So I have the problem described here (iOS5 refusing Cisco VPN client connection to ASG 8.202), obviously because the VPN CA certificate presented in
Remote Access -> Certificate Management -> Certificate Authority
has only a 1024 bit modulus. iOS5 seems to require that to be 2048 bits long (as well as having only SHA1 fingerprints instead of MD5 but we already fulfill that requirement).
Now the only way out seems to be regenerating the CA cert. I can do that from the "Advanced" tab.:
Here you can regenerate the VPN signing CA that was created during the initial setup of the unit. The VPN signing CA is the certificate authority with which digital certificates are signed that are used for remote access and site-to-site VPN connections. To ensure that VPN connections that use the old VPN signing CA are still working after the exchange of the signing CA, the old VPN signing CA will be kept as verification CA.
Caution! The device and all user certificates will be regenerated with the new signing CA. This may break current Site-to-Site VPN and Roadwarrior connections.
The two parts in bold seem to contradict each other.
We have several SSL-VPN-Users (OpenVPN) that rely on this connection. Will their ability to connect break once I regenerate the CA and until they re-download their configuration from the VPN user portal?
-- Paul
This thread was automatically locked due to age.
