Before your enterprise network server can securely pass corporate information to the user’s device over IPSec VPN, you need to perform some steps so that your Adaptive Security Appliances (ASA) firewall recognizes the user’s device and trusts it belongs to an authorized user.

This is accomplished by authenticating the user and their device with an Identity Certificate provided from an external certificate authority (CA).

Regardless of the ASA firewall equipment or proprietary IPSec VPN being configured, the methodology is basically the same. If you understand the methodology, have the technical expertise, and have a strong understanding of the hardware and software needed to perform this, then it becomes much easier to configure and it ensures the user having a seamless experience using Remote Access VPN.

Integrate the Firewall with an External CA

First, your firewall must be integrated with an external CA so that it can trust that incoming Identity Certificates originated from a valid, trusted source that can be leveraged for authentication. Specifically, when configuring IPSec VPN for certificate authentication, the process includes:

  • Disabling the Local CA on the ASA firewall
  • Generating a Certificate Signing Request (CSR) on the ASA firewall
  • Installing the external CA’s certificate on the ASA firewall
  • Installing the Identity Certificate on the ASA firewall

Configure the Firewall for IPSec VPN Using Certificate Authentication

Once your firewall has been configured with an external CA and both the CA’s certificate and a corresponding firewall Identity Certificate have been added to the firewall, the remaining IPSec VPN settings can be configured. For IPSec VPN, the process includes:

  • Configuring Internet Key Exchange (IKE) policies
  • Selecting the mode of encryption
  • Configuring the tunnel properties and policies
  • Creating a new group policy
  • Defining IP addresses (pool) available VPN clients
  • Creating user accounts and group assignments
  • Associating all attributes to create an IPSec profile

Configure Workspace ONE UEM to Deploy an Identity Certificate and IPSec VPN Profile to Devices

At this point, IPSec VPN has been properly configured to allow devices to connect with certificates from an external CA. However, it would require a manual process for generating and deploying Identity Certificates to all devices, and also configuring the appropriate VPN settings on each. Automating this process with Workspace ONE UEM would entail:

  • Integrating Workspace ONE UEM with the external CA
  • Deploying an IPSec VPN and certificate profile to devices