Nokia Mobile VPN How to configure Nokia Mobile VPN for Cisco ASA with certificate based authentication

Upload: mario-roca

Post on 28-Nov-2014



Table of Contents

Interoperability note (page 3)
Introduction (page 3)
Importing CA certificate (page 4)
Creating Identity certificates for VPN gateway (page 7)
Internal address pool configuration (page 12)
Creating VPN policies (page 15)
Troubleshooting certificates (page 16)
Configuring certificate authentication (page 20)
Policy creation with Policy Tool using exported CA certificate (page 23)
Adding internal DNS server address to policy (page 24)

Interoperability note

This configuration does not enable the ASA to push an internal DNS server address to Nokia Mobile VPN. To avoid DNS resolution problems, the DNS server address must be added to the Nokia Mobile VPN policy. See the chapter Adding internal DNS server address to policy.

Introduction

This document explains the configuration of Cisco ASA for use with the Nokia Mobile VPN Client, including certificate-based authentication. It is assumed that the basic Cisco ASA configuration is already in place: inside and outside interface assignments, IP address configuration, hostname, domain, default routes and so on. This document uses a Cisco ASA 5505 with software version 8.0(3). The configuration interface is Cisco ASDM (Adaptive Security Device Manager) version 6.1(1).

These software updates are available from www.cisco.com.

Importing CA certificate

First, a new CA certificate is imported to the VPN gateway.

Click the Configuration tab and select “Remote Access VPN”.

In the menu tree on the left, navigate to “Certificate Management” -> “CA Certificates”. Click “Add” to import the CA certificate.

Click “Browse” to select the certificate file. You can also use the other options in the dialog box for certificate import.

Browse to the certificate file and click “Install”.


Click “Install Certificate” to complete the import.


Creating Identity certificates for VPN gateway

Navigate to the “Identity Certificates” menu entry. Click “Add”.

Select the “Add a new identity certificate” option. Click “New” to generate a keypair.


Keep all default settings and click “Generate Now”.

Click “Select” to add additional information to Subject DN.

The attribute fields are filled in as O, C, L and CN. Click OK.


Click “Add Certificate”.

You are prompted to choose a location and file name for saving the Certificate Signing Request (CSR). The CSR must be signed by the Certificate Authority whose certificate was imported in the previous steps.

The status of the identity certificate is now “Pending”. When you have the signed certificate, select the pending request and click “Install”.


In this example, we select “Install from a file”. You can select the other option and paste the certificate contents directly, if you prefer.

Browse to the location and the file where the signed certificate is stored. Click “Install ID certificate file”.

Click “Install Certificate” to complete the import.


At this point, the installation should be complete and should look something like this.


Internal address pool configuration

Navigate to Network (Client) Access -> Address Assignment -> Address Pools. Click “Add” to create a new address pool to be used for internal address assignment.

Enter a name for the pool, the starting and ending IP addresses, and the subnet mask. This address pool must not conflict with any other network object. Be careful not to define addresses from the same range as any of the gateway interfaces. Click OK to close.


Navigate to “Network (Client) Access” -> Group policies. Highlight the DfltGrpPolicy (System Default) and click “Edit”.

Click “Select” to assign the address pool.


Select the previously defined IA_pool and click “Assign”. Click OK.

Navigate to “Servers”. Enter the DNS server address in the “DNS Servers” field. This address is handed out to the client and allows internal DNS resolution. Click OK to close the DfltGrpPolicy properties dialog.


Creating VPN policies

Navigate to “Network (Client) Access” -> “IPsec Connection Profiles”. Check “Allow Access” for the outside interface to permit IPsec access. Highlight DefaultRAGroup and click “Edit”.

In the “IKE Peer Authentication” section, enter the “Pre-shared Key”. This string can be anything; the Cisco configuration seems to require one even when certificates are used. In the Identity Certificate field, select the device certificate requested in the earlier steps. In the “Client Address Assignment” section, select the IA_pool created earlier for the “Client Address Pools” field. Click OK.

Troubleshooting certificates

There is an issue with the ASDM configuration UI that causes the CA certificate and the device identity certificate to be placed in different TrustPoints. By default, this prevents them from being seen and verified against each other. The issue can be circumvented by editing the configuration file manually. Note that the actual hex data will be different in your configuration; the demo certificates used in this document have their own unique hex data.

The certificates in the configuration file look like this. The upper block of hex data is the CA certificate; the lower block is the signed device identity certificate. Two ASDM_TrustPoints are configured: TrustPoint0 holds the CA and TrustPoint1 holds the ID certificate. We need to edit this so that both hex blocks are in the same TrustPoint, in this case TrustPoint0. There are various ways to accomplish this.

Using a terminal connection

When logged in and in administrative-enabled (enable) mode, view the running configuration by entering:

    # show running-config

Scroll through the configuration until you see the aforementioned blocks of hex data. Copy the ASDM_TrustPoint1 hex content (certificate 013d) to the clipboard. Note that the certificate id (013d) and the actual TrustPoint number may vary in your configuration.

After this, enter the following commands:

    # configure terminal
    # crypto ca certificate chain ASDM_TrustPoint0

Then paste the copied hex content into the terminal. After this, enter:

    # quit
    # exit
    # exit
    # write

When this is done, both certificates should be under the same TrustPoint, and the running configuration should look like this:

An alternative way to do the certificate fix is to copy the running configuration from the gateway and open it in a text editor. Then simply copy this block:

Paste it into the ASDM_TrustPoint0 section so that the end result is identical to the sample shown above.
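Both ways of applying the fix amount to the same edit: the identity certificate's “certificate <id> … quit” block has to end up under the TrustPoint that already holds the CA certificate, so the ASA can validate one against the other. Reviewing a saved copy of the running configuration for this condition, and producing the merged text, can be scripted. The awk-based shell script below is an added example and is not part of the Nokia document or of Cisco's tooling. The running-config excerpt it works on is constructed, with dummy hex data, and mirrors the layout described above (ASDM_TrustPoint0 holding the CA, ASDM_TrustPoint1 holding certificate 013d); the function names and the verdict strings are the example's own.

```shell
#!/bin/sh
# Added example, not from the Nokia document: find which ASDM trustpoint holds
# the CA certificate and which holds the identity certificate in a saved ASA
# running-config, and move the identity block under the CA's trustpoint.
set -eu

# Print, per trustpoint, which certificates its "crypto ca certificate chain"
# block carries.  Returns 0 when CA and identity certificate share a
# trustpoint, 1 when they are split across two.
report_trustpoints() {
    awk '
        /^crypto ca certificate chain / { tp = $5; next }
        /^[^ ]/                         { tp = "" }   # any other top-level command ends the block
        tp == ""                        { next }
        /^ *certificate ca /             { ca[tp] = $3; printf "%s holds CA certificate (serial %s)\n", tp, $3 }
        /^ *certificate [0-9A-Fa-f]+ *$/ { id[tp] = $2; printf "%s holds identity certificate (serial %s)\n", tp, $2 }
        END {
            for (t in ca) if (t in id) { print "OK: CA and identity certificate share trustpoint " t; exit 0 }
            print "SPLIT: identity certificate is not in the trustpoint that holds its CA"; exit 1
        }
    ' "$1"
}

# Emit the configuration with the identity certificate block relocated to sit
# right after the CA certificate's "quit".  The now-empty chain header of the
# old trustpoint is dropped.  A config that is already consistent is echoed
# unchanged.
merge_identity_into_ca_trustpoint() {
    awk '
        { line[NR] = $0 }
        /^crypto ca certificate chain / { tp = $5; chain_start[tp] = NR; next }
        /^[^ ]/                         { tp = "" }
        tp == ""                        { next }
        /^ *certificate ca /             { ca_tp = tp; in_ca = 1 }
        /^ *certificate [0-9A-Fa-f]+ *$/ { id_tp = tp; id_start = NR; in_id = 1 }
        /^ *quit *$/ { if (in_ca) ca_end = NR; if (in_id) id_end = NR; in_ca = in_id = 0 }
        END {
            if (ca_tp == "" || id_tp == "" || ca_tp == id_tp) {
                for (i = 1; i <= NR; i++) print line[i]
                exit
            }
            # drop the old chain header only when the identity block was its sole content
            drop_header = (chain_start[id_tp] == id_start - 1) ? chain_start[id_tp] : 0
            for (i = 1; i <= NR; i++) {
                if (i == drop_header || (i >= id_start && i <= id_end)) continue
                print line[i]
                if (i == ca_end) for (j = id_start; j <= id_end; j++) print line[j]
            }
        }
    ' "$1"
}

# Constructed running-config excerpt with dummy hex data (not real certificates),
# laid out the way the document describes the problem case.
WORK="${WORK:-$(mktemp -d)}"
CFG="$WORK/running-config.txt"
cat > "$CFG" <<'EOF'
crypto ca trustpoint ASDM_TrustPoint0
 enrollment terminal
 crl configure
crypto ca trustpoint ASDM_TrustPoint1
 enrollment terminal
 keypair vpn-gw
 crl configure
crypto ca certificate chain ASDM_TrustPoint0
 certificate ca 00
    3082aaaa 30820bbb a0030201 02020100
    300d0609 2a864886 f70d0101 05050030
  quit
crypto ca certificate chain ASDM_TrustPoint1
 certificate 013d
    3082cccc 30820ddd a0030201 0202013d
    300d0609 2a864886 f70d0101 05050030
  quit
crypto isakmp enable outside
EOF

if report_trustpoints "$CFG"; then
    echo "nothing to fix"
else
    echo "relocating identity certificate into the CA trustpoint"
    merge_identity_into_ca_trustpoint "$CFG" > "$CFG.fixed"
    report_trustpoints "$CFG.fixed"
fi
```

The merged file is what the manual procedure should produce; diff it against the original before pasting anything back into the gateway, and keep in mind that the script only reorders the configuration text, so the `write` step on the ASA is still yours to do.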


Configuring certificate authentication

Navigate to Network (Client) Access -> Advanced -> IPsec -> IKE Policies. Click “Add” to create a new IKE policy for RSA_SIG.

Enter the details as follows and click OK.

Navigate to Network (Client) Access -> Advanced -> IPsec -> Certificate to Connection Profile Maps -> Policy. Uncheck all options except “Use the IKE identity to determine the group” and “Default to group”. This allows the certificate client to be mapped to the DefaultRAGroup profile. More advanced mappings can be set via the other options, which are beyond the scope of this document.


Navigate to “Network (Client) Access” -> “IPsec Connection Profiles”. Highlight DefaultRAGroup and click “Edit”. Open Advanced and select IPsec. In the IKE Peer ID Validation, select “Do not check”.

REMEMBER TO APPLY & SAVE THE CONFIGURATION TO THE GATEWAY!

Policy creation with Policy Tool using exported CA certificate

Before the Nokia Mobile VPN Client policy can be created, a device certificate and a CA certificate for the Nokia Mobile VPN Client must be available. In this example, a PKCS#12 package is used to deliver the device certificate, and the CA certificate is delivered separately in its own file. Start the Nokia Mobile VPN Client Policy Tool and press the “Load Template” button. Select the Cisco_ASA_rsasig.pol policy from the Cisco/ASA directory.

Add the correct VPN gateway address and browse to the path of your CA certificate. Note that this is not needed if the CA certificate is part of the PKCS#12 package. Make sure the Format in the Certificate Authority selection is set to BIN. Do the same for the PKCS#12 package. If silent authentication is desired (the PIN code for the certificate is not requested), this option needs to be activated from the Advanced View. Go to Advanced View, open the IKE tree, and set “Cert store” to DEVICE instead of USER. Note that only selected S60 3rd Edition, Feature Pack 1 devices support the Device store. See the release notes for more information.

Adding internal DNS server address to policy

With this configuration it is not possible to get the internal DNS server address from the Cisco ASA to the Nokia Mobile VPN Client during IKE negotiation. Without an internal DNS server address, DNS name resolution fails for intranet addresses. Therefore, the internal DNS server address must be added to the VPN client policy. Once you have modified the fields mentioned in the previous chapter, select View -> Advanced view.
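The certificate handling on both sides of this setup can be reproduced offline with OpenSSL: on the gateway side, the identity-certificate steps above (keypair, CSR with O, C, L and CN in the Subject DN, signing by the CA whose certificate was imported, installing the signed certificate); on the client side, the previous section's device certificate delivered as a PKCS#12 package, optionally with the CA certificate bundled inside it. The shell script below is an added example and is not part of the Nokia document, the Cisco tooling or the Policy Tool. It assumes the openssl command-line tool is installed; every DN, file name and password in it is constructed for the demonstration, and the throw-away CA stands in for the real CA whose certificate is imported on the ASA. It also carries out the chain check that the ASA can only perform once the CA and identity certificates share a TrustPoint.

```shell
#!/bin/sh
# Added example, not from the Nokia document: a throw-away CA that signs the
# gateway's CSR, a chain check, and a PKCS#12 package for the client.
# Assumes the openssl CLI is installed.  All names, DNs and the PIN below are
# constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# 1. Demo CA (stand-in for the real CA whose certificate is imported on the ASA).
#    Explicit CA extensions so the result verifies the same way on any OpenSSL version.
make_ca() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=FI/O=Example Corp/CN=Demo VPN CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days 365 -sha256 \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Stand-in for the ASA: keypair plus CSR with O, C, L and CN in the Subject DN,
#    the equivalent of ASDM's "Add a new identity certificate" dialog.
make_gateway_csr() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=FI/O=Example Corp/L=Espoo/CN=vpn-gw.example.test" \
        -keyout "$WORK/gw.key" -out "$WORK/gw.csr" 2>/dev/null
}

# 3. Sign a CSR with the demo CA.  $1 = CSR file, $2 = output certificate.
sign_csr() {
    openssl x509 -req -in "$1" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -sha256 -out "$2" 2>/dev/null
}

# 4. Check that a certificate chains to the CA.  This is the validation the ASA
#    cannot do while the CA and identity certificates sit in different TrustPoints.
verify_chain() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# 5. Client side: key, CSR, signed certificate, then a PKCS#12 package.
#    -certfile bundles the CA certificate, so no separate CA file is needed
#    in the Policy Tool.  The export password plays the role of the PIN.
make_client_p12() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/C=FI/O=Example Corp/CN=vpn-user-1" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
    sign_csr "$WORK/client.csr" "$WORK/client.crt"
    openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
        -certfile "$WORK/ca.crt" -name "vpn-user-1" \
        -passout pass:demo-pin -out "$WORK/client.p12"
}

# 6. Count the certificates inside the package (client certificate + CA = 2).
p12_cert_count() {
    openssl pkcs12 -in "$WORK/client.p12" -passin pass:demo-pin -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

make_ca
make_gateway_csr
sign_csr "$WORK/gw.csr" "$WORK/gw.crt"
verify_chain "$WORK/gw.crt"
echo "gateway certificate chains to the CA"
make_client_p12
echo "certificates in client.p12: $(p12_cert_count)"
```

The PKCS#12 file produced by step 5 is in the BIN format the Policy Tool expects; the files written to the work directory include private keys, so treat that directory like any other key material and remove it when the demonstration is done.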


Click “IKE” in the left window; the DNS server IP address field is then available on the right. Enter your internal DNS server address there.

To export the VPN policy, press the Generate VPN Policy button, and store Cisco_ASA rsasig.vpn to your PC. Consult the Nokia Mobile VPN Client User’s Guide, Chapter 6.1, for details on how to install a given policy file to your device.

Work together. Smarter.

Nokia Inc.
102 Corporate Park Drive, White Plains, NY 10604 USA

Americas: Tel: 1 877 997 9199 • Email: [email protected]
Asia Pacific: Tel: +65 6588 33 64 • Email: [email protected]
Europe: France +33 170 708 166 • UK +44 161 601 8908 • Email: [email protected]
Middle East and Africa: Dubai +971 4 3697600 • Email: [email protected]

www.nokiaforbusiness.com

© 2008 Nokia. All rights reserved. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation. Other trademarks mentioned are the property of their respective owners. Nokia operates a policy of continuous development, therefore, reserves the right to make changes and improvements to any of the products described in this document without prior notice.

Legal Notice

Reproduction, transfer, distribution or storage of part or all of the contents in this document in any form without the prior written permission of Nokia is prohibited.

Nokia and Nokia Connecting People are trademarks or registered trademarks of Nokia Corporation. Other product and company names mentioned herein may be trademarks or tradenames of their respective owners.

Nokia operates a policy of continuous development. Nokia reserves the right to make changes and improvements to any of the products described in this document without prior notice.

Under no circumstances shall Nokia be responsible for any loss of data or income or any special, incidental, consequential or indirect damages howsoever caused.

The contents of this document are provided “as is”. Except as required by applicable law, no warranties of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose, are made in relation to the accuracy, reliability or contents of this document. Nokia reserves the right to revise this document or withdraw it at any time without prior notice.