Cisco ASA Site-to-Site IPsec VPN Digital Certificates

This topic is to discuss the following lesson:

Rene,
Well done with this post, please post more article with this kind.
Thank you

Rene,
Thanks for the presentation, great info as always…

What would be the advantages of changing my current ASA VPN Pre-Shared Keys to Certificates?

I am kind of new to certificates, so what would be the process for my customers who connect with PSK VPNs? Would they need to provide me certificate from a trusted CA for my ASA, and I would provide them a certificate as well?

If i have a couple hundred VPNs, can i provide the same certificate to every customer, or is that not a best practice?

Thanks again for all the great tutorials.

Hi Brian,

Security-wise, the public/private key of a certificate are typically longer than a pre-shared key.

If you want to use certificates then both devices will have to trust the same root CA. You could use your own CA like I did with this example and sign two certificates. One for your firewall and one for the customer. Since both devices trust the CA, they will trust each other’s certificate.

This is the main advantage of using certificates. For example, let’s say you have 100 customers that build a VPN to your main office’s firewall. If you want to add an extra firewall that the customers could connect to then you have to configure 100 pre-shared keys for all 100 customers so connect to the second firewall. You could use the same pre-shared key everywhere but that means once the key is compromised, you have to replace it everywhere…not a good idea!

When you use certificates, you only have to add a new certificate to the second firewall. Since the customers trust the CA, they will trust the certificate of the second firewall automatically.

You could use the same certificate, it’s even possible to use a “wildcard” certificate but that’s not a good idea. It’s the same as using the same pre-shared key everywhere. Once the key (or certificate) is compromised, you’ll have to replace it. Replacing a key/certificate on 2 devices is no problem but for 100 devices it might be a pain :slight_smile:

It might be helpful to see this in action. You can use my example to build a CA with OpenSSL and then use 2-3 firewalls to build a VPN that uses the certificates.

Hope this helps!

Rene

HI my friend.

I am not sure if CA must be always available to the peers even when they authenticate each other. At the moment CA is not available the vpn will failed? what happen if reload one of the peers? it was only available at the moment of enrolling and authenticating certificates, could you explain me please?

Can you provide more details on the significance of the hostname on the device and in the CSR/cert? Does the cert hostname need to always match the ASA assigned hostname? Do either of those hostnames need to match a forward or reverse DNS name registered for the device?

Hello Brian

The use of a hostname is essentially there to make your life easier. According to Cisco: “Assigning a hostname identifies the host for subsequent enrollment commands, additional configuration, and provides flexibility in case the IP address of the CA server changes.”

Yes. If you change ASA hostname it will invalidate your current certificates and you’ll need to regenerate them after the name change. If you have end devices or a site-to-site VPN that relies on certificates, those connections will fail until you regenerate and re-establish the connection.

No. The names are locally significant as far as the creation of certificates is concerned.

I hope this has been helpful!

Laz

How to modify this process for Certificates + IKEv2 ?

Is it as simple as replacing “ikev1” with “ikev2” in the steps?

It is pretty much the same yes, here’s an example for IKEv2 site-to-site. I used pre-shared keys in that example but changing it to use certificates shouldn’t be an issue:

This command is fix or use anythigs like (e,can,o)
Subject Name:
e=admin@networklessons.local
cn=CA.networklessons.local
o=Networklessons
l=Tilburg
st=North-Brabant
c=NL

Hello Ram

You are able to use many different attributes in this command. All of the available attributes can be found at this Cisco documentation PDF, on page 22:

I hope this has been helpful!

Laz

Thanks for help…

nice job team

1 Like

Good day to you all!

I have a simple question. Is there any reason why we not using IKEv2 in this scenario?

Hello András

The purpose of this particular lesson is to show how certificates function. Rene could have used IKEv2 as well, but that would not make a difference as far as the certificate mechanisms go. One of the two had to be chosen, and he chose IKEv1. Also, if you look at the list of lessons in this unit, the lessons before this one cover IKEv1 only, IKEv2 is covered in subsequent lessons, so if you’re following the lessons sequentially, at this point IKEv2 has not yet been covered.

Attempting to perform this lab using IKEv2 is a good opportunity to get some lab experience in there as well…

I hope this has been helpful!

Laz

1 Like