Nokia Mobile VPN

How to configure Nokia Mobile VPN for Cisco ASA with certificate based authentication

Table of Contents

Interoperability note ....................................................................................................................................................................... 3 Introduction...................................................................................................................................................................................... 3 Importing CA certificate................................................................................................................................................................... 4 Creating Identity certificates for VPN gateway ............................................................................................................................. 7 Internal address pool configuration ............................................................................................................................................ 12 Creating VPN policies ..................................................................................................................................................................... 15 Troubleshooting certificates......................................................................................................................................................... 16 Configuring certificate authentication ........................................................................................................................................ 20 Policy creation with Policy Tool using exported CA certificate ................................................................................................. 23 Adding internal DNS server address to policy ............................................................................................................................. 24

Interoperability note Introduction

This configuration does not enable internal DNS server address request from ASA to Nokia Mobile VPN. To overcome DNS resolution problems, DNS server address must be added to Nokia Mobile VPN policy. See chapter Adding internal DNS server address to policy.

This document explains the configuration of Cisco ASA for use with Nokia Mobile VPN Client. The document includes instructions for certificate-based authentication. It is assumed that the Cisco ASA basic configuration is in place. This covers any network-related configurations, such as inside and outside interface assignments, IP address configuration, hostname, domain, default routes and so on. This document uses Cisco ASA 5505 with software version 8.0(3). The configuration interface is Cisco ASDM (Adaptive Security Device Manager) version 6.1(1).

These software updates are available from www.cisco.com.

Importing CA certificate
First a new CA certificate is imported to the VPN gateway.

Click the Configuration tab and select Remote Access VPN.

In the menu tree on the left, navigate to Certificate Management -> CA Certificates. Click Add to import the CA certificate.

Click Browse to select the certificate file. You can also use other options in the dialog box for certificate import.

Browse the certificate file and click Install.

Click Install Certificate to complete the import.

Creating Identity certificates for VPN gateway

Navigate to Identity Certificates menu entry. Click Add.

. Select the Add a new identity certificate option. Click New to generate a keypair.

Keep all default settings and click Generate Now.

Click Select to add additional information to Subject DN.

Attribute fields are fulfilled as O, C, L and CN. Click OK.

Click Add Certificate.

You are prompted to choose a location and the file name where to save the Certificate Signing Request (CSR). You need to sign this with the Certificate Authority we imported in previous steps.

The status of the identity certificate is now Pending. When you have the signed certificate, select the pending request and click Install.

In this example, we select Install from a file. You can select the other option and paste the certificate contents directly, if you prefer.

Browse to the location and the file where the signed certificate is stored. Click Install ID certificate file.

Click Install Certificate to complete the import.

At this point, the installation should be complete and should look something like this.

Internal address pool configuration

Navigate to Network (Client) Access -> Address Assignment -> Address Pools. Click Add to create a new address pool to be used for internal address assignment.

Enter a name for the pool, starting and ending IP addresses, and the subnet mask. This address pool must not conflict with any other network object. Be careful to not define the addresses from the same range as any of the gateway interfaces. Click OK to close.

Navigate to Network (Client) Access -> Group policies. Highlight the DfltGrpPolicy (System Default) and click Edit.

Click Select to assign the address pool.

Select the previously defined IA_pool and click Assign. Click OK.

Navigate to Servers. Enter the DNS server address in the DNS Servers field. This will be handed out to client. It allows internal DNS resolutions. Click OK to close the DfltGrpPolicy properties dialog.

Creating VPN policies

Navigate to Network (Client) Access -> IPsec Connection Profiles. Check outside interface to Allow Access for IPsec access. Highlight DefaultRAGroup and click Edit.

In the IKE Peer Authentication section, enter the Pre-shared Key. This string can be anything, Cisco configuration seems to require that. In the Identity Certificate, select the device certificate requested in earlier steps. In Client Address Assignment section, select the IA_pool created earlier for the Client Address Pools field. Click OK.

Troubleshooting certificates
There is an issue with ASDM configuration UI that causes the CA certificate and the device identity certificate to be placed in different TrustPoints. By default, this prevents them from being seen and/or verified against each other. The issue can be circumvented by editing the configuration file manually. Note that the actual hex data will be different for you in real use. The demo certificates used in this document represent their own unique hex data.

The certificates in the configuration file looks like this. The upper block of hex data is the CA certificate. The lower block is the signed device identity certificate. There are two ASDM_TrustPoints configured. TrustPoint0 is the CA and TrustPoint1 is the ID-cert. We need to edit this so that both of the hex blocks are in the same TrustPoint, in this case TrustPoint0. There are various ways to accomplish this. USING A TERMINAL CONNECTION When logged in and in the administrative-enabled mode, view the running configuration by entering: # show running-config. Scroll the configuration file until you see the aforementioned blocks of hex data. Copy the following data ASDM_TrustPoint1 (certificate 013d) hex content to the clipboard. Note that the certificate id (013d) and the actual TrustPoint number may vary in your config.

After this, enter the following commands: # configure terminal

# crypto ca certificate chain ASDM_TrustPoint0 Then paste the edited hex content to the terminal. After this, enter the command: # quit # exit # exit # write When this process is done, the certificates should be under the same TrustPoint and when viewing the running configuration, it should look like this:

An alternative way to do the certificate fix is to copy the running configuration from the gateway and open it into a text editor. Then simply copy this block:

Paste it in the ASDM_TrustPoint0 section so that the end result will be identical as in the previous end result sample.

Configuring certificate authentication

Navigate to Network (Client) Access -> Advanced -> IPsec -> IKE Policies. Click Add to create a new IKE policy for RSA_SIG.

Enter the details as follows and click OK.

Navigate to Network (Client) Access -> Advanced -> IPsec -> Certificate to Connection Profile Maps -> Policy. Uncheck other options except Use the IKE identity to determine the group and Default to group. This allows the certificate client to be mapped to the DefaultRAGroup profile. You can set more advanced mappings via other options, which are beyond the scope of this document.

Navigate to Network (Client) Access -> IPsec Connection Profiles. Highlight DefaultRAGroup and click Edit. Open Advanced and select IPsec. In the IKE Peer ID Validation, select Do not check.

REMEMBER TO APPLY & SAVE THE CONFIGURATION TO THE GATEWAY!

Policy creation with Policy Tool using exported CA certificate

Before the Nokia Mobile VPN Client policy can be created, a device certificate and CA certificate for Nokia Mobile VPN Client must be available. In this example, the PKCS#12 packet is used to deliver the device certificate, and the CA certificate is delivered separately in its own file. Start the Nokia Mobile VPN Client Policy Tool and press the Load Template button. Select the Cisco_ASA_rsasig.pol policy from the Cisco/ASA directory.

Add the correct VPN gateway address and get the path to your CA certificate. Note that this is not needed if the CA certificate is part of the PKCS#12 packet. Make sure the Format in Certificate Authority selection is set to BIN. Do the same to the PKCS#12 packet. If silent authentication is desired (the PIN code for the certificate is not requested), this option needs to be activated from the Advanced View. Go to Advanced View, open the IKE tree, and select Cert store to be DEVICE instead of USER. Note that only select S60 3rd Edition, Feature Pack 1 devices support Device store. See the release notes for more information.

Adding internal DNS server address to policy

With this configuration it is not possible to get internal DNS server address from Cisco ASA to Nokia Mobile VPN Client during IKE negotiation. Not having internal DNS server address will cause DNS name resolution to fail for intranet addresses. Due to this, internal DNS server address must be added to VPN client policy. Once you have modified necessary fields mentioned in previous chapter, select View -> Advanced view.

Click IKE in the left window and then DNS server IP address field is available on the right. Put your internal DNS server address there.

To export the VPN policy, press the Generate VPN Policy button, and store Cisco_ASA rsasig.vpn to your PC. Consult the Nokia Mobile VPN Client Users Guide, Chapter 6.1, for details on how to install a given policy file to your device.

Legal Notice
Reproduction, transfer, distribution or storage of part or all of the contents in this document in any form without the prior written permission of Nokia is prohibited. Nokia and Nokia Connecting People are trademarks or registered trademarks of Nokia Corporation. Other product and company names mentioned herein may be trademarks or tradenames of their respective owners. Nokia operates a policy of continuous development. Nokia reserves the right to make changes and improvements to any of the products described in this document without prior notice. Under no circumstances shall Nokia be responsible for any loss of data or income or any special, incidental, consequential or indirect damages howsoever caused. The contents of this document are provided as is. Except as required by applicable law, no warranties of any kind, either express or implied, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose, are made in relation to the accuracy, reliability or contents of this document. Nokia reserves the right to revise this document or withdraw it at any time without prior notice.

Work together. Smarter.

Nokia Inc. 102 Corporate Park Drive, White Plains, NY 10604 USA Americas Tel: 1 877 997 9199 Email: usa@nokiaforbusiness.com Asia Pacific Tel: +65 6588 33 64 Email: asia@nokiaforbusiness.com Europe France +33 170 708 166 UK +44 161 601 8908 Email: europe@nokiaforbusiness.com Middle East and Africa Dubai +971 4 3697600 Email: mea@nokiaforbusiness.com www.nokiaforbusiness.com
2008 Nokia. All rights reserved. Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation. Other trademarks mentioned are the property of their respective owners. Nokia operates a policy of continuous development, therefore, reserves the right to make changes and improvements to any of the products described in this document without prior notice.