Cisco Employee

Re: ASK THE EXPERTS - Connect your iPhone/iPad via IPsec and SSL

Joe,

Normally for SSLVPN you wouldn't need to create a separate profile - the iPhone can connect to the same profile.  However, if you're doing posture assessment, you may want to create a separate profile so that the ASA can connect to it, and then check for that profile in a DAP entry with the 'continue' action so that the iPhones will get through your DAP policy assignment.

--Jason

Beginner

Re: ASK THE EXPERTS - Connect your iPhone/iPad via IPsec and SSL

Jason,

Can you point me to any configuration guides on how to configure the ASA for iPhones? I don't understand how the posture can be configured for iPhones. Wouldn't it be easier to configure a separate profile and not check for posture and just have it authenticate?

Also, I have another question. Is it possible to use the iPhone to monitor the ASAs? We use ASDM currently on our Windows machines to monitor remotely.

Cisco Employee

Re: ASK THE EXPERTS - Connect your iPhone/iPad via IPsec and SSL

Joe,

There's not a real document on how to specifically configure for the iPhone when it comes to DAP - I'll look into making one.

There are basically 2 components: Posture Assessment/host checking, and DAP.

Posture Assessment is essentially a way of reporting on attributes of a given device (using HostScan or CSD).

DAP is taking actions given those attributes and AAA attributes reported by how you log in.

Apple's devices can't participate in posture assessment.  If you have rules in DAP that depend on those HostScan attributes being reported, you have to adjust those rules to allow the iPhone access.  Just creating a tunnel group that doesn't run CSD doesn't bypass your DAP rules, which are always run.  You could create a tunnel-group for the iPhone, but then you would have to have a DAP rule checking for that tunnel-group to allow the iPhone access.

Of course, if you're not using DAP, you don't have these concerns.

ASDM depends on Java - until Apple decides to support Java on the iDevices, you won't be able to monitor ASAs from them using ASDM.

Not applicable

Re: ASK THE EXPERTS - Connect your iPhone/iPad via IPsec and SSL

Hi

I am one step away from succeeding in connecting.

We are trying to connect iPhones/iPads to our enterprise network via the device's built-in Cisco IPsec VPN client.

iPhone/iPad users use the IPsec client to establish a VPN connection between their device and the ASA. On their devices all necessary certificates are installed (2 certificates: one identity and one root).

On the ASA we have installed THE SAME root certificate and an identity certificate.

The 2 identity certificates HAVE the same issuer (root certificate).

Everything works almost fine. ISAKMP (VPN Phase 1) seems to be OK EXCEPT certificate validation. I get the following errors on the ASA.

There is a strange error about ExtendedKeyUsage and an OID that is not acceptable.

Any help would be welcome.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: Found a suitable authenticated trustpoint ASDM_TrustPoint0.

CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2, NOT acceptable
CRYPTO_PKI:check_key_usage: No acceptable ExtendedKeyUsage OIDs found

CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve revocation status if necessary

ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 4CF50CA500070000073A, subject name: cn=Vagelis-iphone4,ou=iPhonecert,o=COSMOTE SA,l=ATHENS,st=ATTICA,c=GR

CRYPTO_PKI: Certificate not validated
CRYPTO_PKI: Invalid cert.

Cisco Employee

Re: ASK THE EXPERTS - Connect your iPhone/iPad via IPsec and SSL

Ekaradimos,

As of 8.0(3)4 for SSL (and 8.0(2) for IPsec):

If the ExtendedKeyUsage extension is present, it must contain one of the following for IPsec:

* id-kp-clientAuth        1.3.6.1.5.5.7.3.2
* id-kp-ipsecEndSystem    1.3.6.1.5.5.7.3.5
* id-kp-ipsecTunnel       1.3.6.1.5.5.7.3.6
* id-kp-ipsecUser         1.3.6.1.5.5.7.3.7

If the ExtendedKeyUsage extension is present, it must contain the following for SSL:

* id-kp-clientAuth        1.3.6.1.5.5.7.3.2

If you're issuing an ID certificate for IPsec and it doesn't have one of those EKUs, you need to tell the ASA to ignore the key usage check.  You can do this under the trustpoint configuration (I would put it on the trustpoint containing the root certificate):

crypto ca trustpoint 
  ignore-ipsec-keyusage
  ignore-ssl-keyusage
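To make the rule above concrete, here is an added example (not part of the original thread or of any Cisco code) that emulates the ASA's EKU decision in pure Python: it DER-encodes and parses an ExtendedKeyUsage extension (a SEQUENCE OF OBJECT IDENTIFIER) and applies the same acceptance logic the post describes, including the effect of `ignore-ipsec-keyusage`. The sample EKU values are constructed for the example; the one carrying only 1.3.6.1.5.5.8.2.2 (the OID from the debug output) reproduces the rejection seen in the logs. The function and variable names are this example's own.

```python
"""Emulate the ASA's ExtendedKeyUsage (EKU) acceptance check for IPsec/SSL.

Only the Python standard library is used; a minimal DER encoder/decoder is
included so the example runs offline. This is illustrative code written for
this thread, not Cisco's implementation.
"""

# EKUs the ASA accepts for each protocol when the extension is present.
IPSEC_ACCEPTABLE = {
    "1.3.6.1.5.5.7.3.2": "id-kp-clientAuth",
    "1.3.6.1.5.5.7.3.5": "id-kp-ipsecEndSystem",
    "1.3.6.1.5.5.7.3.6": "id-kp-ipsecTunnel",
    "1.3.6.1.5.5.7.3.7": "id-kp-ipsecUser",
}
SSL_ACCEPTABLE = {"1.3.6.1.5.5.7.3.2": "id-kp-clientAuth"}


def _der_length(n):
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """Encode a dotted OID string as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06]) + _der_length(len(body)) + bytes(body)


def encode_eku(oids):
    """Build an ExtendedKeyUsage extension value: SEQUENCE OF OID."""
    content = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30]) + _der_length(len(content)) + content


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def parse_eku(der):
    """Parse an EKU extension value into a list of dotted OIDs."""
    tag, content, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU value is not a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE member is not an OID")
        oids.append(decode_oid(value))
    return oids


def check_key_usage(eku_der, protocol, ignore_keyusage=False):
    """Return (accepted, reason), mirroring the ASA's check_key_usage logic.

    eku_der is the DER EKU extension value, or None when the certificate has
    no EKU extension at all (in which case the check does not apply).
    ignore_keyusage models the trustpoint's ignore-ipsec/ssl-keyusage command.
    """
    acceptable = IPSEC_ACCEPTABLE if protocol == "ipsec" else SSL_ACCEPTABLE
    if eku_der is None:
        return True, "no ExtendedKeyUsage extension; check not applicable"
    present = parse_eku(eku_der)
    matches = [acceptable[o] for o in present if o in acceptable]
    if matches:
        return True, "acceptable EKU found: " + ", ".join(matches)
    if ignore_keyusage:
        return True, "IGNORING %s key usage check failure" % protocol
    return False, "No acceptable ExtendedKeyUsage OIDs found: " + ", ".join(present)


# Constructed sample EKUs (not real certificates from the thread).
IPHONE_EKU = encode_eku(["1.3.6.1.5.5.8.2.2"])          # OID seen in the debug
CLIENTAUTH_EKU = encode_eku(["1.3.6.1.5.5.7.3.2"])      # typical client cert

if __name__ == "__main__":
    for label, eku, ignore in (("iPhone", IPHONE_EKU, False),
                               ("iPhone+ignore", IPHONE_EKU, True),
                               ("clientAuth", CLIENTAUTH_EKU, False)):
        print(label, check_key_usage(eku, "ipsec", ignore))
```

Run as a script it prints the decision for each constructed EKU. The point worth noticing is the asymmetry: a certificate with no EKU extension passes, while one whose EKU lists only a non-matching purpose (such as the iPhone's 1.3.6.1.5.5.8.2.2) fails until either the CA issues it with one of the listed OIDs or the trustpoint is told to ignore the check.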
Not applicable

Re: ASK THE EXPERTS - Connect your iPhone/iPad via IPsec and SSL

Thank you very much for your prompt answer.

Now I get another error. The certificate is validated, but it checks for a CRL.

CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: Incorrect KeyUsage (60)
CRYPTO_PKI:check_key_usage: IGNORING IPSec Key Usage check failure

(Thanks. The ignore command worked)

CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary

CRYPTO_PKI:Certificate validated. serial number: 62BECDC7000700000745, subject name:  cn=Vagelis-iphone4,ou=iPhonecert,o=COSMOTE SA,l=ATHENS,st=ATTICA,c=GR.

CRYPTO_PKI: Certificate validated without revocation check
Feb 08 23:14:16 [IKEv1]: Group = iPhoneGrpPolicy, IP = 87.202.26.31, Removing peer from peer table failed, no match!
Feb 08 23:14:16 [IKEv1]: Group = iPhoneGrpPolicy, IP = 87.202.26.31, Error: Unable to remove PeerTblEntry

Cisco Employee

Re: ASK THE EXPERTS - Connect your iPhone/iPad via IPsec and SSL

Ekaradimos

You're actually succeeding in PKI validation (the cert is validated without a revocation check).  You'll need to check your ISAKMP debugs (debug crypto isakmp 127) to see if phase 1/phase 2 of IPsec is succeeding - you're probably failing phase 2, but we won't know that without debugs.

These error messages are just indicative of a VPN being torn down and don't really provide any useful troubleshooting information, so you can ignore them (other than knowing they mean a VPN was torn down):

Removing peer from peer table failed, no match!
Feb 08 23:14:16 [IKEv1]: Group = iPhoneGrpPolicy, IP = 87.202.26.31, Error: Unable to remove PeerTblEntry

tgm
Beginner

Re: ASK THE EXPERTS - Connect your iPhone/iPad via IPsec and SSL

A couple of clients are using WRVS4400N small business routers on their networks.  They have joined the craze with both iPhones and iPads and want to remotely connect to their networks with VPN.  Unfortunately, the WRVS4400N does not currently support the Cisco version of IPsec, but does support the standard version of the protocol.

Question one...  Are there plans to add the Cisco version of IPsec to the WRVS4400N firmware in the near future?  And if so, when?

The other option is obviously to upgrade the router.  But what would you recommend for alternate hardware that supports all of the other features that the WRVS4400N already has, plus the ability to connect iPhone and iPad VPN tunnels directly?  Price sensitivity is something to consider too, where it will be a very hard sell to convince these clients to shell out a lot more than their current investment.