CCNP SIMOS: ASA AnyConnect IKEv2/IPSec VPN

See the previous blog post, which documents the steps to set up AnyConnect SSL-VPN and ISE integration. This post expands on that AnyConnect SSL-VPN configuration by adding IKEv2/IPsec support and double authentication (username/password plus a client certificate).

ASA Configuration

Create a Crypto Keypair

crypto key generate rsa label VPN_KEY modulus 2048

Create a CA Trustpoint

crypto ca trustpoint LAB_PKI
 fqdn asa-1.lab.net
 subject-name CN=asa-1.lab.net,OU=LAB,ST=London,C=GB
 keypair VPN_KEY
 enrollment terminal
 crl nocheck

With enrollment terminal the CSR is produced by crypto ca enroll LAB_PKI and pasted into the CA by hand; the CA certificate is then imported with crypto ca authenticate LAB_PKI and the issued identity certificate with crypto ca import LAB_PKI certificate. Note that crl nocheck turns off revocation checking for every certificate validated through this trustpoint, including the AnyConnect client certificates, so a revoked client certificate would still be accepted. That is fine for a lab, but in production enable CRL or OCSP checking on the trustpoint (the revocation-check command on current ASA releases).


Configuring Cisco FlexVPN with Certificate authentication

The intention of this blog post is to describe the steps to configure certificate authentication for FlexVPN on a Cisco IOS router. It does not repeat the steps to enrol for a certificate or the full FlexVPN configuration; refer to the previous blog posts listed below.

The configuration is based on the FlexVPN sVTI blog post below, and all routers have already enrolled for certificates. VPN connectivity has been established using a PSK; the configuration below converts it from PSK to certificate authentication.

References

Requesting a certificate on Cisco IOS router using SCEP or manual enrolment
Configuring FlexVPN VTI and Hub-and-Spoke on Cisco routers

Configure FlexVPN for Certificate authentication

All certificates in this FlexVPN lab are signed by the CA called lab-PKI-CA.

Run the command show crypto pki certificates and check the Issuer field of each certificate; in this lab it is lab-PKI-CA. Every router must hold an identity certificate issued by that CA and bound to the trustpoint, or certificate (rsa-sig) authentication will fail.
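As an added example (not part of the original post), the script below parses the text of show crypto pki certificates and flags anything that would make rsa-sig authentication against lab-PKI-CA fail: a certificate issued by another CA, one not associated with the trustpoint, an expired one, or no usable identity certificate at all. The show output embedded in it (router name, serial numbers, dates) is constructed for the example and is not from the lab; the function names are my own and the issuer comparison is case-insensitive to mirror IOS certificate-map matching.

```python
import re
from datetime import datetime, timezone

# Constructed sample of "show crypto pki certificates" on a FlexVPN spoke: its
# identity certificate plus the CA certificate held by trustpoint LAB_PKI.
# Router name, serial numbers and dates are invented for this example.
SHOW_OUTPUT = """\
Certificate
  Certificate Serial Number (hex): 1C0000000A5F3B2D7E9A1C44B2000000000A
  Issuer:
    cn=lab-PKI-CA
    dc=lab
    dc=net
  Subject:
    Name: R1.lab.net
    hostname=R1.lab.net
    cn=R1.lab.net
    ou=LAB
  Validity Date:
    start date: 09:15:02 UTC Jan 5 2017
    end   date: 09:15:02 UTC Jan 5 2019
  Associated Trustpoints: LAB_PKI

CA Certificate
  Certificate Serial Number (hex): 2F9E6B1D4C3A5E7F0A1B2C3D4E5F6071
  Issuer:
    cn=lab-PKI-CA
    dc=lab
    dc=net
  Subject:
    cn=lab-PKI-CA
    dc=lab
    dc=net
  Validity Date:
    start date: 08:00:00 UTC Dec 1 2016
    end   date: 08:00:00 UTC Dec 1 2026
  Associated Trustpoints: LAB_PKI
"""
DATE_FMT = "%H:%M:%S UTC %b %d %Y"  # IOS prints e.g. "09:15:02 UTC Jan 5 2017"
LAB_REFERENCE_TIME = datetime(2017, 6, 1, tzinfo=timezone.utc)  # "now" for the demo run


def _section(body, name):
    """Lines indented under a two-space header such as '  Issuer:' or '  Subject:'."""
    m = re.search(rf"^  {re.escape(name)}:\n((?:    .*\n?)+)", body, re.M)
    return m.group(1) if m else ""


def _cn(dn_lines):
    """First cn= attribute in a block of DN lines, or None if there is none."""
    m = re.search(r"^\s*cn=(.+?)\s*$", dn_lines, re.M | re.I)
    return m.group(1) if m else None


def parse_show_crypto_pki_certificates(output):
    """One record per block ('Certificate', 'CA Certificate', ...) in the show output."""
    certs = []
    # Each block is an unindented title line followed by indented detail lines.
    for m in re.finditer(r"^(\S[^\n]*)\n((?:[ \t]+[^\n]*\n?)*)", output, re.M):
        title, body = m.group(1).strip(), m.group(2)
        tp = re.search(r"^  Associated Trustpoints: (.*)$", body, re.M)
        end = re.search(r"^    end\s+date: (.*)$", body, re.M)
        certs.append({
            "kind": title,
            "issuer_cn": _cn(_section(body, "Issuer")),
            "subject_cn": _cn(_section(body, "Subject")),
            "trustpoints": tp.group(1).split() if tp else [],
            "not_after": (datetime.strptime(end.group(1).strip(), DATE_FMT)
                          .replace(tzinfo=timezone.utc) if end else None),
        })
    return certs


def check_flexvpn_certs(output, expected_issuer_cn, trustpoint, now=None):
    """Flag what would break rsa-sig authentication: wrong issuer, wrong trustpoint, expiry,
    or no identity certificate. Returns {"ok": bool, "findings": [(kind, subject_cn, problems)]}."""
    now = now or datetime.now(timezone.utc)
    findings, have_identity = [], False
    for c in parse_show_crypto_pki_certificates(output):
        problems = []
        # DN matching in an IOS certificate map is case-insensitive; compare the same way.
        if (c["issuer_cn"] or "").lower() != expected_issuer_cn.lower():
            problems.append(f"issuer is {c['issuer_cn']!r}, expected {expected_issuer_cn!r}")
        if trustpoint not in c["trustpoints"]:
            problems.append(f"not associated with trustpoint {trustpoint}")
        if c["not_after"] is None:
            problems.append("no validity end date found")
        elif c["not_after"] <= now:
            problems.append(f"expired on {c['not_after']:%Y-%m-%d}")
        if c["kind"] == "Certificate" and not problems:
            have_identity = True
        findings.append((c["kind"], c["subject_cn"], problems))
    if not have_identity:
        findings.append(("(missing)", None, ["no valid identity certificate for " + trustpoint]))
    return {"ok": not any(p for _, _, p in findings), "findings": findings}


if __name__ == "__main__":
    report = check_flexvpn_certs(SHOW_OUTPUT, "lab-PKI-CA", "LAB_PKI", now=LAB_REFERENCE_TIME)
    for kind, subject, problems in report["findings"]:
        print(f"{kind:15} {subject or '-':15} {'OK' if not problems else '; '.join(problems)}")
```

Paste the real show output from each hub and spoke into SHOW_OUTPUT (or read it from a file) and run the script with the CA name and trustpoint you use; a spoke whose identity certificate was issued by a different CA, or that only holds the CA certificate because enrolment never completed, shows up before the first IKEv2 negotiation rather than as an authentication failure in the debug.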

Cisco IOS Certificate Enrollment via SCEP or Manual enrollment

The intention of this blog post is to describe how to configure a Cisco IOS router to request a certificate from a Microsoft SCEP (NDES) server for use in VPN authentication. A Windows Server must be configured as a Certificate Authority with the Network Device Enrollment Service role. In the lab a single Windows Server 2008 R2 machine is Domain Controller, CA and NDES server; in production these roles would ideally be located on separate servers.

Windows Server Configuration

Open the Certificate Templates Console
Right click the IPSec (Offline request) template and select Duplicate
Select Windows Server 2008 Enterprise, click OK
Change the display name to IOSTemplate
Click Extensions
Click Application Policies
Click Edit and add Client Authentication
