Browsing All Posts filed under »VPN«

Monitor IKE state on your VPN Gateways

November 13, 2018


Still we cannot find any freely available usefull IKE State Monitoring for our VPN Tunnels in 2018…thats bad. That’s why I have grabbed my laptop for a couple of sleepless nights and created from TIG Stack and Maxmind Geolite Free and with Python an IKE State Monitoring Tool. See the building blocks for that service […]

Query IPSEC VPNs with snmpwalk on Cisco ASA

May 5, 2014


The followings links can be used for the list of Cisco ASA SNMP MIBs. Cisco ASA SNMP MIBs: OIDs Information page: IKE SNMP Queries example 1. Check my IP in the firewall that terminates vpns. OID OID NAME cikeTunRemoteValue OID Description The value of the local peer identity. If the local […]

Migrate Cisco ASA configuration, certificates and private keys

November 4, 2012


The fact I wrote this post is to clear what happens with the RSA keys if I move the whole configuration and certificates and their private keys to another firewall with the same IP Address. IF the IP has changed the migration ofthe certificate has not much sense if the certificate is based on IP. […]

Certficate renewal – how was it after years?

April 18, 2012


Actually you cannot renew an existing certificate, but you can generate a new one with the same subject and same mandatory fields. For that you have to generate a certificate request again within a new trustpoint and not with the old one. The issuer of the previous certificate should sign the new certificate request and […]

Export and import the trustpoint

March 16, 2012


To test something in a Lab with another firewall or migrate a whole VPN with certificate to another ASA firewall we have a possibility to migrate the certificate of the firewall to another one. To do it so easily on a Checkpoint firewall  will be always just a dream… The exported data holds the followings: […]

Certificate mapping to anyconnect tunnel-group II. – Special mapping

August 22, 2011


The users connects with Anyconnect client with IPSec to the ASA firewall. Lets say we have 2 Certificate Authorities (with the issuername IssuerA and IssuerB) and the users are mapped to tunnel-groups according to the issuer. A user called Terry Wood needs SSL as he works in a Hotel and the local proxy enables only […]

Certificate authentication and LDAP authorization with Anyconnect

July 15, 2011


This is a log analysis of a successful login with cisco Anyconnect. If the configuration is ready it is always useful to make a successful test with the system and raise the logging to the highest level in the meantime and save it before the first problem comes. It will come… From this log analysis […]

Certificate mapping to anyconnect tunnel-group I.

July 15, 2011


I try to configure the ASA to find the tunnel for anyconnect users according the certificate details. The command look like following: firewall(config)# crypto ca certificate map <certificate-map-name> <sequencenumber> Where the sequencenumber is the Sequence to insert into certificate map entry firewall(config)# webvpn firewall(config-webvpn)# certificate-group-map <certificate-map-name> <certificate-map-index> <tunnel-group name> Where the certificate-map-index is the index […]

Configuring remote access vpn with IKEv1, IKEv2 and SSL in the same time

March 9, 2011


With the following configuration and with sufficient license we should be able to connect to our Cisco ASA firewall with Cisco Anyconnect and with the new Anyconnect Secure Mobility Client (the first Cisco IKEv2 client) and with the old Cisco VPN client with IKEv1, that is natively supported on some Apple devices, like an IPad. […]

RA VPN keepalives and timouts

December 13, 2010


RA VPN timeouts 1. Session timeouts 2. IPSec SA lifetimes 3. ISAKMP lifetimes and Nat-T keepalive interval 4. Timeout in the group policy 5. DPD timeouts. 1. Session timeouts As the VPN may go through many Firewall till it reaches the VPN gateway it can happen that the session is broken before the timouts here […]