SEC0017 - ASA EZVPN with Pre-Shared Key & Certificate


The video walks you through the configuration of Easy VPN (EZVPN) with pre-shared key and certificate authentication on a Cisco ASA firewall acting as the headend. The hardware client router runs in Client Mode and is configured to connect automatically using a locally stored credential. This video is the counterpart of SEC0015 and SEC0016, which use a router as the headend. Here we introduce the concepts of 'group-policy' and 'tunnel-group', which are unique to the ASA, while most of the crypto command syntax is very similar to that on a router.

Topics include
  • EZVPN Client Mode with Pre-Shared Key and XAuth
  • EZVPN Hardware Client
  • Automatic Connect, Local Credential, Split Tunnel
  • Router Certificate Import
  • 'tunnel-group' and 'group-policy' configuration
  • The Extended Key Usage field of a certificate issued by a Microsoft CA 2008 may not be recognized by an ASA; the command 'ignore-ipsec-keyusage' may be needed under 'crypto ca'
  • As on a router, by default the EZVPN client must have a certificate with OU=<EZVPN Group Name>
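The headend pieces listed above, shown together as an added ASA configuration sketch (this is not the lab's own configuration; all names, addresses, the pool range and the placeholder secrets are assumed):

```text
! Headend ASA: IKEv1 phase 1 and phase 2 proposals (assumed values)
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 enable outside
crypto ipsec ikev1 transform-set EZVPN-TS esp-aes-256 esp-sha-hmac
! Dynamic crypto map: the hardware client's public address is not known in advance
crypto dynamic-map EZVPN-DYN 10 set ikev1 transform-set EZVPN-TS
crypto dynamic-map EZVPN-DYN 10 set reverse-route
crypto map OUTSIDE-MAP 65535 ipsec-isakmp dynamic EZVPN-DYN
crypto map OUTSIDE-MAP interface outside
! Client Mode: the client is assigned an address from this pool (assumed range)
ip local pool EZVPN-POOL 10.10.10.1-10.10.10.50
! Split tunnel: only traffic to this subnet (assumed) is sent through the tunnel
access-list EZVPN-SPLIT standard permit 192.168.100.0 255.255.255.0
! group-policy: the attributes pushed to every client in the group
group-policy EZVPN-GP internal
group-policy EZVPN-GP attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value EZVPN-SPLIT
! Trustpoint for certificate authentication; ignore-ipsec-keyusage is the
! workaround for the Extended Key Usage issue with the Microsoft CA 2008
crypto ca trustpoint EZVPN-CA
 enrollment terminal
 ignore-ipsec-keyusage
! tunnel-group: its name is the EZVPN group name, so the client's
! certificate must carry OU=EZVPN-GROUP to land in this group
tunnel-group EZVPN-GROUP type remote-access
tunnel-group EZVPN-GROUP general-attributes
 address-pool EZVPN-POOL
 default-group-policy EZVPN-GP
 authentication-server-group LOCAL
tunnel-group EZVPN-GROUP ipsec-attributes
 ikev1 pre-shared-key <PLACEHOLDER-PSK>
 ikev1 trust-point EZVPN-CA
 ikev1 user-authentication xauth
! Select the tunnel-group from the certificate OU (the ASA default)
tunnel-group-map enable ou
! Local XAuth account matching the credential stored on the hardware client
username ezvpn-user1 password <PLACEHOLDER-PASSWORD>
```

Importing the CA and identity certificates into the trustpoint ('crypto ca authenticate' / 'crypto ca enroll') is a separate step not shown here.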

About Author

Metha Cheiwanichakorn, CCIE#23585 (RS, Sec, SP), is a Cisco networking enthusiast with years of experience in the industry. He is currently working as a consulting engineer for a Cisco partner. As a founder of and an instructor at, Metha enjoys learning and challenges himself with new Cisco technologies.



I am trying to follow this video and am stuck on user auth via certificate. Could you please guide me on how to create a CER with OU as shown in your video? I am using Windows Server 2012 CA standalone. I had tried using OpenSSL > KEY > CSR > CER steps; however, the user cert doesn't include OU or department info from AD.

My user cert includes or misses the following info in the top section.
Common name: Users + user1
Department: it's blank
Company: it's blank
State: it's blank
Country: it's blank

Please assist.
Thank you.
Muhammad Khan

To get user info on the cert, the CA needs to run in Enterprise mode, not standalone mode. You can then specify certificate attributes in the certificate template. We have several videos on Microsoft CA under the Security > Certificate section.