
iPhone and Cisco VPN with Certificates

the_tester
Level 1

Hi,

I am trying to make this thing work. iPhone has a feature where you can connect to an ASA using the certificate method.

At the moment, I can connect using the AnyConnect client for Windows, but I can't connect using Apple products. I am getting a certificate error.

I found some old discussions about this, so I am wondering if anyone could help. Basically:

- My ASA has a hostname like myhost.mydomain.com.au

- the certificate has myhost.mydomain.com.au as SubjAltName. The certificate is signed by an external CA.

The phone connects (I can see the connection attempt in the logs), but the connection ends with "Could not validate server certificate". I have seen many people who said that the SubjAltName in the certificate must be the same as the hostname,

but it still doesn't work.

Any clues?

Thanks

2 Replies

gaigl
Level 3

Hi,

Does your iPhone have the root certificate of the external CA installed?

Does your ASA have the root cert installed and, in the same trustpoint, an identity cert from this CA?

Is the correct trustpoint selected in your tunnel group (connection profile)?

In the settings of the root cert on the ASA, is the intended usage activated (SSL and/or IPsec)?

Settings of CRLs?
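The checklist above can be partly verified from the outside with a standard TLS client: connect to the ASA the way any strict client would, see whether the served chain verifies against the CA you expect, and check that the hostname is present as a DNS SubjectAltName (a matching CN alone is not enough for current clients). This is an added example, not code from the thread or from Cisco; it assumes the ASA presents the same identity cert on its SSL listener (port 443) as for the VPN, and the hostnames and CA name in the sample dict are constructed placeholders.

```python
import socket
import ssl


def _name_matches(pattern, host):
    """RFC 6125-style DNS name match: exact, or a single leftmost wildcard label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or len(p) < 2:
        return False
    if p[0] == "*":
        # '*' may stand for exactly one label, and not for a whole domain like *.com
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def san_matches(cert, host):
    """True if host appears as a DNS SubjectAltName in a getpeercert()-style dict.
    Only SAN entries count; a CN match without a SAN entry is deliberately rejected."""
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and _name_matches(value, host):
            return True
    return False


def probe_vpn_endpoint(host, port=443, cafile=None):
    """Open a verifying TLS session to the ASA and report chain validity plus SAN match.
    cafile: PEM bundle with the external CA's root (default: the system trust store)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=10) as sock, \
                ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
            return {"verified": True, "san_ok": san_matches(cert, host),
                    "issuer": issuer.get("commonName"), "not_after": cert.get("notAfter")}
    except ssl.SSLCertVerificationError as exc:
        # e.g. "unable to get local issuer certificate": the intermediate/root is
        # missing from the chain the ASA sends or from the client's trust store
        return {"verified": False, "error": exc.verify_message}
    except (ssl.SSLError, OSError) as exc:
        return {"verified": False, "error": str(exc)}


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (not a real ASA cert)
SAMPLE_CERT = {
    "subject": ((("commonName", "myhost.mydomain.com.au"),),),
    "subjectAltName": (("DNS", "myhost.mydomain.com.au"), ("DNS", "*.vpn.mydomain.com.au")),
    "issuer": ((("commonName", "Example External CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
```

Run `probe_vpn_endpoint("myhost.mydomain.com.au", cafile="external-ca.pem")` against the real gateway; `verified: False` with an "issuer" error points at the chain or trust store, while `san_ok: False` points at the certificate's names.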

Thanks for your post, Karl.

- yes

- yes

- yes (there is also another bug (of hundreds) I've found in ASDM: you have to put in the command manually). Not to mention the NAT-traversal bug that took me days to figure out (of course, no documentation whatsoever from Cisco)

- yes

- CRL created based on information I've found (of course, neither Apple nor Cisco provides precise documents).

Every time you look for something at Cisco, let's say how to replace a wheel on your car, they will start telling you about all the types of wheels that have existed in this world since the wheel was invented 5000 years ago, the molecular composition of the plastics, the length of every single pin and thread of the metal compositions of the pins, and guess what? They don't actually tell you how to replace the wheel.

Sorry, I'm a little frustrated; everything with Cisco, even the easiest thing, is so damn complicated.