ASK THE EXPERTS - Connect your iPhone/iPad via IPsec and SSLVPN

ciscomoderator
Community Manager

with Jason Gervia

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how you can extend your remote access VPN capabilities to the various Apple iOS devices, including the iPad, iPhone, and iTouch with Cisco expert Jason Gervia. Jason is a Customer Support Engineer at the Cisco Technical Assistance Center in North Carolina, where he has been for almost four years. He is currently team lead of the VPN technology team. His area of expertise is in the VPN and security realm, including Cisco IOS IPSec VPNs, public key infrastructures, Cisco IOS SSL VPN, and Cisco Security Manager. Jason holds CCIE Security certification 26894.

Remember to use the rating system to let Jason know if you have received an adequate response.

Jason might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security discussion forums shortly after the event. This event lasts through February 11, 2011. Visit this forum often to view responses to your questions and the questions of other community members.


Joe,

Normally for SSLVPN you wouldn't need to create a separate profile - the iPhone can connect to the same profile. However, if you're doing posture assessment, you may want to create a separate profile so that the ASA can connect to it, and then check for that profile in a DAP entry with the 'continue' action so that the iPhones will get through your DAP policy assignment.

--Jason

Jason,

Can you point me to any configuration guides on how to configure the ASA for iPhones? I don't understand how the posture can be configured for iPhones. Wouldn't it be easier to configure a separate profile and not check for posture and just have it authenticate?

Also, I have another question. Is it possible to use the iPhone to monitor the ASAs? We use ASDM currently on our Windows machines to monitor remotely.

Joe,

There's not a real document on how to specifically configure for the iPhone when it comes to DAP - I'll look into making one.

There are basically 2 components:  Posture Assessment/hostchecking, and DAP

Posture Assessment is essentially a way of reporting on attributes of a given device (using hostscan or CSD)

DAP is taking actions given those attributes and AAA attributes reported by how you log in.

Apple's devices can't participate in posture assessment. If you have rules in DAP that depend on those hostscan attributes being reported, you have to adjust those rules to allow the iPhone access. Just creating a tunnel group that doesn't run CSD doesn't bypass your DAP rules, which are always run. You could create a tunnel-group for the iPhone, but then you would have to have a DAP rule checking for that tunnel-group to allow the iPhone access.

Of course, if you're not using DAP, you don't have these concerns.

ASDM depends on java - until Apple decides to support java on the iDevices, you won't be able to monitor ASAs from them using ASDM.


Hi

I am one step away from succeeding in connecting...

We are trying to connect iPhones/iPads to our enterprise network via the device's built-in Cisco IPSec VPN client.

iPhone/iPad users use the IPSec client to establish a VPN connection between their device and the ASA. On their devices all necessary certificates are installed (2 certificates: one identity and one root).

On ASA we have installed THE SAME root certificate and an identity certificate.

The 2 identity certificates HAVE the same issuer (root certificate).

Everything works almost fine. ISAKMP (VPN Phase 1) seems to be OK EXCEPT certificate validation. I get the following errors on the ASA.

There is a strange error for ExtendedKeyUsage and OID not acceptable.

Any help would be welcome.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: Found a suitable authenticated trustpoint ASDM_TrustPoint0.

CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2, NOT acceptable
CRYPTO_PKI:check_key_usage: No acceptable ExtendedKeyUsage OIDs found

CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve revocation status if necessary

ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 4CF50CA500070000073A, subject name: cn=Vagelis-iphone4,ou=iPhonecert,o=COSMOTE SA,l=ATHENS,st=ATTICA,c=GR

CRYPTO_PKI: Certificate not validated
CRYPTO_PKI: Invalid cert.

Ekaradimos,

As of 8.0(3)4 for SSL (and 8.0(2) for IPsec):

If the ExtendedKeyUsage extension is present it must contain one of the following for IPsec:

* id-kp-clientAuth       1.3.6.1.5.5.7.3.2
* id-kp-ipsecEndSystem   1.3.6.1.5.5.7.3.5
* id-kp-ipsecTunnel      1.3.6.1.5.5.7.3.6
* id-kp-ipsecUser        1.3.6.1.5.5.7.3.7

If the ExtendedKeyUsage extension is present it must contain the following for SSL:

* id-kp-clientAuth       1.3.6.1.5.5.7.3.2

If you're issuing an ID certificate for IPSec and it doesn't have one of those EKUs, you need to tell the ASA to ignore the key usage check.  You can do this under the trustpoint configuration (I would put it on the trustpoint containing the root certificate) :

crypto ca trustpoint 
ignore-ipsec-keyusage
ignore-ssl-keyusage
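To make the rule Jason quotes concrete, here is an added example (my own code, not Cisco's and not how the ASA is implemented) that decodes a DER-encoded ExtendedKeyUsage extension value and applies the same decision the ASA debug shows: when EKU is present, an IPsec peer must carry one of the four listed OIDs and an SSL peer must carry id-kp-clientAuth; an ignore flag models the effect of ignore-ipsec-keyusage / ignore-ssl-keyusage. The function names (encode_eku, decode_eku, check_key_usage) are mine, and the sample EKU bytes are constructed so that they carry only 1.3.6.1.5.5.8.2.2, the OID the debug output above reports as NOT acceptable (it is the iKEIntermediate EKU, which is not on the accepted list).

```python
"""ASA-style ExtendedKeyUsage (EKU) check for a peer certificate.

Added example, not Cisco code. Decodes a DER EKU value (SEQUENCE OF
OBJECT IDENTIFIER) and applies the rule quoted in the thread. The
ignore_keyusage flag models 'ignore-ipsec-keyusage'/'ignore-ssl-keyusage'.
All certificate bytes in this file are constructed for the demo.
"""

EKU_IPSEC_ACCEPTED = {
    "1.3.6.1.5.5.7.3.2": "id-kp-clientAuth",
    "1.3.6.1.5.5.7.3.5": "id-kp-ipsecEndSystem",
    "1.3.6.1.5.5.7.3.6": "id-kp-ipsecTunnel",
    "1.3.6.1.5.5.7.3.7": "id-kp-ipsecUser",
}
EKU_SSL_ACCEPTED = {"1.3.6.1.5.5.7.3.2": "id-kp-clientAuth"}


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER TLV."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])            # base-128, high bit = "more follows"
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return bytes([0x06]) + _der_length(len(body)) + bytes(body)


def encode_eku(dotted_oids):
    """Encode a list of OIDs as a DER ExtendedKeyUsage value (SEQUENCE OF OID)."""
    inner = b"".join(encode_oid(o) for o in dotted_oids)
    return bytes([0x30]) + _der_length(len(inner)) + inner


def _read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Decode OID value octets to dotted form (first arc 0, 1 or 2, as used here)."""
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                           # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def decode_eku(der):
    """Return the dotted OIDs inside a DER ExtendedKeyUsage value."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU extension value must be a SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, body, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(body))
    return oids


def check_key_usage(eku_der, purpose, ignore_keyusage=False):
    """Return (accepted, log_lines). eku_der=None means no EKU extension, which
    passes because the rule only applies when EKU is present. purpose is
    "ipsec" or "ssl"."""
    accepted = EKU_IPSEC_ACCEPTED if purpose == "ipsec" else EKU_SSL_ACCEPTED
    log, found = [], False
    if eku_der is None:
        log.append("check_key_usage: no ExtendedKeyUsage extension, check skipped")
        return True, log
    for oid in decode_eku(eku_der):
        ok = oid in accepted
        found = found or ok
        verdict = f"acceptable ({accepted[oid]})" if ok else "NOT acceptable"
        log.append(f"check_key_usage: ExtendedKeyUsage OID = {oid}, {verdict}")
    if found:
        return True, log
    log.append("check_key_usage: No acceptable ExtendedKeyUsage OIDs found")
    if ignore_keyusage:                            # ignore-<purpose>-keyusage in effect
        log.append(f"check_key_usage: IGNORING {purpose.upper()} Key Usage check failure")
        return True, log
    return False, log


# Constructed samples: the first carries only the OID the ASA debug rejected,
# the second also carries id-kp-clientAuth and is accepted for IPsec as issued.
IPHONE_EKU = encode_eku(["1.3.6.1.5.5.8.2.2"])
GOOD_EKU = encode_eku(["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.8.2.2"])

if __name__ == "__main__":
    for label, der, ignore in (("as issued", IPHONE_EKU, False),
                               ("with ignore-ipsec-keyusage", IPHONE_EKU, True),
                               ("clientAuth present", GOOD_EKU, False)):
        accepted, lines = check_key_usage(der, "ipsec", ignore)
        print(f"--- {label}: {'validated' if accepted else 'REJECTED'}\n" + "\n".join(lines))
```

The first run reproduces the "NOT acceptable" / "No acceptable ExtendedKeyUsage OIDs found" pair from the debug, the second shows the check being ignored rather than passed, and the third shows the clean fix: reissue the identity certificate with one of the accepted EKUs so the ignore command is not needed.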

Thank you very much for your prompt answer.

Now I get another error. Certificate is validated but it checks for CRL.

CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: Incorrect KeyUsage (60)
CRYPTO_PKI:check_key_usage: IGNORING IPSec Key Usage check failure

(Thanks. The ignore command worked)

CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary

CRYPTO_PKI:Certificate validated. serial number: 62BECDC7000700000745, subject name:  cn=Vagelis-iphone4,ou=iPhonecert,o=COSMOTE SA,l=ATHENS,st=ATTICA,c=GR.

CRYPTO_PKI: Certificate validated without revocation check
Feb 08 23:14:16 [IKEv1]: Group = iPhoneGrpPolicy, IP = 87.202.26.31, Removing peer from peer table failed, no match!
Feb 08 23:14:16 [IKEv1]: Group = iPhoneGrpPolicy, IP = 87.202.26.31, Error: Unable to remove PeerTblEntry

Ekaradimos,

You're actually succeeding in PKI validation (the cert is validated without a revocation check). You'll need to check your isakmp debugs (debug crypto isakmp 127) to see if phase 1/phase 2 of IPsec is succeeding - you're probably failing phase 2, but we won't know that without debugs.

These error messages are just indicative of a VPN being torn down and don't really provide any useful troubleshooting information, so you can ignore them (other than knowing they mean a VPN was torn down):

Removing peer from peer table failed, no match!
Feb 08 23:14:16 [IKEv1]: Group = iPhoneGrpPolicy, IP = 87.202.26.31, Error: Unable to remove PeerTblEntry

tgm
Level 1

A couple of clients are using WRVS4400N small business routers on their networks. They have joined the craze with both iPhones and iPads and want to remotely connect to their networks with VPN. Unfortunately, the WRVS4400N does not currently support the Cisco version of IPSEC but does support the standard version of the protocol.

Question one... Are there plans to add the Cisco version of IPSEC to the WRVS4400N firmware in the near future? And if so, when?

The other option is obviously to upgrade the router. But what would you recommend for alternate hardware that supports all of the other features that the WRVS4400N already has plus the ability to connect iPhone and iPad VPN tunnels directly? Price sensitivity is something to consider too, where it will be a very hard sell to convince these clients to shell out a lot more than their current investment.