Friday, 23 October 2009

ASA Site-to-Site VPN Using Certificates from OpenSSL

To provide increased security over pre-shared keys, you can authenticate VPN endpoints using certificates. Ideally this would use a full PKI solution, but a simpler method is available if you don't need revocation.

This guide is for the Cisco ASA. As with most things, it's a doddle in the ASDM because the GUI prompts you for each step; however, I'll show the CLI commands.


I'll use OpenSSL as a CA, following on from the previous article. There is a Cisco guide for using Microsoft's CA (search for "asa site-to-site vpn certificate microsoft" if the link dies), but OpenSSL works just as well. This guide pretty much mirrors the Microsoft one, except for the editing of the certificates and the OpenSSL commands used to sign them.

The ASA can run its own CA; however, it seems aimed squarely at supporting remote-user VPNs: it doesn't support signing CSRs, and the user certificates it outputs are passcode protected, so they aren't usable by another ASA in a site-to-site VPN. If Cisco included that functionality it'd be very useful, and if they added SCEP support to allow enrollment of devices it'd be very handy indeed.


The procedure is:
  1. Install the CA public key onto the ASA.
  2. Generate a Certificate Signing Request (CSR) on the ASA.
  3. Sign the CSR using the CA.
  4. Install the signed certificate onto the ASA.
  5. Configure the VPN.


1. Install the CA public key onto the ASA


If you've followed the directions from the previous article, the CA's public key (its certificate) is in the file cacert.pem; open this file in a text editor (WordPad rather than Notepad if using Windows). On the ASA, configure a CA trustpoint for terminal enrollment (pasting the key into the terminal); the authenticate command will then prompt you to paste the key:
crypto ca trustpoint Test_CA
enrollment terminal

crypto ca authenticate Test_CA
* At this point you'll be prompted to paste the CA public key (the contents of cacert.pem), then type quit on a line by itself *


That's it; the ASA will now trust certificates signed by your CA.

2. Generate a Certificate Signing Request (CSR) on the ASA.


You could just use the general keys for this, but I'd make a specific key for each VPN. You then need a trustpoint where you can fine-tune the certificate options. The enroll command will output the CSR to the console.
!Generate the RSA key pair
crypto key generate rsa label FW1-Key modulus 1024

!Configure a trustpoint for the signed certificate
crypto ca trustpoint FW1-Key-trustpoint
enrollment terminal
fqdn 10.0.0.1
subject-name CN=10.0.0.1
keypair FW1-Key
crl configure

!output the CSR to console
crypto ca enroll FW1-Key-trustpoint


Copy this request into a text editor. It'll need the format changed slightly; by default the ASA outputs the request like this:
MIIBnicE+P+jvc8JQBSbElTZUH8e7ULzXt8KWZQH6M/0U70wp6lqH6caHeCfDgKW
QIDAQABoDMwMQYJKoZIhbvHyAplT4ToJAATL7GwRhXqcmIpxL8k3xjP3XMkzorMZ
mLZdV8X4byX7Z9MlIEU44iWF+nePEJc60RQRgqTiLPqZcyO8besQxh74FVLW5H40
FE1/FceBzgz4ImgXMcC+0DxrNNToS2wZQDoYo7uL5I6hc9KBiV8Ki0drPe7ZOu4G
Pwdq+Ah9axuXtDua8xPe6G1bRQ9dGCgE4NSeQPnSz380WNqv6TZNddZhERlTNDoX
lbDQG0v+k5zJpCktRYa+f18IvJJxY9pVlpD4WKvyRHdaQydtudPejObY9prIg3rU
Gn1aJyCv0mjgF/JH4wnbhXgNbxBk0J1alpIEupq6Xo=

---End - This line not part of the certificate request---

But you need to edit the request so it looks like this:
-----BEGIN CERTIFICATE REQUEST-----
MIIBnicE+P+jvc8JQBSbElTZUH8e7ULzXt8KWZQH6M/0U70wp6lqH6caHeCfDgKW
QIDAQABoDMwMQYJKoZIhbvHyAplT4ToJAATL7GwRhXqcmIpxL8k3xjP3XMkzorMZ
mLZdV8X4byX7Z9MlIEU44iWF+nePEJc60RQRgqTiLPqZcyO8besQxh74FVLW5H40
FE1/FceBzgz4ImgXMcC+0DxrNNToS2wZQDoYo7uL5I6hc9KBiV8Ki0drPe7ZOu4G
Pwdq+Ah9axuXtDua8xPe6G1bRQ9dGCgE4NSeQPnSz380WNqv6TZNddZhERlTNDoX
lbDQG0v+k5zJpCktRYa+f18IvJJxY9pVlpD4WKvyRHdaQydtudPejObY9prIg3rU
Gn1aJyCv0mjgF/JH4wnbhXgNbxBk0J1alpIEupq6Xo=
-----END CERTIFICATE REQUEST-----


3. Sign the CSR using the CA.


To sign the request, copy it onto the system where you've installed OpenSSL as per the previous guide. Use the following command to sign the CSR; mine's saved in a text file as "FW1-req.txt":
openssl ca -in FW1-req.txt -out FW1-signed.txt
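As an added example (not from the original post), a small script covering the step 2 edit and the step 3 signing: it wraps the ASA's raw CSR output in the PEM header and footer, checks the request's subject before signing, signs it with the CA from the previous article, and verifies the issued certificate against cacert.pem. It assumes openssl is on the path, the CA and cacert.pem are set up as in the previous article, and uses its own file names (FW1-raw.txt for the ASA output pasted from the console).

```shell
#!/bin/sh
# Added example, not from the original post: tidy the ASA's terminal CSR output
# into a PEM request, check it before signing, sign it with the OpenSSL CA from
# the previous article, and verify the result against cacert.pem.
# Assumed file names (this example's own): FW1-raw.txt holds the ASA output,
# FW1-req.txt the PEM request, FW1-signed.txt the issued certificate.
set -eu

# Wrap the ASA's bare base64 lines in PEM armour. Reads stdin, writes stdout.
# Lines that aren't base64 (the "---End - This line not part..." trailer,
# blanks, prompt text) are dropped. Pure shell, so no OpenSSL is needed here.
wrap_csr() {
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----'
    grep -E '^[A-Za-z0-9+/=]+$'
    printf '%s\n' '-----END CERTIFICATE REQUEST-----'
}

# Check the request's self-signature and print its subject, so a CN that does
# not match the peer address (the question in the comments) is caught here,
# not after the tunnel fails. Add -text to also see the key size and fqdn.
inspect_csr() {
    openssl req -in "$1" -noout -verify -subject
}

# Sign with the CA. -batch skips the confirmation prompts; -notext leaves the
# human-readable dump out, so the file holds just the block you paste into
# "crypto ca import ... certificate" in step 4.
sign_csr() {
    openssl ca -batch -notext -in "$1" -out "$2"
}

# Confirm the issued certificate chains to the CA the ASA trusts (step 1) and
# show its validity window; an expired certificate is a common VPN failure.
check_signed() {
    openssl verify -CAfile cacert.pem "$1"
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Run the whole flow when the raw ASA output is in the current directory.
if [ -f FW1-raw.txt ]; then
    wrap_csr < FW1-raw.txt > FW1-req.txt
    inspect_csr FW1-req.txt
    sign_csr FW1-req.txt FW1-signed.txt
    check_signed FW1-signed.txt
fi
```

Save the console output from crypto ca enroll as FW1-raw.txt in the CA's working directory and run the script there; each openssl step stops the script on failure.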



4. Install the signed certificate onto the ASA.


To get this certificate back onto the ASA, import it into the trustpoint created earlier:
crypto ca import FW1-Key-trustpoint certificate
* Paste in the signed certificate from FW1-signed.txt (the BEGIN/END CERTIFICATE block), then type quit on a line by itself *


5. Configure the VPN.



The authentication method is configured in the crypto map; it will appear as follows:

crypto map outside_map 1 match address outside_1_cryptomap
crypto map outside_map 1 set pfs group2
crypto map outside_map 1 set peer 10.0.0.2
crypto map outside_map 1 set transform-set ESP-AES-128-SHA
crypto map outside_map 1 set trustpoint FW1-Key-trustpoint
crypto map outside_map interface outside


The rest of the VPN configuration is the same as for pre-shared keys. Congratulations, you've got a certificate-based VPN! If it's not working, try it with a PSK to verify that the VPN is configured correctly; if that doesn't work either, welcome to the wonderful world of debugging VPNs.

2 comments:

  1. When creating a CA public key in OpenSSL, you have to issue the CA a common name. After you install the CA in the ASA, and then create a CSR using this CA, it warns you that the common name is different from the IP address of the WAN port you use for the VPN, and it may cause issues. Can this warning be ignored?

  2. I think you need the IP address to match; it should be the bit in the fqdn and subject CN= lines in step 2. It says 10.0.0.1 in this example.
