end.  They have already updated their ACL crypto map to include the new networks.  When they perform "show crypto IPsec his counterpart x.x.x.x" it shows already encap packets attempting to join my network.

  On my side, I updated my ACL crypto map to reference the new 2 networks, created the double NAT and added the ACL needed to allow the inbound access through ports they want.  When I perform a 'see the crypto IPsec his counterpart x.x.x.x' output is NOT up-to-date with the new networks added to the field of encryption.  When I run a tracer of package of supply of one of the servers in the new network, the traffic is translated as he should, but a fall when it hits the outgoing interface for the VPN tunnel.

  Am I missing something here? Can I bounce the tunnel so that the new networks must be recognized in the surveillance society?

  Thanks in advance.

  Hello

  You must bounce the tunnel when you change the interesting traffic, otherwise the new SA will not be created, is a little funny that you say that SA is already build on the remote side, SA cannot be established only on one side, is like building a new tunnel, if you don't have it on one side, it can not simply prevail and create the entry of SA. In addition, adding new networks and bounce the tunnel you need to generate traffic to trigger the ITS new or you will never see that it created. Check your no nats and routing and it should work.

  Best regards, please rate.

• Outgoing PAT to the IPSec Tunnel

  Hello

  Situation is with range of IP private tunnel of 3rd party who already uses the same private beach, but not with any of the hosts that we need to connect to. All traffic from the office to the 3rd party must be secure.

  We want to configure an IPSec tunnel between the two sites (easy) and then use PAT on the PIX Office (6.3 (5)) to make all traffic office appear to be a single private address different.

  We tried to do with PDM, but it insists on having no NAT (with an exclusionary rule), or static NAT, but does not seem to allow Pat.

  I have attached a copy sanitized the office configuration. Any standard room in PIX have been removed for brevity

  I would like constructive guidance on where I'm wrong.

  See you soon

  Hello

  The PIX / ASA will make the NAT translation on the steps below. First, it will check if no no (order No. - nat) nat is configured, then it will check the static nat translation and finally, it will check the translation PAT.

  In your configuration, there is a NAT (0) command indicating not to translate any IP of 192.168.0.0 to the remote ip address range, then the PIX won't do the translation and the package is passed to the destination.

  Remove the NAT (0) command and edit list access outside_cryptomap_10 with the ip dried up to the remote ip address for this access list is responsible for interesting traffic that needs to be encrypted.

  pls control and dream of return.

• I can weight of the IPSec Tunnels between ASAs

  Hello

  Remote site: link internet NYC 150 MB/s

  Local site: link internet Baltimore 400 MB/s

  Backup site: link internet Washington 200 Mb/s

  My main site and my backup site are connected via a gigabit Ethernet circuit between the respective base site switches.  Each site has its own internet connection and my OSPF allows to switch their traffic to the backup site if the main website is down.  We are opening an office in New York with one ASA unique connected to 150 Mbps FIOS internet circuit.  We want to set up an IPSec tunnel on the main site and the backup on the remote site, but want the remote site to prefer the tunnel in Baltimore, except if it is down.

  Interesting traffic would be the same for the two tunnels

  I know that ASA cannot be a GRE endpoint.  How can I force the New York traffic through the tunnel in Baltimore as long as it works?  An IPSec tunnel can be weighted?

  Thank you

  It is not in itself weighting, but you can create up to 10 backup over LAN to LAN VPN IPsec peers.

  For each tunnel, the security apparatus tried to negotiate with the first peer in the list. If this peer does not respond, the security apparatus made his way to the bottom of the list until a peer responds, or there is no peer more in the list.

  Reference.

• NAT in the IPSec tunnel between 2 routers x IOS (877)

  Hi all

  We have a customer with 2 x 877 routers connected to the internet. These routers are configured with an IPSec tunnel (which works fine). The question is the inbound static NAT translation problems with the tunnel - port 25 is mapped to the address inside the mail server. The existing configuration works very well for incoming mail, but prevents users from access to the direct mail server (using the private IP address) on port 25.

  Here is the Config NAT:

  nat INET_POOL netmask 255.255.255.252 IP pool

  IP nat inside source map route INET_NAT pool INET_POOL overload

  IP nat inside source static tcp 10.10.0.8 25 25 expandable

  IP nat inside source static tcp 10.10.0.8 80 80 extensible

  IP nat inside source static tcp 10.10.0.8 443 443 extensible

  IP nat inside source static tcp 10.10.0.7 1433 1433 extensible

  IP nat inside source static tcp 10.10.0.7 extensible 3389 3389

  allowed INET_NAT 1 route map

  corresponds to the IP 101

  access-list 101 deny ip 10.10.0.0 0.0.0.255 192.168.1.0 0.0.0.255

  access-list 101 permit ip 10.10.0.0 0.0.0.255 any

  On the SAA, I would setup a NAT exemption, but how do I get the same thing in the IOS?

  See you soon,.

  Luke

  Take a look at this link:

  http://www.Cisco.com/en/us/docs/iOS/12_2t/12_2t4/feature/guide/ftnatrt.html

  Concerning

  Farrukh

• force the IPSec tunnel to stay in place even if no traffic

  Hello

  We had exactly the same problem, as already described here;

  https://supportforums.Cisco.com/discussion/11666661/can-we-automatically...

  We actually run ASA 9.1 and the remote peer is a Fortigate. There is a new feature that has been introduced since the post on the forum above or fact creating an sla is the only way to follow IPsec tunnel.

  Concerning

  Nothing new was built in the SAA to take account of this requirement.

  I also had good results a script running on an internal host to send a "tcp" ping to a remote host, thus making sure traffic interesting was often enough to maintain the tunnel.