Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
28697
Views
18
Helpful
37
Replies

ASK THE EXPERTS - Connect your iPhone/iPad via IPsec and SSLVPN

ciscomoderator
Community Manager
Community Manager

‎01-31-2011 10:47 AM - edited ‎02-21-2020 05:08 PM

with Jason Gervia

Welcome  to the Cisco Networking Professionals Ask the  Expert conversation.  This is an opportunity to learn how you can extend your remote access  VPN capabilities to the various Apple IOS devices, including the iPad,  iPhone, and iTouch with Cisco expert Jason Gervia. Jason  is a Customer Support Engineer at the Cisco Technical Assistance Center  in North Carolina, where he has been for almost four years. He is  currently team lead of the VPN technology team. His area of expertise is  in the VPN and security realm, including Cisco IOS IPSec VPNs, public  key infrastructures, Cisco IOS SSL VPN, and Cisco Security Manager.  Jason holds CCIE Security certification 26894.

Remember to use the rating system to let Jason know if you have received an adequate response.

Jason  might not be able to  answer each question due to the volume expected  during this event.  Remember that you can continue the conversation on  the Security  discussion forums shortly after the event. This event lasts through February 11, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

Labels:
0 Helpful
37 Replies 37

Jason Gervia
Cisco Employee
Cisco Employee
In response to joe-vieira

‎02-08-2011 12:06 PM

Joe,

Normally for SSLVPN you wouldn't need to create a seperate profile - the iPhone can connect to the same profile.  However, if you're doing posture assessment, you may want to create a seperate profile so that the ASA can connect to it, and then check for that profile in DAP entry with the 'continue' action so that the iPhones will get through your DAP policy assignment.

--Jason

0 Helpful

joe-vieira
Level 1
Level 1
In response to Jason Gervia

‎02-08-2011 12:16 PM

Jason,

Can you point me to any configuration guides on how to configure the ASA for iPhones? I don't understand how the posture can be configured for iPhones. Wouldn't it be easier to configure a separate profile and not check for posture and just have it authenticate?

Also, I have another question. Is is possible to use the iPhone to monitor the ASAs? We use ASDM currently on our Windows machines to monitor remotely

0 Helpful

Jason Gervia
Cisco Employee
Cisco Employee
In response to joe-vieira

‎02-09-2011 06:12 PM

Joe,

There's not a real document how to specifically configure for the iPhone when it comes to DAP - I'll look into making one

There are basically 2 components:  Posture Assessment/hostchecking, and DAP

Posture Assessment is essentially a way of reporting on attributes of a given device (using hostscan or CSD)

DAP is taking actions given those attributes and AAA attributes reported by how you log in.

Apple's devices can't participate in posture assessment.  If you have rules in DAP that depend on those hostscan attributes being reported, you have to adjust those rules to allow the iphone access.  Just creating a tunnel group that doesn't run CSD doesn't bypass your DAP rules which are always run.  You could create a tunnel-group for the iphone, but then you would have to have a DAP rule checking for that tunnel-group to allow the iPhone access.

Of course, if you're not using DAP, you don't have these concerns.

ASDM depends on java - until Apple decides to support java on the iDevices, you won't be able to monitor ASAs from them using ASDM.

0 Helpful

Not applicable

‎02-08-2011 11:20 AM

Hi

I am one step away from succeed in connecting .........

We are trying to connect iPhones/Pads to our enterprise network via device's buit-in CISCO IPSec VPN Client.

iPhone/Pad users use IPSec client to establish a VPN connection between their device and ASA. On their devices all necessary certificates are installed (2 certificates : one identity and one root).

On ASA we have installed THE SAME root certificate and an identity certificate.

The 2 identity certificates HAVE the same issuer (root certificate).

Everything works almost fine. ISAKMP (VPN Phase 1) seems to be OK EXCEPT certificate validation. I get the following errors on the ASA.

There is a strange error for ExtendedKeyUsage and OID not acceptable.

Any help would be welcome.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: Found a suitable authenticated trustpoint ASDM_TrustPoint0.

CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2, NOT acceptable
CRYPTO_PKI:check_key_usage: No acceptable ExtendedKeyUsage OIDs found

CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve revocation status if necessary

ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 4CF50CA500070000073A, subject name: cn=Vagelis-iphone4,ou=iPhonecert,o=COSMOTE SA,l=ATHENS,st=ATTICA,c=GR

CRYPTO_PKI: Certificate not validated
CRYPTO_PKI: Invalid cert.

0 Helpful

Jason Gervia
Cisco Employee
Cisco Employee
In response to

‎02-08-2011 11:41 AM

Ekaradimos,

As of 8.0(3)4 for SSL (and 8.0(2) for ipsec)

If the ExtendedKeyUsage extension is present it must contain one of the following for IPsec:

*            id-kp-clientAuth             1.3.6.1.5.5.7.3.2
*            id-kp-ipsecEndSystem         1.3.6.1.5.5.7.3.5
*            id-kp-ipsecTunnel            1.3.6.1.5.5.7.3.6
*            id-kp-ipsecUser              1.3.6.1.5.5.7.3.7 
  • If the ExtendedKeyUsage extension is present it must contain the following for SSL: 
*            id-kp-clientAuth             1.3.6.1.5.5.7.3.2

If you're issuing an ID certificate for IPSec and it doesn't have one of those EKUs, you need to tell the ASA to ignore the key usage check.  You can do this under the trustpoint configuration (I would put it on the trustpoint containing the root certificate) :

crypto ca trustpoint 
 ignore-ipsec-keyusage
 ignore-ssl-keyusage
0 Helpful

Not applicable
In response to Jason Gervia

‎02-08-2011 01:19 PM

Thank you very much for your prompt answer.

Now I get another error. Certificate is validated but it checks for CRL.

CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: Incorrect KeyUsage (60)
CRYPTO_PKI:check_key_usage: IGNORING IPSec Key Usage check failure

(Thanks. The ignore command worked)

CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary

CRYPTO_PKI:Certificate validated. serial number: 62BECDC7000700000745, subject name:  cn=Vagelis-iphone4,ou=iPhonecert,o=COSMOTE SA,l=ATHENS,st=ATTICA,c=GR.

CRYPTO_PKI: Certificate validated without revocation checkFeb 08 23:14:16 [IKEv1]: Group = iPhoneGrpPolicy, IP = 87.202.26.31, Removing peer from peer table failed, no match!
Feb 08 23:14:16 [IKEv1]: Group = iPhoneGrpPolicy, IP = 87.202.26.31, Error: Unable to remove PeerTblEntry

0 Helpful

Jason Gervia
Cisco Employee
Cisco Employee
In response to

‎02-09-2011 01:05 PM

Ekaradimos

You're actually succeeding in PKI validation (the cert is validated without a revocation check).  You'll need to check your isakmp debugs (debug crypto isakmp 127) to see if phase1/phase 2 of ipsec is succeeding - you're probably failing phase 2 but we won't know that without debugs.

These error messages are just indicative of a VPN being torn down and don't really provide any useful troubleshooting information, so you can ignore them (other than knowing they mean a VPN was torn down)

Removing peer from peer table failed, no match!
Feb 08 23:14:16 [IKEv1]: Group = iPhoneGrpPolicy, IP = 87.202.26.31, Error: Unable to remove PeerTblEntry

0 Helpful

tgm
Level 1
Level 1

‎02-21-2011 09:48 PM

A couple of clients are using WRVS4400N small business routers on their networks.  They have joined the craze with both iPhones and iPads and want to remotely connect to their networks with VPN.  Unfortunately, the WRVS4400N does not currently support the Cisco version of IPSEC but does support the standard version of the protocol.

Question one...  Are there plans to add the Cisco version of IPSEC to the WR$VS4400N firmware in the near future?  And if so when?

The other option is to obviously upgrade the router.  But what would you recommend for alternate hardware that supports all of the other features that the WRVS4400N already has plus the ability to connect iPhone and iPad VPN tunnels directly?  Price sensitivity is something to consider too where it will be a very hard sell to convice these clients to shell out a lot more than their current investment.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents