cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
28385
Views
18
Helpful
37
Replies

ASK THE EXPERTS - Connect your iPhone/iPad via IPsec and SSLVPN

ciscomoderator
Community Manager
Community Manager

with Jason Gervia

Welcome  to the Cisco Networking Professionals Ask the  Expert conversation.  This is an opportunity to learn how you can extend your remote access  VPN capabilities to the various Apple IOS devices, including the iPad,  iPhone, and iTouch with Cisco expert Jason Gervia. Jason  is a Customer Support Engineer at the Cisco Technical Assistance Center  in North Carolina, where he has been for almost four years. He is  currently team lead of the VPN technology team. His area of expertise is  in the VPN and security realm, including Cisco IOS IPSec VPNs, public  key infrastructures, Cisco IOS SSL VPN, and Cisco Security Manager.  Jason holds CCIE Security certification 26894.

Remember to use the rating system to let Jason know if you have received an adequate response.

Jason  might not be able to  answer each question due to the volume expected  during this event.  Remember that you can continue the conversation on  the Security  discussion forums shortly after the event. This event lasts through February 11, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

37 Replies 37

ok, if I'm using IPSec PSK (without certificates), is it enough secure? I mean the PSK can be known through the company and by an attacker, but I think IPSec is using session keys for encryption, so knowing the PSK is not a security problem or it is?

Can I manage which users can connect thorugh Radius or if you have the PSK you can connect?

Thanks

sding2006
Level 1
Level 1

Hi Jason,

Our VPN server has the following sh ver related to license

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 200      
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled 
VPN Peers                    : 5000     
WebVPN Peers                 : 250      
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Proxy Sessions            : 2       

This platform has an ASA 5540 VPN Premium license.

We have both IPSec and SSL VPN configured. Will we be able to use the anyconnect client on iPhone/iPad etc? Do we have to buy the AnyConnect for Mobile license in oder to do that?

Thanks,

Shiling

Shiling,

You do need the AnyConnect for Mobile license in order to activate the feature (it's not a per seat license).

The license is

ASA-AC-M-55XX

where the 'XX' is the last 2 digits of your ASA model number - so for your ASA 5540 you would need an ASA-AC-M-5540 license.

You can read more about licensing here:

http://www.cisco.com/en/US/customer/prod/collateral/vpndevc/ps6032/ps6094/ps6120/overview_c78-527488.html

Or check the AnyConnect FAQ:

https://supportforums.cisco.com/docs/DOC-1361#Q_How_does_the_mobile_license_workordered

Shaun Bender
Level 4
Level 4

Hi,

Running AnyConnect(latest version) on Apple iOS devices, mainly iPod Touch, running iOS 4.2.1.

Connecting to an ASA 5510 running 8.3(1).

Have issued a certificate to the ASA and iPod Touch from our Windows 2008 R2 CA.

When setting an AnyConnect connection(on the iPod) to use Certificates, the following error is shown:

"The connection requires a client certificate but no matching certificates is configured.

Please modify this connection, choose a valid certificate and try again."

Has anyone else seen or have resolved this issue?

Also, what would be some things to check to help resolve this issue?

Thank

Shaun,

This error would seem  that you don't have the Root and/or Intermediate certificate(s) installed on the ASA and iPhone.

When doing certificate authentication, the ASA sends a message to the client (in this case, the iPhone) to tell the client what CA certificates the ASA  has installed so the client can choose what certificate to send to the ASA.

This error message seems to indicated that the ASA either doesn't have a CA certificate installed, or that the CA certificates being presented to the client don't match as being the issuer of the client's certificates, so it doesn't know which certificate to send to the ASA.

Check to make sure your phone and ASA have an ID certificate as well as the CA certificate of the Windows 2008 server that issued them installed.  If that looks correct, or if you still have issues after installing them:

Gather debugs on the ASA at the following levels from a connection attempt:

debug cry ca transaction 127

debug cry ca messages 127

debug cry ca 127

That should tell you why any PKI is failing.  If not, connect the ASAs running-configuration and I can take a look at the configuration to see if there is a misconfiguration.

--Jason

Hi Jason,

Here is what the debug output is showing:

# CERT API thread wakes up!

CRYPTO_PKI: Sorted chain size is: 1

CRYPTO_PKI: Found ID cert. serial number: 018E7EBC0548B528425E, subject name: c=US,cn=4EF445C1-4676-4D98-B309-D9E60C353D2B

CRYPTO_PKI: Verifying certificate with serial number: 018E7EBC0548B528425E, subject name: c=US,cn=4EF445C1-4676-4D98-B309-D9E60C353D2B, issuer_name: cn=Apple iPhone Device CA,ou=Apple iPhone,o=Apple Inc.,c=US.

CRYPTO_PKI: Checking to see if an identical cert is

already in the database...

CRYPTO_PKI(Cert Lookup) issuer="cn=Apple iPhone Device CA,ou=Apple iPhone,o=Apple Inc.,c=US" serial number=01 8e 7e bc 05 48 b5 28 42 5e                      |  ..~..H.(B^

CRYPTO_PKI: looking for cert in handle=ac78c848, digest=

f5 07 78 fc f6 99 ff 89 96 e1 3e cf a1 a4 75 11    |  ..x.......>...u.

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 018E7EBC0548B528425E, subject name: c=US,cn=4EF445C1-4676-4D98-B309-D9E60C353D2B, issuer name: cn=Apple iPhone Device CA,ou=Apple iPhone,o=Apple Inc.,c=US .

CRYPTO_PKI: No suitable TP status.

CRYPTO_PKI: cert validation failed to find trustpointCERT API thread sleeps!

On our iOS device, under the following:

General > Profile(name of profile used in iPhone Config utility--for SCEP) > *Profile* > More Details:

Signing Certificate:

iPhone Configuration…(text cut off)

Issued by: iPhone Configuration.... (text cut off)

Certificate:

(shows all the info issued from our internal CA)

On our internal CA it does show the certificate issused successfully along with a cert issued to the ASA.

However, I did notice this, not sure if it matters, when I exported the SCEP profile from the iPhone Configuration Utilty, I had the following turned on:

Iphone Configuration Utility:

Export Connfiguration Profile

Security: Signed Configuration Profile

Would the "Security" need to be set for "None" on the export?, would that be an issue?

I've attached a screen cap for a little better explaination of what is on my iOS device.

Thanks

Hi Jason,

I have this working now. I had the certs all messed up.  Once I redid all the certs things are working like a charm.

I used a Web Server cert on the ASA and a Client cert on the Apple devices.

Things are working great.

Thanks!

clausonna
Level 3
Level 3

How do the iPhone/iPad appear to the ASA's pre-login OS detection policy.  I assume its 'Mac', but is there a way (or a need?) to differentiate between a device running OSX vs iOS.  Does Host Scan support iOS, can I do certificate-based authentication, and does the Advanced Endpoint / Remediation ability work on Macs or iPads?

Thanks!

Clausonna,

You won't be able to do a pre-login check with clientless and the iPhone as CSD/hostscan is not supported on the iPhone currently - which means no AES as well.  You can do certificate authentication, though.


AES/CSD is supported on the MAC.

--Jason

Ok, but does an iPhone/iPad 'look' the same to the Pre-login policy?  Or are you saying that those devices just bypass Host Scan / Pre-login entirely, and just jump right to the authentication part?  How does that affect DAP?

I guess I'm concerned that a OSX Mac could connect but somehow bypass the pre-login checks if its able to spoof itself as an iPhone.  I also want to set myself up for the point where I have 'managed' and 'unmanaged' iPhones that VPN in, and have the ability to assign one policy / ACL / DHCP pool / whatever to the two different 'types' of devices.

Thanks.

clausonna,

pre-login:

iphone bypasses the pre-login policy (similar to if you cancel out of all the downloads to prevent hostscan from running on a pc) - you will be able to login with the iphone but it will not return any of the hostscan values due to not running hostscan.

DAP:

DAP isn't affected per se - it just won't return hostscan values other than AAA values (if using clientless).  Anyconnect will return, after login, the following:

endpoint.os.version="Apple Plugin"

If you bypass hostscan, I'm not sure how you would masquerade as another OS type - the OS detection doesn't appear to be using the HTTP user agent for checking.  I can try to find out how we check for the OS if hostscan is not running - but the information may be proprietary.

As far as managed vs unmanaged iphone types - there is not really any way without hostscan to tell one iphone from another, you'd have to either set up a different tunnel group for your managed vs unmanaged iphones, but that depends on the users to make a decision.

Jason - I'm also trying to get my DAP policies to get a match on the LUA EVAL statement. When I turn on DAP debugging (error and trace) I see the following:

DAP_TRACE: dap_add_csd_data_to_lua:endpoint.feature="failure"
DAP_TRACE: name = endpoint.feature, value = "failure"
DAP_TRACE: dap_add_csd_data_to_lua:endpoint.os.version="Apple Plugin"  <<-----------
DAP_TRACE: name = endpoint.os.version, value = "Apple Plugin"
DAP_TRACE: Username: xxxxxx, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: xxxxxx, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: xxxxxx, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: xxxxxx, DAP_close: 761406E8

I've tried to get the Lua to match using the exact same string that I see coming back from the debug. My Lua check looks like this:

EVAL(endpoint.os.version, "EQ", "Apple Plugin", “STRING") I've also tried "NE" just trying to get something to match but it doesn't seem to match even when I use the NE value even though I'm using the exact returned value.

For this specific check (I have several other checks) I have no other entries in this specific DAP policy, such as checking for a AAA attribute or endpoint attribute, just this one lua check and it keeps coming back as failing so my connection fails. I really need to match on something unique on the iPad, just having a hard time finding something that makes it unique.

I have a cert on the machine that I was trying to do some cert to ssl vpn connection profile mapping but was not able to get that to work either. I'm about out of ideas on this one...

Thanks,

Bruce

Bruce,

2 things - this check won't work if you're using an anyconnect essentials license.

It can also be related to the  the following bug:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=csctj46900

Which is fixed in the 8.2(4),  8.3(2)13  and 8.4(1) code on CCO.

--Jason

Thanks Jason for the response. I am running the Essentials licsense, and thanks for the update on the bug. I'm probably running into this one because I am running 8.3(2)12. I'll probably try to get the 8.4(1) version which is on the download page. Are there any other issues with DAP in 8.4 that I should be aware of from a DAP standpoint? I'll review the release notes and if it looks good probably get this upgraded and tested. Thanks again.

Bruce

joe-vieira
Level 1
Level 1

Hi Jason,

We currently have ASAs 5520 for our SSL VPN needs. We use AnyConnect for company laptops that have to meet posture requirements and clientless for user's Home PCs. We now have a requirement to test iPhone ssl vpn connections. The clientless version doesn't work because it doesn't support java to connect to terminal servers after authentication. I need information on how to configure the ASAs for iPhone using AnyConnect. Do we need to add a new profile?

Thanks

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: