VPN IPsec with certificate authentication between ASA5510 and IPAD

RodrigoMB
Level 1

Hi

I am trying to connect my iPad through an IPsec VPN to my ASA5510 using certificate authentication, but the iPad shows an error message:

"VPN Connection
Could not validate the server certificate."

  • I generated the certificates with OpenSSL.

  • I connect using this certificate on Windows XP with the Cisco VPN client, on the same WiFi as the iPad, without any problem.

  • When I try to connect using the iPad, it seems that it does not even negotiate phase 1.

  1. Feb 23 18:55:26 172.16.140.49 :%ASA-vpn-6-713172: IP = X.X.X.X, Automatic NAT Detection Status: Remote end IS behind a NAT device This end is NOT behind a NAT device
  2. Feb 23 18:55:26 172.16.140.49 :%ASA-vpn-6-713905: Group = IPAD, IP = X.X.X.X, No valid authentication type found for the tunnel group
  3. Feb 23 18:55:26 172.16.140.49 :%ASA-ca-6-717022: Certificate was successfully validated. serial number: 15, subject name: cn=ASA1.W.ZZZZZZZZ.FFFFFFF,ou=ZZZZZZZ,o=WWW,l=CCCCCC,st=CCCCCCC,c=CC.
  4. Feb 23 18:55:26 172.16.140.49 :%ASA-ca-6-717028: Certificate chain was successfully validated with warning, revocation status was not checked.
  5. Feb 23 18:55:26 172.16.140.49 :%ASA-auth-6-113009: AAA retrieved default group policy (GROUP_IPAD) for user = IPAD
  6. Feb 23 18:55:26 172.16.140.49 :%ASA-vpn-6-713905: Group = IPAD, Username = ASA1.W.ZZZZZZZZ.FFFFFFF, IP = X.X.X.X Username updated from certificate.
  7. Feb 23 18:55:26 172.16.140.49 :%ASA-vpn-5-713904: Group = IPAD, Username = ASA1.W.ZZZZZZZZ.FFFFFFF, IP = X.X.X.X, Received encrypted Oakley Informational packet with invalid payloads, MessID = 3539554318
  8. Feb 23 18:55:59 172.16.140.49 :%ASA-vpn-6-713903: Group = IPAD, Username = ASA1.W.ZZZZZZZZ.FFFFFFF, IP = X.X.X.X, Error: Unable to remove PeerTblEntry

I tried to include in the certificate the information below, which I read in an Apple forum, but I get the same error.

CN=the real name of the VPN gateway

SAN=the DNS name of the gateway (same name configured in the VPN configuration)

Can someone help me?

Thanks in advance.

Regards
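An added example, not from the thread: a POSIX shell script using openssl (assumed installed) that builds a throwaway CA, issues a gateway certificate with CN and SAN both set to a hypothetical gateway name, and checks the two things the advice above relies on, the chain validating against the CA the client trusts and the SAN carrying the gateway's DNS name. It also issues a CN-only certificate to show that one fails the SAN check.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway CA and two gateway
# certificates, one with CN + SAN and one CN-only, then check which one
# satisfies the "chain validates AND SAN carries the gateway DNS name" test.
set -eu

GW_NAME="${GW_NAME:-vpn.example.test}"   # hypothetical gateway hostname
WORK="${WORK:-$(mktemp -d)}"             # scratch directory for keys/certs

make_certs() {
  # Root CA: this is the certificate the iPad must hold as a trusted root.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example VPN Root CA" -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
  # Gateway key and CSR; the CN is the gateway name.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$GW_NAME" \
    -keyout "$WORK/gw.key" -out "$WORK/gw.csr" >/dev/null 2>&1
  # Extension file: SAN repeats the DNS name, plus server-auth EKU and no CA bit.
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$GW_NAME" > "$WORK/gw.ext"
  # Sign once with the SAN extensions (good) and once with no extensions (CN-only).
  openssl x509 -req -in "$WORK/gw.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$WORK/gw.ext" -out "$WORK/gw-san.crt" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/gw.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -sha256 -out "$WORK/gw-cnonly.crt" >/dev/null 2>&1
}

# check_gateway_cert CERT NAME -> 0 if CERT chains to ca.crt and its SAN lists NAME,
# 1 if the chain does not validate, 2 if the chain is fine but the SAN is missing.
check_gateway_cert() {
  cert="$1"; name="$2"
  openssl verify -CAfile "$WORK/ca.crt" "$cert" >/dev/null 2>&1 || return 1
  openssl x509 -in "$cert" -noout -text | grep -qF "DNS:$name" || return 2
  return 0
}

make_certs
check_gateway_cert "$WORK/gw-san.crt" "$GW_NAME" && echo "gw-san.crt: OK for $GW_NAME"
check_gateway_cert "$WORK/gw-cnonly.crt" "$GW_NAME" || echo "gw-cnonly.crt: rejected (rc=$?)"
```

Run the same check_gateway_cert against a certificate exported from a real gateway (with the CA file the client actually trusts) to see which of the two conditions is the one failing.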

4 Replies

Yudong Wu
Level 7

"VPN Connection
Could not validate the server certificate."

If you get the above error on the iPad, it looks like the issue is that the iPad could not validate the ASA's certificate. You might need to install the root CA's certificate, which issued the certificate to the ASA, on the iPad as a trusted CA root.

Yes, sorry, I forgot to say this.

I sent the CA cert and the authentication cert to the iPad. When I installed them, both certs appeared as "trusted".

The iPad is still saying "Could not validate the server certificate"...

Thanks

Since Windows XP works without this issue, I suspect the issue might be in the way the iPad validates the ASA's certificate.

Can you provide the following info?

1. From the ASA, show crypto ca cert

2. A screenshot of the CA certificate (not the client cert) which you installed on the iPad

3. In the IPsec client configuration, are you using the IP address or the DNS name of the ASA?

leandrochaves
Level 1

Hi Rodrigo,

Did you solve the problem with the certificate on the iPad?

I have the same problem with my iPhone, and I can't find the solution.

The iPhone is still saying "Could not validate the server certificate"...

Thanks.