RemoteAccess VPN to ASA 2 7.2 using self-signed certificate

Similar Questions

• Can we run AnyConnect using self signed certificates?

  I have a lab that I want to build a tunnel to remote access for mobile-to-ASA computer, using AnyConnect.

  I understand AnyConnect requires IKEV2 and certificates.

  It allows no password communicated in advance, as the VPN-client.

  Is there a way I can build the lab without a certificate?

  In practice you can do pretty much everything with SSL VPN (AnyConnect client) you could with IPSec VPN (IPsec legacy or 3rd party client).

  You get the advantage of support modern OS (i.e., Windows 8, etc.) and the ability to add many other features (with AnyConnect Premium licenses) and integrate other modules such as NAM and Cloud Web security etc...

• ASA SHA2 support with self-signed certificates

  Is it possible to use the signature SHA2 algorithm generating a certificate self-signed on an ASA? I can't find any documentation on orders that have control of things like the signature algorithm when you use self-signed certificates. I have seen documentation SHA2 is supported from 8.4.2 for the signature algorithm, but it always refers to the import of a certificate from an external certification authority.

  Hi William,.

  You can only generate self-signed certificate on the SAA SHA1. The solution is to import a certificate from a 3rd party with signature SHA2 algorithm.

  Here is the value for the same application:-

  ASA support for SHA - 2 for crypto IPsec and operations of the public key infrastructure
  CSCuj67576
  https://Tools.Cisco.com/bugsearch/bug/CSCuj67576/?reffering_site=dumpcr
  
  Kind regards
  Dinesh Moudgil

  PS Please rate helpful messages.

• I have a Proxy Server that uses a self-signed certificate, and I can't accept this certificate from Firefox

  I have Firefox installed 37.0.1 on OpenSuse 13.2. I have a proxy server that uses a self-signed certificate, and I tried to add my certificate to the list of authorities and to check all the option displayed to be wz trust no chance.

  I tried to restart firefox, but it did not help.

  I did the same steps in chrome and it works fine.

  appreciate any help.

  After removing my .mozilla in my home directory. Add the certificate to the list of authorities in fact work.

• Configure SSL for OUD 4444 port Admin port-> replace the self signed certificates used

  Hi Experts,

  When installing OUD choose Certification self-signed for ports 1636 and 4444.

  Later I change the certificates used by the port of 1636 to a new key file containing the CA certificates. (Track the steps of: https://docs.oracle.com/cd/E52734_01/oud/OUDAG/security_clients_severs.htm#OUDAG00050)

  But same procedure does not have to replace the self signed certificates used by ports 4444!  Everyone is configured SSL (with Cert CA) on the Administration port?

  I couldn't even start the servers, you see an error:

  """

  category = gravity CORE = NOTICE msgID = 458891 msg = the directory server sent a notification to alert generated by the class org.opends.server.core.DirectoryServer (org.opends.server.DirectoryServerShutdown alert type, alert ID 458893): the directory server started the shutdown process.  Stop was launched by an instance of the org.opends.server.core.DirectoryServer class and the reason for the closure was an error occurred trying to start the directory server: NullPointerException (File.java:277 AdministrationConnector.java:843 AdministrationConnector.java:675 AdministrationConnector.java:182 ConnectionHandlerConfigManager.java:356 DirectoryServer.java:2932 DirectoryServer.java:1584 DirectoryServer.java:10108)

  «[27/sep / 2015:06:22:53-0400] category = gravity = NOTICE msgID = 458955 msg = the directory server CORE is now stopped "«»

  Post edited by: 1976902

  Sorry, I cannot help here - here are a few possibilities.

  Change connector Administration certificate

  https://docs.Oracle.com/CD/E52668_01/E54669/HTML/ol7-genssc-auth.html

  The failure of the handshake could occur for various reasons:

  • Incompatible encryption suites in use by the client and the server. This would require the customer to use (or allow) a suite of encryption supported by the server.
  • Incompatible versions of SSL in use (the server can only accept TLS v1, while the client is capable of using SSL v3 only).
  • Incomplete trust for the certificate of the server path
  • The certificate is issued to another area.
  • incomplete certificate trust path between the certificate for the server, and a certification authority root.
  • In most cases, this is because the certificate is not present in the trust store

• Cannot use jar with icon files gif and self signed certificate files (Exception in thread "AWT-EventQueue-3" java.lang.NoClassDefFoundError: oracle/ewt/laf/basic/SelColorChange)

  Hi all.

  I use Forms 11 g 11.1.2.1 and updating JRE 7 45.

  I have create a jar file containing gif icons files using this procedure:

  (1) create the jar file:

  set path = % path %; C:\Oracle\Middleware\Oracle_FRHome1\jdk\bin (my ORACLE_HOME/jdk)

  jar - cvf webfigolos.jar *.gif

  (2) self sign the file:

  c:\Oracle\Middleware\asinst_1\bin > sign_webutil.bat c:\Oracle\Middleware\Oracle_FRHome1\forms\java\webfigoicons.jar

  Jars is signed but with a warning:

  Generate a signature key certificate aaosa2015 = auto...

  keytool error: java.lang.Exception: key pair not generated, al alias < aaosa2015 >

  loan is

  .

  There are errors or warnings while generating a self signed certificate. Pleas

  e revisiting.

  .

  Backup as c: C:\Oracle\Middleware\Oracle_FRHome1\forms\java\webfigoicons.jar

  \Oracle\Middleware\Oracle_FRHome1\forms\java\webfigoicons.jar.old...

  1 file (s) copied.

  Signature using ke c:\Oracle\Middleware\Oracle_FRHome1\forms\java\webfigoicons.jar

  y = aaosa2015...

  .. own made.

  But I can use this file. The application crashes and get this error from the java console:

  network: connection http://myluism-pc:7001/forms/lservlet; jsessionid = p98GTL5Fh6XnQcykySBhLWq2823HwHlPGZ16TYHVv93006N4mmdl!-947562687 with proxy = LIVE

  network: connection http://myluism-PC:7001 / with proxy = LIVE

  Exception in thread "AWT-EventQueue-3" java.lang.NoClassDefFoundError: oracle/ewt/laf/basic/SelColorChange

  at oracle.ewt.laf.oracle.OracleTreeUI.createItemPainter (unknown Source)

  at oracle.ewt.laf.basic.BasicTreeUI._getItemPainter (unknown Source)

  at oracle.ewt.laf.basic.BasicTreeUI.getItemPainter (unknown Source)

  at oracle.ewt.dTree.DTreeBaseItem.getSize (unknown Source)

  at oracle.ewt.dTree.DTree.paintCanvasInterior (unknown Source)

  at oracle.ewt.EwtComponent.paintInterior (unknown Source)

  at oracle.ewt.lwAWT.SharedPainter._paintInterior (unknown Source)

  at oracle.ewt.lwAWT.SharedPainter.paintExtents (unknown Source)

  at oracle.ewt.lwAWT.LWComponent._paintComponent (unknown Source)

  at oracle.ewt.lwAWT.LWComponent.paint (unknown Source)

  at oracle.ewt.EwtComponent.paint (unknown Source)

  at oracle.ewt.lwAWT.SharedPainter.paintExtents (unknown Source)

  at oracle.ewt.lwAWT.LWComponent._paintComponent (unknown Source)

  This used to be a very simple procedure, but it has stopped working...!

  Don't know if the jar file is well born, or if it is corrupt.

  I can't start my application.

  Help, please!

  Best regards, Luis.

  Try again with the JRE 7 10 update, I get a problem with the update of JRE 7 45, but when I tried the update of JRE 7 10, it works fine.

  For the objective test, disable the check

  Java Panel-> advance-> mixed Code-> disable verification (unchecked)

• ASA - a Site with self-signed certificates

  Team,

  ASA version 9.1 (3), ASDM 7.1 (4) on 5505.

  I have a pair of Cisco ASA 5505 that I am trying to establish a tunnel. I do everything with PSK. IKEv2 with AES256 IPSec. No problem...

  However, I learned that I can auto-signer certificates and use them to authenticate each firewall to another. I tried for hours... Generating of certs in all combinations and options, and the export of the P12 in the other firewall, by adding in - no problem

  I have self signed CERTS, so there is no CA.

  Then I'll be back in the connection profile and remove the PSK - flip on to RSA - SIG in the IKE Policy.

  Does anyone have this working with the ASA version, I'm running and care apart from your snippets of configuration especially how you created the pair of keys, self-signed one, exported and adding in the adjacent firewall?

  I don't want to use PSK for authentication.

  Help!

  I never used this way without a CA so I can't guarantee that it will work, but one thing is often forgotten with digital certificates: you assigned the ID-Cert cert in the crypto-plan?

  --
  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• Creation of my own CA, self-signed certificates and the use of these

  I'm stupid. Three years ago, I created my own CA and my own wildcard certificate for my OS X Server (always 10.8.5 with Server 2.2.5). I install my public Root CA on clients who make use of my server. At these must not often updated and the work is complex, so I created a CA Vault take care of a few scripts and configuration of openssl. What I forgot is document how to get these used by Server.app. That's why I'm stupid, because I struggle to reproduce what I did and discovered three years ago.

  I use two scripts. (MYNAME, mydomain and tld are generic strings, of course in reality I use my own name and mydomain.tld)

  The first is for the creation of a root certification authority:

  #!/bin/bash
  
  # Only edit these:
  mycaname="MYNAME Certificate Authority"
  myrootname=mydomaincaroot
  
  # Run in current dir:
  mydir=`pwd`
  
  mkdir RootCert >/dev/null 2>&1
  
  if [ ! -e "$mydir"/RootCert/"$myrootname".key -o \
       -e "$mydir"/RootCert/"$myrootname".crt ]
  then
      openssl req -config "$mydir"/openssl.cnf \
    -new -x509 \
    -keyout "$mydir"/RootCert/"$myrootname".key \
    -out "$mydir"/RootCert/"$myrootname".crt \
    -days 3650
      openssl pkcs12 -export -clcerts \
    -inkey "$mydir"/RootCert/"$myrootname".key \
    -in "$mydir"/RootCert/"$myrootname".crt \
    -out "$mydir"/RootCert/"$myrootname".p12 \
    -name "$mycaname"
  
      echo "Now import ""$mydir""/RootCert/""$myrootname"".p12 in KeyChain"
      echo "For this, unlock the System KeyChain first, then import"
      echo "NOTE: this imports your private key in the System Keychain"
      echo "So it can be used for signing activities."
      echo "This is less safe then keeping your private key on media that"
      echo "cannot be accessed from the system, like a safely stored USB stick"
  else
      echo "Your root CA crt and key already exist! I will not overwrite this"
      echo "as this could overwrite a still used private key and lose you access"
      echo "to signed certificates, e.g. for revoking them"
  fi
  

  I think I know what to do (but Advisor is always welcome). I have to add the certificate of generic identity for the Keychain system, after which I can use in.app.

  Now I encounter another problem: when I enter the certificate in the system Keychain, it ends up in/etc/certificates without a. fichier.pem. See: OS X 10.8.5 Server 2.2.5/Keychain Access certificates issue for more details.

  Help is always welcome.

• VPN IPSEC ASA with counterpart with dynamic IP and certificates

  Hello!

  Someone please give me config the work of the ASA for ASA Site to Site IPSEC VPN with counterpart with dynamic IP and authentication certificates.

  He works with PSK authentication. But the connection landed at DefaultRAGroup instead of DefaultL2LGroup with certificate

  authentication.

  Should what special config I ask a DefaultRAGroup to activate the connection?

  Thank you!

  The ASA uses parts of the client cert DN to perform a tunnel-group  lookup to place the user in a group.  When "peer-id-validate req" is  defined the ASA also tries to compare the IKE ID (cert DN) with the  actual cert DN (also received in IKE negotiation), if the comparison  fails the connection fails. know you could set "peer-id-validate cert"  for the time being and the ASA will try to compare the values but allow  the connection if it cannot. 

  In general I would suggest using option "cert."

  With nocheck, we are simply not strict on IKE ID matchin the certificate, which is normally not a problem of security :-)

• ASA uses that certificates self-signed after upgrade to 9.4.1

  I came across a strange issue after upgrade to 9.4.1... (from 9.3)

  However I access the ASA (browser, Anyconnect, etc.), it offers only a self-signed certificate even if an appropriate SSL certificate installed.

  I checked:

  SSL-trust VPN_Portal_TP point
  SSL-trust outside VPN_Portal_TP point
  SSL certificate authentication CAF-timeout 5
  interface outside port 443 SSL certificate authentication

  is configured.

  • CA is installed, too.
  • Reinstalled all certififcates.
  • Reassign the Trustpoints

  Any ideas would be greatly appreciated... Thank you!

  I did have time to test this out on my laboratory unit yet, but there's a thread related here.

  I'm not positive on the standard resolution immediately - it will bring close watch.

  Perhaps the first person to prosecute TAC may share the resolution.

• ASA5505 using false identity certificate

  I have recently updated our firmware 8.4 ASA. (7) 3 to 9.0. (4) 24 and noticed later my oriented web interface (for SSL vpn remote access) suddenly used a self-signed certificate. When I look at identity by using ASDM certificates, the one listed certificate is the one I installed GoDaddy (and one that he should use - see screenshot). Anyone know what I can do to get back to my GoDaddy cert?

  You have probably lost the award of the certificate of the interface:

  ssl trust-point ASDM_TrustPoint3 outside

• Certificate self-signed for remote VPN CLIENT access

  Hi people,

  I am trying to achieve two-factor authentication, first with RADIUS & 2nd with self-signed certificate. If I generated of self-signed certificate & trying to import this certificate but error 39 that occur. Only obstacle that authenticate with certificate. I saw some documents for separate setting certifcate servers (CA) & then to import in the clients but I m curious about a certificate automatically generated can be used to authenticate the remote access client.

  ASA additional server failover mode is Local CA is not supported. Is there a way to support local CA.

  Thank you

  Are you talking about using self-signed client certificates? I guess that it will not work. At least it is not scalable. You must use an internal CA for this task. As the local certification authority cannot be used with failover, you can take a Windows Server 2 k 3 or 2 k 8. Another option is to use a router IOS as CA-server. But what take something else as a second factor? I'm a big fan of the use of smartphones with the www.duosecurity.com service.

  --
  Don't stop once you have upgraded your network! Improve the world by lending money to low-income workers:
  http://www.Kiva.org/invitedBy/karsteni

• Use the certificate self-signed on TS 2008R2

  Hello reader,.

  We use Firefox on a Terminal server with about 20 servers server farm environment.
  We use a lot of intranet sites for which we have the certificate self-signed by our domain controller.

  In Firefox users get prompt security sec_error_unknown_issuer. As much as I red that Firefox does not check for local free self-signed certificates.
  Is there a way we could set up for all users, they do not see the above error-> specific <-websites (intranet)?

  We do not want the users to add the Security (certificate) as exception 20 times for EACH intranet website on 20 servers dispute.
  It is something that I can edit in mozilla.cfg on each server or is there another solution?

  Thanks in advance,
  Kind regards
  Martijn

  I solved the problem with manual below:

  http://community.Spiceworks.com/how_to/15158-Firefox-trust-a-local-certificate-authority-for-all-users-and-computers

• Unable to connect to SMTP using TLS with a certificate self-signed on OSX 10.10.1 (T31.3 &amp; 24.6)

  I can't connect to my server SMTP with TLS on port (send 465 or 587 / 995 receive) using Thunderbird 31.3 or my OS X 10.10.1 24.6 (Didier) MacBook Pro.

  However, I am able to send and receive mail from the same account on my Windows 7 machine using Outlook 2007, using the same settings I configured in Thunderbird. I added the certificate etc.

  http://img.Photobucket.com/albums/v631/Napoleon_BlownApart/ScreenShot2014-12-16at121323pm.PNG (Taken when using 24.6)

  I am the admin of the server and the password and other settings on the side Server are correct! (I'll take a look at the evolution at the same time. I am already back to an earlier version of Firefox because of sloppy coding and broken features).

  Any ideas?

  If the server name is a secret, how you expect to receive mail. Please, we have pretty bad without guessing. Seriously what you are done using a self signed certificate, they are free by https://www.startssl.com/

  My guess is it of OSX who dislikes the self-signed certificate, how Thunderbird to deal with Windows. As you have a copy install Thunderbird and see if it is a question of OSX.

• Question the use of the certificate for ODSEE 11.1.1.7.0

  Hello

  I have a few questions about certificates.

  (1) do I need to renew the original self-signed certificates created when the DS was created, if I'm not currently using the secure port?

  (2) do you have any suggestions as to a good resource to explain the use and implementation of certificates in ODSEE?

  Thank you

  Bill

  Hello

  Use of ldaps (LDAP over SSL) is optional, so no need to renew the certificates if you do not use encryption to access or LDAPS attribute

  Certificates are used with SSL for secure LDAP channel. SSL implementation used by Department based on NSS https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS

  Sylvain

  Please mark this answer as correct or helpful, when it is appropriate to make it easier for others to find