Certificates and vpngroup

Discussion in 'Cisco' started by Martin Nowles, Nov 19, 2003.

  1. Hello,

    I am working on a VPN connection between a Cisco PIX 501 and the Cisco
    VPN Client 4.0.3a using certificates. While writing the configuration, I
    am trying to figure out how the vpngroup and the certificates are
    related. I found a paragraph which says that the vpngroup has
    to match the OU in the certificate. The problem is, there is a
    blank in the certificate OU, like "ou=company inc", and it is not allowed
    to create a vpngroup with a blank. Can someone give me a hint?

    thanks
    --
    Martin
     
    Martin Nowles, Nov 19, 2003
    #1

  2. * Martin Nowles wrote:
    > I am working on a VPN connection between a Cisco PIX 501 and the Cisco
    > VPN Client 4.0.3a using certificates. While writing the configuration, I
    > am trying to figure out how the vpngroup and the certificates are
    > related. I found a paragraph which says that the vpngroup has
    > to match the OU in the certificate. The problem is, there is a
    > blank in the certificate OU, like "ou=company inc", and it is not allowed
    > to create a vpngroup with a blank. Can someone give me a hint?


    You have to change the certificate to include a single word OU identifier.
     
    Lutz Donnerhacke, Nov 19, 2003
    #2

  3. Lutz Donnerhacke wrote:
    > * Martin Nowles wrote:
    >> I am working on a VPN connection between a Cisco PIX 501 and the
    >> Cisco VPN Client 4.0.3a using certificates. While writing the
    >> configuration, I am trying to figure out how the vpngroup and the
    >> certificates are related. I found a paragraph which says that
    >> the vpngroup has to match the OU in the certificate. The
    >> problem is, there is a blank in the certificate OU, like "ou=company
    >> inc", and it is not allowed to create a vpngroup with a blank. Can
    >> someone give me a hint?

    >
    > You have to change the certificate to include a single word OU
    > identifier.


    Oh, this is bitter :)
    This certificate is already widespread.

    How is it possible to work with more than one vpngroup? The PIX can only
    request its certificate from the root CA. So, do I have to install
    additional root CAs? Is there any other way to map the certificate(s) to
    a vpngroup?

    thanks

    --
    Martin
     
    Martin Nowles, Nov 19, 2003
    #3
  4. * Martin Nowles wrote:
    > Lutz Donnerhacke wrote:
    >> You have to change the certificate to include a single word OU
    >> identifier.

    >
    > Oh, this is bitter :)
    > This certificate is already widespread.


    You distribute client machine certificates? *shudder*

    > How is it possible to work with more than one vpngroup?


    (config)# vpngroup second_name ...

    > The PIX can only request its certificate from the root CA. So, do I have
    > to install additional root CAs?


    No. The PIX Certificate is not related to the client certificates.

    > Is there any other way to map the certificate(s) to a vpngroup?


    No.
     
    Lutz Donnerhacke, Nov 19, 2003
    #4
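    For reference, an added example of the arrangement the replies above describe: two vpngroups, each named after the OU carried by the client certificates that should land in that group, on top of certificate (rsa-sig) authentication. This is not configuration from the thread; it is written for the PIX 6.3 command set, and the group names, address pools, CA host, DNS server and domain are assumed placeholders.

```text
! Added example, not from the thread. Assumed values: "engineering" and
! "sales" as the OUs in the client certificates, 10.1.1.5 as the SCEP
! enrollment server, 192.168.0.10 as the internal DNS server.
!
! 1. The PIX's own identity certificate. It is enrolled with the CA but is
!    independent of the client certificates; only the CA chain is shared.
ca generate rsa key 1024
ca identity corp-ca 10.1.1.5:/certsrv/mscep/mscep.dll
ca configure corp-ca ca 1 20 crloptional
ca authenticate corp-ca
ca enroll corp-ca <challenge-password>
ca save all
isakmp identity hostname

! 2. Phase 1 with certificate (RSA signature) authentication instead of a
!    vpngroup pre-shared key.
isakmp enable outside
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! 3. One vpngroup per OU. With certificates the group is selected by the
!    OU of the client certificate, and a group name is a single token, so
!    a certificate with "ou=company inc" matches no group at all.
ip local pool eng-pool 192.168.100.1-192.168.100.50
ip local pool sales-pool 192.168.101.1-192.168.101.50
vpngroup engineering address-pool eng-pool
vpngroup engineering dns-server 192.168.0.10
vpngroup engineering default-domain example.com
vpngroup engineering idle-time 1800
vpngroup sales address-pool sales-pool
vpngroup sales dns-server 192.168.0.10
vpngroup sales default-domain example.com
vpngroup sales idle-time 1800

! 4. Dynamic crypto map for the remote-access clients.
crypto ipsec transform-set strong esp-3des esp-sha-hmac
crypto dynamic-map dynmap 10 set transform-set strong
crypto map outside_map 10 ipsec-isakmp dynamic dynmap
crypto map outside_map interface outside
sysopt connection permit-ipsec
```

    Because the only selector is the OU string, the practical fix for certificates already issued with a multi-word OU is the one given above: reissue them with a single-word OU equal to the intended vpngroup name.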
  5. >>> You have to change the certificate to include a single word OU
    >>> identifier.

    >>
    >> Oh, this is bitter :)
    >> This certificate is already widespread.

    >
    > You distribute client machine certificates? *shudder*


    Oops, I meant the certificates which are signed by the root CA are widely
    deployed. The root CA certificate itself is safely locked away.

    >> The PIX can only request its certificate from the root CA. So, do i
    >> have to install additional root CAs?

    >
    > No. The PIX Certificate is not related to the client certificates.


    We are using smartcards which can only store one certificate, and so the
    certificates which are used to establish the VPN tunnel should also be
    used in the "company PKI context" for signing or encrypting files via
    EFS.

    Thanks for your answers.

    --
    Martin
     
    Martin Nowles, Nov 21, 2003
    #5
  6. * Martin Nowles wrote:
    >>>> You have to change the certificate to include a single word OU
    >>>> identifier.
    >>>
    >>> Oh, this is bitter :)
    >>> This certificate is already widespread.

    >>
    >> You distribute client machine certificates? *shudder*

    >
    > Oops, I meant the certificates which are signed by the root CA are widely
    > deployed. The root CA certificate itself is safely locked away.


    So there is no problem issuing new ones for the machines.

    > We are using smartcards which can only store one certificate, and so the
    > certificates which are used to establish the VPN tunnel should also be
    > used in the "company PKI context" for signing or encrypting files via EFS.


    You have a problem. Solution: Do not use PIX for VPN.
     
    Lutz Donnerhacke, Nov 21, 2003
    #6
