
Microsoft CA and Ipad vpn problem

nika.katsitadze
Level 1

Hello,

I have Windows 2008 R2 as the CA server, and I also have a 2911 router as the remote VPN server. Everything works fine for desktop computers and laptops. Users automatically enroll certificates on the Microsoft CA server and get connected to the VPN. But the problem is with iPads. When I try to connect from an iPad, the error message "Could not validate the server certificate" is displayed, and I also get this error message from the router:

"CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from x.x.x.x failed its sanity check or is malformed"

With the iPad's built-in VPN client I can see the installed certificate and use it, but with the AnyConnect client no certificates are displayed.

4 Replies

pghbrea
Level 1

Nika,

I'm having a similar problem as you with iPads. I can install the certificate (had to download the CA certificate and install it for it to be trusted); however, the AnyConnect client does not recognize the certificate and tells me that no certificates are available.

I'm talking with Apple about this as well at the moment. If I find anything I will post it here.

Another item to consider with this is that I found a problem with using the certificates from a 2008 server using SHA2 and higher encryption. There's a Microsoft fix for it. Wondering if there might be a similar problem with iPads and the AnyConnect client.

http://support.microsoft.com/kb/968730

Yesterday I tried to do this configuration with an ASA and the Microsoft CA server, but the result was the same. It works well with workstations and doesn't work with iPads. Today I am going to try a different CA server.

nika.katsitadze
Level 1

I have done it.

I just added SAN attributes on Windows Server 2008:

certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2

net stop certsvc
net start certsvc

http://support.microsoft.com/kb/931351

and on the identity certificate on the Cisco router I added the attributes

san:dns=dns.name[&dns=dns.name]
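
Added example, not part of the original posts: the certutil change above makes the CA accept SAN values supplied as request attributes, so this Python example checks whether that EditFlags bit is on and whether a request's `san:` attribute names only approved hosts. The sample certutil output, the host names and the function names are constructed for illustration.

```python
import re

# Bit toggled by "certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2"
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

# Constructed sample of "certutil -getreg policy\EditFlags" output (not from the thread)
SAMPLE_GETREG = """
  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
"""
# Constructed request attribute in the san:dns=...&dns=... form used in the thread
SAMPLE_ATTR = "san:dns=vpn.example.com&dns=mail.example.com"


def san_flag_enabled(getreg_output):
    """Return True if the EditFlags DWORD has the SAN-from-attributes bit set."""
    m = re.search(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)", getreg_output)
    if not m:
        raise ValueError("EditFlags value not found in certutil output")
    return bool(int(m.group(1), 16) & EDITF_ATTRIBUTESUBJECTALTNAME2)


def parse_san_attribute(attr):
    """Split 'san:dns=a&dns=b' into {'dns': ['a', 'b']}, lower-casing keys and values."""
    prefix, _, body = attr.strip().partition(":")
    if prefix.lower() != "san" or not body:
        raise ValueError("not a san: request attribute")
    names = {}
    for pair in body.split("&"):
        kind, sep, value = pair.partition("=")
        if not sep or not kind.strip() or not value.strip():
            raise ValueError("malformed SAN component: %r" % pair)
        names.setdefault(kind.strip().lower(), []).append(value.strip().lower())
    return names


def unexpected_names(attr, allowed_dns):
    """List every requested name that is not an approved DNS name for this device."""
    flagged = []
    for kind, values in parse_san_attribute(attr).items():
        for value in values:
            if kind != "dns" or value not in allowed_dns:
                flagged.append("%s=%s" % (kind, value))
    return flagged


if __name__ == "__main__":
    print("SAN attribute flag enabled:", san_flag_enabled(SAMPLE_GETREG))
    print("names to review:", unexpected_names(SAMPLE_ATTR, {"vpn.example.com"}))
```

Any component other than `dns=` is reported for review rather than interpreted.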
