Cisco ASA, iPhone VPN, certificates

I have been trying to get the iPhone to connect to our VPN for several months without success. I have worked with support and am now turning to the forums for help.

We are using a Cisco ASA with a certificate signed by our internal corporate CA. We also use user certificates for authentication. I created a VPN connection profile in iPCU and verified the hostname of the ASA is in the ASA certificate's SubjectName and SubjectAltName fields. I imported my user certificate in pfx format with a password and our corporate root and intermediary CA certificates in cer format. I sent the profile to my iPhone and it installed without an issue, but when I try to connect I get an "unable to validate server certificate" error. I enabled the logging tab in iPCU and captured the VPN logs, but there aren't any errors listed in the file. I see the handshake occur, but after sending 3 sets of information the connection is terminated by the iPhone. I believe that the iPhone VPN client is performing a check on something and is failing, but I have no visibility into it. The ASA logs show that my iPhone connects and then requests a disconnect. I have the exact same VPN information in my Mac and Windows Cisco VPN client and they work without issue. If anyone can help shed light on this vexing problem, it would be greatly appreciated. Thanks.

MBP, Mac OS X (10.5.6)

Posted on Mar 11, 2009 8:04 AM

7 replies

Nov 12, 2009 5:23 AM in response to ae_phoenix

There were several issues that caused this not to work.

1. The certificate on our concentrator was built incorrectly. We needed the hostname as the first value in the subject alternative name field. The administrator had added the value to that field, but the certificate configurator for Cisco allowed multiple values in that field and the hostname was second. We made the hostname first and it corrected that piece of the puzzle.
2. The certificates used in the iPhone profile needed to be in a specific format as well. I needed our root and intermediate certificates from our corporate CA in cer format. I also needed my personal certificate in pfx format (we use certificate authentication on our VPN). I added those to the profile and selected the personal cert as the authentication type for the VPN.

Now all is working. I hope this helps someone else in this situation.

Nov 30, 2009 3:10 AM in response to ae_phoenix

ae_phoenix: Hello, please could you post more info about your iPhone Cisco IPSec VPN client configuration?
I am trying to get my VPN working with the Cisco IPSec VPN client and a Linux Openswan server with certificate authentication. I have generated CA, VPN server and Cisco client certificates, type X.509, and the Cisco client identity in PKCS#12 format. After that I imported the PKCS#12, CA and VPN server certificates to my iPhone.
In the Cisco VPN client I have filled in the fields: description, host, use certificates=1 and selected the imported client identity.
Username and password fields left blank.
When I try to connect to my VPN server I can see in its log messages like "ISAKMP SA established" and "XAUTH sending username and password". After that the connection fails.
In an earlier phase, before the ISAKMP SA is established, there are messages like XAUTHinitRSA and I can see that authorization is based on my client identity certificate.
What does it mean? Is it required to use username/password authentication together with certificate authentication?

Thanks in advance.

Peter.

Dec 9, 2009 9:59 AM in response to ae_phoenix

I finally managed to get this working too, but it only seems to work when you use DNS names on the phone's IPSec client, not the public IP address of the ASA. The iPhone actually needs to authenticate the ASA during the negotiation, and the hostname of the ASA needs to appear in either the CN field or the SAN field in its cert for the mutual authentication to happen, not its IP address. I suspect that the iPhone is trying to match the FQDN it used to reach the ASA with one of the fields in the ASA's public certificate before it will allow itself to connect.

The other thing to note is that it seems that the group-name you configure on the ASA may need to match the OU field in the iPhone's id certificate. I haven't had a chance to play around with that in much detail as I suspect that this is configurable.

I've an ASA 5540 running v8.2 & a Win 2003 CA server in a lab, and an iPhone 3GS running v3.1.2

This seems to be the relevant config from the ASA:

! Trustpoint for the ASA's own identity certificate: the FQDN goes into the
! subject CN (subject-name) and into the SAN (fqdn); the OU carries the group name.
crypto ca trustpoint your-label
 enrollment terminal
 subject-name CN=your-asa-hostname,OU=vpn-groupname,O=your-org
 fqdn your-asa-hostname.your-domain.com
 ip-address <your-ip>
 keypair your-asa-rsa-key
 client-types ipsec
 ignore-ipsec-keyusage
 id-usage ssl-ipsec

! Install the CA root certificate, then enroll and import the ASA's own cert.
crypto ca authenticate your-label
<your ca's root cert here>

crypto ca enroll your-label
<the usual commands here>

crypto ca import your-label
<the usual commands here>

! Send the hostname, not the IP address, as the IKE identity.
crypto isakmp identity hostname

! Match client certs whose issuer contains ("co") our CA name and map them to the tunnel group.
crypto ca certificate map DefaultCertificateMap 1
 issuer-name co your-ca

tunnel-group-map DefaultCertificateMap 1 your-label

! IKE phase 1 authenticates with certificates (RSA signatures).
crypto isakmp policy 10
 authentication rsa-sig
 ...
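Added example, written for this thread rather than posted by anyone in it: a POSIX shell script using openssl that builds a throwaway lab CA, an ASA-style server certificate and a client identity, then checks the points the Nov 12 and Dec 9 replies raise: the server cert chains to the CA, the name the client dials matches its CN/SAN, the hostname is the first SAN entry, the client cert's OU matches the group name, and the .pfx opens with its password. All names (vpn.example.com, vpn-groupname, lab-password, 203.0.113.5) are constructed placeholders, and it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added lab script (not from this thread). Builds a throwaway CA, an ASA-style
# server cert and a client identity, then checks what the posters found the
# iPhone client to require. Every name below is a constructed placeholder.
set -e
LAB=$(mktemp -d); trap 'rm -rf "$LAB"' EXIT

make_lab_certs() {   # $1 = work dir, $2 = ASA FQDN, $3 = SAN list (FQDN first)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=lab-ca" \
    -keyout "$1/ca.key" -out "$1/ca.cer" >/dev/null 2>&1
  # Server cert: FQDN in CN, FQDN and IP in SAN, OU carries the VPN group name.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2/OU=vpn-groupname/O=lab" \
    -keyout "$1/asa.key" -out "$1/asa.csr" >/dev/null 2>&1
  printf 'subjectAltName=%s\n' "$3" > "$1/san.cnf"
  openssl x509 -req -days 1 -in "$1/asa.csr" -CA "$1/ca.cer" -CAkey "$1/ca.key" \
    -CAcreateserial -extfile "$1/san.cnf" -out "$1/asa.cer" >/dev/null 2>&1
  # Client identity, exported as a password-protected PKCS#12 (.pfx) for the profile.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=user1/OU=vpn-groupname/O=lab" \
    -keyout "$1/user.key" -out "$1/user.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$1/user.csr" -CA "$1/ca.cer" -CAkey "$1/ca.key" \
    -CAcreateserial -out "$1/user.cer" >/dev/null 2>&1
  openssl pkcs12 -export -in "$1/user.cer" -inkey "$1/user.key" \
    -out "$1/user.pfx" -passout pass:lab-password >/dev/null 2>&1
}

# 0 only if the server cert chains to the CA AND the name the client dialled
# matches its CN/SAN (Dec 9 reply: connect by DNS name, not by IP address).
check_asa_cert() {   # $1 = CA cert, $2 = server cert, $3 = name used to connect
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
  openssl x509 -in "$2" -noout -checkhost "$3" | grep -q 'does match'
}

# First SAN entry (Nov 12 reply: the hostname had to be listed first).
first_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//; s/,.*$//'
}

# OU of a cert subject, to compare with the ASA tunnel-group name.
cert_ou() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*OU=\([^,]*\).*/\1/p'
}

# 0 if the .pfx opens with this password (a wrong one yields no identity).
pfx_opens() {        # $1 = pfx file, $2 = password
  openssl pkcs12 -in "$1" -passin "pass:$2" -noout >/dev/null 2>&1
}

make_lab_certs "$LAB" vpn.example.com 'DNS:vpn.example.com,IP:203.0.113.5'
```

Run it as-is to build the lab material, then call check_asa_cert against your own ASA cert (exported with openssl s_client or from the trustpoint) to see whether the name in the profile would validate.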
