71-7
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter71 Configuring Easy VPN Services on the ASA 5505
Specifying the Tunnel Group or Trustpoint
Specifying the Tunnel Group
Enter the following command in global configuration mode to specify the name of the VPN tunnel group
and password for the Easy VPN client connection to the server:
vpnclient vpngroup group_name password preshared_key
group_name is the name of the VPN tunnel group configured on the Easy VPN server. You must
configure this tunnel group on the server before establishing a connection.
preshared_key is the IKE pre-shared key used for authentication on the Easy VPN server.
For example, enter the following command to identify the VPN tunnel group named TestGroup1 and the
IKE preshared key my_key123.
hostname(config)# vpnclient vpngroup TestGroup1 password my_key123
hostname(config)#
To remove the attribute from the running configuration, enter the following command:
no vpnclient vpngroup
If the configuration of the ASA 5505 running as an Easy VPN client does not specify a tunnel group, the
client attempts to use an RSA certificate.
For example:
hostname(config)# no vpnclient vpngroup
hostname(config)#
Specifying the Trustpoint
A trustpoint represents a CA identity, and possibly a device identity, based on a certificate the CA issues.
These parameters specify how the ASA obtains its certificate from the CA and define the authentication
policies for user certificates issued by the CA.
First define the trustpoint using the crypto ca trustpoint command, as described in “Configuring
Trustpoints” section on page41-10. Then enter the following command in global configuration mode to
name the trustpoint identifying the RSA certificate to use for authentication:
vpnclient trustpoint trustpoint_name [chain]
trustpoint_name names the trustpoint identifying the RSA certificate to use for authentication.
(Optional) chain sends the entire certificate chain.
For example, enter the following command to specify the identity certificate named central and send the
entire certificate chain:
hostname(config)# crypto ca trustpoint central
hostname(config)# vpnclient trustpoint central chain
hostname(config)#
To remove the attribute from the running configuration, enter the following command:
no vpnclient trustpoint
For example: