View Cart
0 Items | Total: US$0.00
Welcome,      Register

You are here

Home » Security » SEC0017 - ASA EZVPN with Pre-Shared Key & Certificate

SEC0017 - ASA EZVPN with Pre-Shared Key & Certificate

Rating: 
5
Average: 5 (1 vote)
Difficulty Level: 
0
Lab Document: 
<Please login to see the content>
Category: 
Security

The video walks you through configuration of Easy VPN (EZVPN) with Pre-shared key and certificate authentication on a Cisco headend ASA firewall. The hardware client router is running Client Mode and configured to automatically connect using a locally stored credential. This video is a counterpart of SEC0015 and SEC0016 with the headend router. Here we introduce the concept of 'group-policy' and 'tunnel-group' that are unique to the ASA, while most crypto command syntax is very similar to those on a router.

Topic includes
  • EZVPN Client Mode with Pre-Shared Key and XAuth
  • EZVPN Hardware Client
  • Automatic Connect, Local Credential, Splitted-Tunnel
  • Router Certificate Import
  • 'tunnel-group' and 'policy-group' configuration
Notes:
  • ExtendedUsage field on a certificate issued by Microsoft CA 2008 may not be recognized by an ASA. A command 'ignore-ipsec-keyusage' might be needed under 'crypto ca'
  • Similar to a router, by default, EZVPN client must have a certificate with OU=<EZVPN Group Name>
Tag: 
ezvpn
ipsec
pre-shared key
certificate
asa
xauth

About Author

Metha Chiewanichakorn, CCIE#23585 (Ent. Infra, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at labminutes.com, Metha enjoys learning and challenges himself with new technologies.
http://www.linkedin.com/in/methachiewanichakorn

2 comments

Submitted by muhammad.khan7 on Sun, 02/07/2016 - 13:48

Hi

I am trying to follow this video stuck on user auth via certificate. Could you please guide me on how to create CER with OU as shown in your video? I am using Windows Server 2012 CA standalone. I had tried using OpenSSL > KEY > CSR > CER steps, however user doesn't include OU or department info from AD.

My user cert include or misses the following info in the top section.
Common name: Users + user1
Department: it's blank
Company: it's blank
State: it's blank
Country: it's blank

Please assist.
Thank you.
Muhammad Khan

Submitted by admin on Mon, 02/08/2016 - 10:10

To get user info on the cert, he CA needs to run Enterprise and not standalone mode. You then can specify cert attributes under certificate template. We have several videos on Microsoft CA under Security > Certificate section