How To Configure Nokia Mobile VPN For Cisco ASA Gateway Certificates
How to configure Nokia Mobile VPN for Cisco ASA with certificate based authentication
Table of Contents
Interoperability note
Introduction
Importing CA certificate
Creating Identity certificates for VPN gateway
Internal address pool configuration
Creating VPN policies
Troubleshooting certificates
Configuring certificate authentication
Policy creation with Policy Tool using exported CA certificate
Adding internal DNS server address to policy
Interoperability note
With this configuration, Nokia Mobile VPN does not obtain the internal DNS server address from the ASA. To avoid DNS resolution problems, the DNS server address must be added to the Nokia Mobile VPN policy. See chapter Adding internal DNS server address to policy.
Introduction
This document explains the configuration of Cisco ASA for use with Nokia Mobile VPN Client, including the steps for certificate-based authentication. It is assumed that the basic Cisco ASA configuration is already in place: inside and outside interface assignments, IP addresses, hostname, domain name, default routes and so on. This document uses a Cisco ASA 5505 with software version 8.0(3). The configuration interface is Cisco ASDM (Adaptive Security Device Manager) version 6.1(1).
Importing CA certificate
First a new CA certificate is imported to the VPN gateway.
In the menu tree on the left, navigate to Certificate Management -> CA Certificates. Click Add to import the CA certificate.
Click Browse to select the certificate file. You can also use other options in the dialog box for certificate import.
Creating Identity certificates for VPN gateway
Navigate to Certificate Management -> Identity Certificates and click Add. Select the Add a new identity certificate option. Click New to generate a keypair for the gateway.
You are prompted to choose a location and file name for the Certificate Signing Request (CSR). This request must be signed by the Certificate Authority whose certificate was imported in the previous steps; a certificate issued by any other CA will not be verifiable on the gateway.
The status of the identity certificate is now Pending. When you have the signed certificate, select the pending request and click Install.
In this example, we select Install from a file. You can select the other option and paste the certificate contents directly, if you prefer.
Browse to the location and the file where the signed certificate is stored. Click Install ID certificate file.
At this point the installation is complete and the identity certificate is no longer listed as Pending.
Internal address pool configuration
Navigate to Network (Client) Access -> Address Assignment -> Address Pools. Click Add to create a new address pool to be used for internal address assignment.
Enter a name for the pool, the starting and ending IP addresses, and the subnet mask. This address pool must not conflict with any other network object. In particular, do not take the addresses from the same range as any of the gateway interfaces. Click OK to close.
Navigate to Network (Client) Access -> Group policies. Highlight the DfltGrpPolicy (System Default) and click Edit.
Select the previously defined IA_pool and click Assign. Click OK.
Navigate to Servers in the same dialog. Enter the DNS server address in the DNS Servers field. This address is handed out to the client and allows internal DNS resolution. Click OK to close the DfltGrpPolicy properties dialog.
Creating VPN policies
Navigate to Network (Client) Access -> IPsec Connection Profiles. Check the outside interface under Allow Access for IPsec access. Highlight DefaultRAGroup and click Edit.
In the IKE Peer Authentication section, enter a Pre-shared Key. The key is not used for certificate authentication, but the Cisco configuration requires a value. Use a long random string rather than a throwaway value, because the key remains a valid credential for this group wherever an IKE policy with pre-shared-key authentication is also enabled. In the Identity Certificate field, select the device certificate requested in the earlier steps. In the Client Address Assignment section, select the IA_pool created earlier in the Client Address Pools field. Click OK.
Troubleshooting certificates
There is an issue with the ASDM configuration UI that causes the CA certificate and the device identity certificate to be placed in different TrustPoints. The ASA builds a certificate chain within a single TrustPoint, so by default the identity certificate cannot be verified against the CA certificate. The issue can be worked around by editing the configuration manually. Note that the hex data will be different in your configuration; the demo certificates used in this document have their own unique hex data.
In the running configuration the certificates appear as two blocks of hex data under separate crypto ca certificate chain sections. The CA certificate (the certificate ca entry) is under ASDM_TrustPoint0 and the signed device identity certificate (certificate 013d in this example) is under ASDM_TrustPoint1. Both blocks need to end up in the same TrustPoint, in this case ASDM_TrustPoint0. There are several ways to accomplish this.
USING A TERMINAL CONNECTION
Log in, enter privileged (enable) mode and view the running configuration:
# show running-config
Scroll through the configuration until you see the two blocks of hex data. Copy the hex content of the identity certificate entry under ASDM_TrustPoint1 (certificate 013d) to the clipboard. The certificate id (013d) and the TrustPoint number may differ in your configuration. Then enter configuration mode, open the certificate chain of the CA TrustPoint and start a new certificate entry with the same id:
# configure terminal
# crypto ca certificate chain ASDM_TrustPoint0
# certificate 013d
Paste the copied hex content at this prompt. Then close the certificate entry, leave the chain and configuration mode, and save the configuration:
# quit
# exit
# exit
# write
When this is done, both certificates are under the same TrustPoint: show running-config now shows both hex blocks under crypto ca certificate chain ASDM_TrustPoint0, and show crypto ca certificates lists the CA certificate and the identity certificate with the same Associated Trustpoints. The old identity certificate entry under ASDM_TrustPoint1 can then be removed.
An alternative way to do the certificate fix is to copy the running configuration from the gateway and open it in a text editor. Move the identity certificate entry (the certificate 013d line, its hex data and the closing quit) from the ASDM_TrustPoint1 section into the ASDM_TrustPoint0 section, so that the end result is identical to the running configuration shown after the terminal procedure, and apply the edited configuration to the gateway.
Configuring certificate authentication
Navigate to Network (Client) Access -> Advanced -> IPsec -> IKE Policies. Click Add to create a new IKE policy with Authentication set to rsa-sig. The default IKE policies use pre-shared keys, so without such a policy the ASA cannot negotiate certificate authentication with the client.
Navigate to Network (Client) Access -> Advanced -> IPsec -> Certificate to Connection Profile Maps -> Policy. Uncheck all options except Use the IKE identity to determine the group and Default to group. This maps the certificate client to the DefaultRAGroup profile. More advanced mappings (for example on certificate fields) are available through the other options, which are beyond the scope of this document.
Navigate to Network (Client) Access -> IPsec Connection Profiles. Highlight DefaultRAGroup and click Edit. Open Advanced and select IPsec. In the IKE Peer ID Validation field, select Do not check. This only disables the comparison of the IKE identity payload with the contents of the peer certificate; the certificate itself is still validated against the imported CA.
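The following script is an added example, not part of the Nokia document or of Cisco's tooling. It audits a saved show running-config for the points made above: it flags an address pool that overlaps an interface subnet (Internal address pool configuration), reports when the TrustPoint named by the tunnel-group's trust-point line lacks the CA or the identity certificate (the split-TrustPoint problem from Troubleshooting certificates), confirms that an IKE policy with rsa-sig authentication exists, and prints the CLI sequence that the troubleshooting section performs by hand. SAMPLE_CONFIG is a constructed configuration written in ASA 8.0 style; the TrustPoint names and certificate id 013d follow the document, the interface and pool addresses are assumptions, and the hex bodies are placeholders rather than real certificates.

```python
"""Audit an ASA running-config for the settings this guide configures.
Added example, not from the original document; standard library only."""
import ipaddress
import re

# Constructed sample in ASA 8.0 style; hex bodies are placeholders, not real certificates.
# It deliberately has the pool inside the interface subnet and the identity certificate
# in a different TrustPoint than the CA certificate, so both checks fire.
SAMPLE_CONFIG = """\
interface Vlan1
 ip address 192.168.1.1 255.255.255.0
ip local pool IA_pool 192.168.1.200-192.168.1.220 mask 255.255.255.0
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 00
    3082aaaa bbbbbbbb
  quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate 013d
    3082cccc dddddddd
  quit
crypto isakmp policy 10
 authentication rsa-sig
tunnel-group DefaultRAGroup ipsec-attributes
 trust-point ASDM_TrustPoint1
 peer-id-validate nocheck
"""


def parse_blocks(text):
    """Split the config into (top-level line, [indented child lines]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def certificate_chains(blocks):
    """TrustPoint -> [[cert_id, is_ca, hex_lines], ...] from the certificate chain blocks."""
    chains = {}
    for header, body in blocks:
        m = re.match(r"crypto ca certificate chain (\S+)", header)
        if not m:
            continue
        certs = chains.setdefault(m.group(1), [])
        for line in body:
            c = re.match(r"certificate (ca )?([0-9a-fA-F]+)$", line)
            if c:
                certs.append([c.group(2), bool(c.group(1)), []])
            elif certs and line != "quit":
                certs[-1][2].append(line)
    return chains


def audit(config_text):
    """Return human-readable findings; an empty list means every check passed."""
    blocks = parse_blocks(config_text)
    findings, nets, trust_point = [], {}, None
    for header, body in blocks:
        if header.startswith("interface "):
            for line in body:
                m = re.match(r"ip address (\S+) (\S+)", line)
                if m:
                    nets[header.split()[1]] = ipaddress.ip_network(
                        f"{m.group(1)}/{m.group(2)}", strict=False)
        elif header.startswith("tunnel-group ") and header.endswith("ipsec-attributes"):
            trust_point = next((x.split()[1] for x in body if x.startswith("trust-point ")), trust_point)
    for header, _ in blocks:  # the pool must not overlap any interface subnet
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+) mask", header)
        if m:
            first, last = ipaddress.ip_address(m.group(2)), ipaddress.ip_address(m.group(3))
            for ifname, net in nets.items():
                if first <= net.broadcast_address and last >= net.network_address:
                    findings.append(f"pool {m.group(1)} overlaps interface {ifname} ({net})")
    if trust_point is None:  # the TrustPoint in use must hold both CA and identity certificate
        findings.append("no trust-point configured on a tunnel-group")
    else:
        certs = certificate_chains(blocks).get(trust_point, [])
        if not any(is_ca for _, is_ca, _ in certs):
            findings.append(f"trust-point {trust_point} holds no CA certificate; identity certificate cannot be verified")
        if all(is_ca for _, is_ca, _ in certs):
            findings.append(f"trust-point {trust_point} holds no identity certificate")
    if not any(h.startswith("crypto isakmp policy") and "authentication rsa-sig" in b for h, b in blocks):
        findings.append("no IKE policy with authentication rsa-sig")
    return findings


def merge_commands(config_text, target="ASDM_TrustPoint0"):
    """CLI that re-enters each identity certificate found outside `target` under `target`,
    mirroring the manual paste in the troubleshooting section. It does not check that
    `target` owns the keypair matching the certificate."""
    lines, moved = ["configure terminal", f"crypto ca certificate chain {target}"], 0
    for tp, certs in certificate_chains(parse_blocks(config_text)).items():
        for cert_id, is_ca, hex_lines in certs:
            if tp != target and not is_ca:
                lines += [f" certificate {cert_id}", *("  " + h for h in hex_lines), "  quit"]
                moved += 1
    return lines + ["exit", "exit", "write memory"] if moved else []
```

Run audit() on the text of show running-config copied from the gateway; on SAMPLE_CONFIG it reports the pool overlap and the missing CA certificate in ASDM_TrustPoint1, and merge_commands() prints the certificate chain commands to paste into the terminal. After the merge and after pointing the tunnel-group's trust-point at ASDM_TrustPoint0, only the pool finding remains.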
Policy creation with Policy Tool using exported CA certificate
Enter the VPN gateway address and the path to your CA certificate file. The CA certificate is not needed here if it is already part of the PKCS#12 package. Make sure the Format in the Certificate Authority selection is set to BIN, and do the same for the PKCS#12 package. If silent authentication is desired (the PIN code for the certificate is not requested), this option needs to be activated from the Advanced View: go to Advanced View, open the IKE tree, and set Cert store to DEVICE instead of USER. Note that only selected S60 3rd Edition, Feature Pack 1 devices support the Device store. See the release notes for more information.
Adding internal DNS server address to policy
Click IKE in the left window; the DNS server IP address field then becomes available on the right. Enter your internal DNS server address there.
To export the VPN policy, press the Generate VPN Policy button, and store Cisco_ASA rsasig.vpn to your PC. Consult the Nokia Mobile VPN Client Users Guide, Chapter 6.1, for details on how to install a given policy file to your device.
Legal Notice
Reproduction, transfer, distribution or storage of part or all of the contents in this document in any form without the prior written permission of Nokia is prohibited. Nokia and Nokia Connecting People are trademarks or registered trademarks of Nokia Corporation. Other product and company names mentioned herein may be trademarks or tradenames of their respective owners. Nokia operates a policy of continuous development. Nokia reserves the right to make changes and improvements to any of the products described in this document without prior notice. Under no circumstances shall Nokia be responsible for any loss of data or income or any special, incidental, consequential or indirect damages howsoever caused. The contents of this document are provided as is. Except as required by applicable law, no warranties of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose, are made in relation to the accuracy, reliability or contents of this document. Nokia reserves the right to revise this document or withdraw it at any time without prior notice.