
Nokia Mobile VPN

How to configure Nokia Mobile VPN for Cisco ASA with certificate based authentication

Table of Contents

Interoperability note (page 3)
Introduction (page 3)
Importing CA certificate (page 4)
Creating Identity certificates for VPN gateway (page 7)
Internal address pool configuration (page 12)
Creating VPN policies (page 15)
Troubleshooting certificates (page 16)
Configuring certificate authentication (page 20)
Policy creation with Policy Tool using exported CA certificate (page 23)
Adding internal DNS server address to policy (page 24)

Interoperability note

This configuration does not enable internal DNS server address request from ASA to Nokia Mobile VPN. To overcome DNS resolution problems, the DNS server address must be added to the Nokia Mobile VPN policy. See chapter Adding internal DNS server address to policy.

Introduction

This document uses Cisco ASA 5505 with software version 8.0(3). The configuration interface is Cisco ASDM (Adaptive Security Device Manager) version 6.1(1). These software updates are available from www.cisco.com. It is assumed that the Cisco ASA basic configuration is in place. This covers any network-related configurations, such as inside and outside interface assignments, IP address configuration, hostname, domain, default routes and so on. The document includes instructions for certificate-based authentication.

Importing CA certificate

First a new CA certificate is imported to the VPN gateway. Click the Configuration tab and select “Remote Access VPN”. In the menu tree on the left, navigate to “Certificate Management” -> “CA Certificates”. Click “Add” to import the CA certificate.

Click “Browse” to select the certificate file. Browse to the certificate file and click “Install”. You can also use the other options in the dialog box for certificate import.

Click “Install Certificate” to complete the import.

Creating Identity certificates for VPN gateway

Navigate to the “Identity Certificates” menu entry. Click “Add”. Select the “Add a new identity certificate” option. Click “New” to generate a keypair.

Keep all default settings and click “Generate Now”. Click “Select” to add additional information to the Subject DN. The attribute fields are filled in as O, C, L and CN. Click OK.

Click “Add Certificate”. You are prompted to choose a location and the file name where to save the Certificate Signing Request (CSR). The status of the identity certificate is now “Pending”. You need to sign this with the Certificate Authority we imported in previous steps. When you have the signed certificate, select the pending request and click “Install”.

In this example, we select “Install from a file”. Click “Install ID certificate file”. Browse to the location and the file where the signed certificate is stored. You can select the other option and paste the certificate contents directly, if you prefer. Click “Install Certificate” to complete the import.

At this point, the installation should be complete and should look something like this.

Internal address pool configuration

Navigate to Network (Client) Access -> Address Assignment -> Address Pools. Click “Add” to create a new address pool to be used for internal address assignment. Enter a name for the pool, the starting and ending IP addresses, and the subnet mask. This address pool must not conflict with any other network object. Be careful not to define the addresses from the same range as any of the gateway interfaces. Click OK to close.

Navigate to “Network (Client) Access” -> Group policies. Highlight the DfltGrpPolicy (System Default) and click “Edit”. Click “Select” to assign the address pool.

Select the previously defined IA_pool and click “Assign”. Click OK. Navigate to “Servers”. Enter the DNS server address in the “DNS Servers” field. This will be handed out to the client. It allows internal DNS resolution. Click OK to close the DfltGrpPolicy properties dialog.

Creating VPN policies

Navigate to “Network (Client) Access” -> “IPsec Connection Profiles”. Check the outside interface to “Allow Access” for IPsec access. Highlight DefaultRAGroup and click “Edit”.

In the “IKE Peer Authentication” section, enter the “Pre-shared Key”. This string can be anything; the Cisco configuration seems to require that it is set. In the Identity Certificate field, select the device certificate requested in earlier steps. In the “Client Address Assignment” section, select the IA_pool created earlier for the “Client Address Pools” field. Click OK.

Troubleshooting certificates

There is an issue with the ASDM configuration UI that causes the CA certificate and the device identity certificate to be placed in different TrustPoints. By default, this prevents them from being seen and/or verified against each other. The issue can be circumvented by editing the configuration file manually. The demo certificates used in this document represent their own unique hex data. Note that the actual hex data will be different for you in real use.

The certificates in the configuration file look like this. There are two ASDM_TrustPoints configured: TrustPoint0 is the CA and TrustPoint1 is the ID-cert. The upper block of hex data is the CA certificate. The lower block is the signed device identity certificate. We need to edit this so that both of the hex blocks are in the same TrustPoint, in this case TrustPoint0. Note that the certificate “id” (013d) and the actual TrustPoint number may vary in your config. There are various ways to accomplish this.

USING A TERMINAL CONNECTION

When logged in and in the administrative-enabled mode, view the running configuration by entering:

# show running-config

Scroll the configuration file until you see the aforementioned blocks of hex data. Copy the following data, the ASDM_TrustPoint1 (certificate 013d) hex content, to the clipboard. After this, enter the following commands:

# configure terminal

# crypto ca certificate chain ASDM_TrustPoint0

Then paste the edited hex content to the terminal. After this, enter the commands:

# quit
# exit
# exit
# write

When this process is done, the certificates should be under the same TrustPoint, and when viewing the running configuration it should look like this:

An alternative way to do the certificate fix is to copy the running configuration from the gateway and open it in a text editor. Then simply copy this block: Paste it in the ASDM_TrustPoint0 section so that the end result is identical to the previous end result sample.
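As an added illustration of the manual TrustPoint fix described above (this script is not part of the original document or of any Nokia or Cisco tool): it moves the identity certificate block from ASDM_TrustPoint1 into ASDM_TrustPoint0 in a saved copy of the running configuration, refuses to proceed if the hex body is not a DER certificate, and leaves the rest of the file untouched. The configuration excerpt and the hex bodies are constructed placeholders with the layout of an ASA `show running-config` certificate chain.

```python
# Constructed excerpt of an ASA running-config; hex bodies are placeholders.
SAMPLE_CONFIG = """\
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 00
    308201aa30820112a003020102020100300d06092a864886f70d0101050500
  quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate 013d
    308202bb308201a3a0030201020202013d300d06092a864886f70d0101050500
  quit
crypto isakmp enable outside
"""
CHAIN = "crypto ca certificate chain "

def certificate_blocks(lines):
    """Yield (trustpoint, entry, start, end) for every 'certificate ... quit' block."""
    current = None
    for i, line in enumerate(lines):
        if line.startswith(CHAIN):
            current = line[len(CHAIN):]
        elif current and line.startswith(" certificate "):
            end = i + 1
            while end < len(lines) and lines[end].strip() != "quit":
                end += 1
            if end == len(lines):
                raise ValueError("unterminated certificate block")
            yield current, line.strip()[len("certificate "):], i, end + 1

def move_certificate(config, serial, src, dst):
    """Move 'certificate <serial>' from trustpoint src into dst, check that its
    hex body decodes to a DER SEQUENCE, and return the rewritten config text."""
    lines = config.splitlines()
    hit = next(((s, e) for tp, entry, s, e in certificate_blocks(lines)
                if tp == src and entry == serial), None)
    if hit is None:
        raise ValueError(f"certificate {serial} not found under {src}")
    block = lines[hit[0]:hit[1]]
    if bytes.fromhex("".join(l.strip() for l in block[1:-1]))[:1] != b"\x30":
        raise ValueError("certificate body is not a DER certificate")
    del lines[hit[0]:hit[1]]
    insert = lines.index(CHAIN + dst) + 1
    while insert < len(lines) and lines[insert].startswith(" "):
        insert += 1  # keep the CA entry first; append after it
    lines[insert:insert] = block
    src_at = lines.index(CHAIN + src)
    if src_at + 1 == len(lines) or not lines[src_at + 1].startswith(" "):
        del lines[src_at]  # drop the now-empty source trustpoint header
    return "\n".join(lines) + "\n"
```

Run it over a saved copy, compare the output against the original with a diff tool, and only then paste the result back into the gateway as described above.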

Configuring certificate authentication

Navigate to Network (Client) Access -> Advanced -> IPsec -> IKE Policies. Click “Add” to create a new IKE policy for RSA_SIG. Enter the details as follows and click OK.

Navigate to Network (Client) Access -> Advanced -> IPsec -> Certificate to Connection Profile Maps -> Policy. Uncheck all options except “Use the IKE identity to determine the group” and “Default to group”. This allows the certificate client to be mapped to the DefaultRAGroup profile. You can set more advanced mappings via the other options, which are beyond the scope of this document.

Navigate to “Network (Client) Access” -> “IPsec Connection Profiles”. Highlight DefaultRAGroup and click “Edit”. Open Advanced and select IPsec. In the IKE Peer ID Validation field, select “Do not check”. REMEMBER TO APPLY & SAVE THE CONFIGURATION TO THE GATEWAY!

Policy creation with Policy Tool using exported CA certificate

Before the Nokia Mobile VPN Client policy can be created, a device certificate and CA certificate for Nokia Mobile VPN Client must be available. In this example, the PKCS#12 packet is used to deliver the device certificate, and the CA certificate is delivered separately in its own file. Start the Nokia Mobile VPN Client Policy Tool and press the “Load Template” button. Select the Cisco_ASA_rsasig.pol policy from the Cisco/ASA directory.

Add the correct VPN gateway address and set the path to your CA certificate. Make sure the Format in the Certificate Authority selection is set to BIN. Do the same for the PKCS#12 packet. Note that this is not needed if the CA certificate is part of the PKCS#12 packet. If silent authentication is desired (the PIN code for the certificate is not requested), this option needs to be activated from the Advanced View. Go to Advanced View, and select “Cert store” to be DEVICE instead of USER. Note that only select S60 3rd Edition, Feature Pack 1 devices support the Device store. See the release notes for more information.

Adding internal DNS server address to policy

With this configuration it is not possible to get the internal DNS server address from Cisco ASA to Nokia Mobile VPN Client during IKE negotiation. Not having the internal DNS server address will cause DNS name resolution to fail for intranet addresses. Due to this, the internal DNS server address must be added to the VPN client policy. Once you have modified the necessary fields mentioned in the previous chapter, select View -> Advanced view and open the IKE tree.

Click “IKE” in the left window and the DNS server IP address field is available on the right. Put your internal DNS server address there. To export the VPN policy, press the Generate VPN Policy button, and store Cisco_ASA rsasig.vpn to your PC. Consult the Nokia Mobile VPN Client User’s Guide, Chapter 6.1, for details on how to install a given policy file to your device.

© 2008 Nokia. All rights reserved.