
ASK THE EXPERTS - Connect your iPhone/iPad via IPsec and SSLVPN

Jan 31st, 2011

with Jason Gervia

Welcome to the Cisco Networking Professionals Ask the Expert conversation. This is an opportunity to learn how you can extend your remote access VPN capabilities to the various Apple iOS devices, including the iPad, iPhone, and iPod touch, with Cisco expert Jason Gervia. Jason is a Customer Support Engineer at the Cisco Technical Assistance Center in North Carolina, where he has been for almost four years. He is currently team lead of the VPN technology team. His area of expertise is in the VPN and security realm, including Cisco IOS IPsec VPNs, public key infrastructures, Cisco IOS SSL VPN, and Cisco Security Manager. Jason holds CCIE Security certification 26894.

Remember to use the rating system to let Jason know if you have received an adequate response.

Jason might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Security discussion forums shortly after the event. This event lasts through February 11, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

lazarmihail Mon, 01/31/2011 - 12:30

Hello,

We have a network in our small office and I need some help in order to solve the following issue:

In our network we have a Cisco 861W router, which has VPN capabilities. We configured it in order to access our internal Apple Time Capsule from any part of the world. We have our internal (wireless) network in VLAN 20, network range 192.168.2.0/24. The Time Capsule also connects wirelessly to the network and gets an IP address from VLAN 20. The router also has a management VLAN 1, which has been configured in the 192.168.1.0/24 network. This VLAN does not give any IP addresses to clients. VPN was configured on VLAN 10, network 192.168.10.0/24.

Now,

When we connect to our router through a VPN connection from a Windows 7 system with the Cisco VPN client configured on it, we have access to the local network resources like the Time Capsule and other computers.

The problem arises when we connect from a Mac OS X 10.6 computer: it connects to the VPN router, but we don't have access to local resources like the Time Capsule or any other computer on the network. When we ran a connectivity test we were able to ping the 192.168.1.0/24 network, but we were not able to ping the 192.168.2.0/24 network.

Can you tell us what setting we are missing on the MacBook Pro laptop, or in the router configuration, in order to have access to local resources through the VPN?

Thank you.
Jason Gervia Mon, 01/31/2011 - 15:12

Lazar,

While not precisely an iPhone/iPad/iTouch connection, I'll try to answer this as best I can.

If you are connecting with a Mac and can ping the 192.168.1/24 network, I would verify the following:

1)  Verify you are connecting to the same group as the windows machines

2)  Verify that you are getting an IP address in the same range as the Windows machines - receiving the same networks/routes via split tunneling (if you are split tunneling)

3)  Can you ping the router interface address on the 192.168.2 network?

4)  Does your Mac have any firewall installed on it?  Is the LAN IP address overlapping with the 192.168.2/24 address space?

If you wish, try attaching your config (minus any confidential data) and I can try to determine what the issue may be.

lazarmihail Tue, 02/01/2011 - 07:54

Hello,

1)  Verify you are connecting to the same group as the windows machines

     * Yes, there is only one group created for VPN connections.

2)  Verify that you are getting an IP address in the same range as the Windows machines - receiving the same networks/routes via split tunneling (if you are split tunneling)

     * Yes, I'm receiving an IP address from the 192.168.10.0/24 network, which is the same as the Windows machines. I also configured it for split tunneling, and I'm receiving 192.168.2.1 automatically as the DNS server.

3)  Can you ping the router interface address on the 192.168.2 network?

     * From windows machines yes, I can ping 192.168.2.0 / 24 network but from MacBook I can't, only 192.168.1.0 / 24 network.

4)  Does your mac have any firewall installed on it?  Is the lan IP address in overlapping with the 192.168.2/24 address space?

     * On the MacBook I don't have the firewall activated, and it is not overlapping with the 192.168.2.0 network because I'm connecting through a 3G network and the provider gives me a public address.

Please see the attached configuration of the router and AP and give me advice or a hint on where to look in order to fix the problem, because this MacBook is starting to give me headaches.

Thank You.

Mihail

Attachment: 

Jason Gervia Wed, 02/02/2011 - 07:07

Mihail

I analyzed your configuration and I don't see anything jumping out at me as to why you would be experiencing connectivity differences between Mac and Windows when connecting to that router.

I would verify the following:

1)  That you aren't seeing any dropped messages/logs on the router for packets to the mac when it's connected

2)  See if you can ping the 192.168.2.1 address (which is on the 192.168.2.x network, but still on the router)

You may also want to open a TAC case to resolve this, as there's no configuration in what you sent that would discriminate between Macs and Windows, which leads me to believe this is a VPN client issue of some sort.

lazarmihail Wed, 02/02/2011 - 10:00

Hello,

Please read below the answer that I received tonight from Apple:

"If you're going to use a Cisco IPSec VPN with a Mac, you should use VPN Tracker, IPSecuritas or Shimo (preferred in that order) rather than the built-in Mac VPN client. You need to match the configuration on the router precisely in order for this to work. I would also suggest contacting Cisco support directly if you continue to have problems.


I would also strongly advise against using a Time Capsule for anything business related. I recommend the Promise NS4600, but there are many alternatives.

That said, one way you could easily reach the Time Capsule from a Mac virtually anywhere is by using Apple's Back to My Mac feature, part of its MobileMe service.

Hope this helps. "

I will try tomorrow whether one of the VPN client software packages they advise is working or not.

Regards,

rajiv dasmohapatra Tue, 02/01/2011 - 09:16

Hi,

I have been provided with VPN access from the office. I am using the VPN client to connect to it from my Windows laptop. I use Linux at home and I can connect to the VPN from there too. But I am not able to connect from my iPhone. I tried the Apple support forums but got no help.

The config is same for all the three. I am connecting to the same group also.

Please help.

BR // Rajiv


lazarmihail Tue, 02/01/2011 - 09:55

Well ... I also discussed this with Apple support people, but they told me that it is not the MacBook's fault and I should look at the settings of our router. But I'm wondering if there is any way to test the VPN connection using another client besides the Cisco VPN client which comes with the MacBook.

Jason Gervia Tue, 02/01/2011 - 10:31

Rajiv,

Are you using IPSEC or SSL?

If using IPSEC

I would check on whatever headend you are connecting to (ASA, router) to see if packets from the iPhone are actually reaching the gateway.  If this is IPsec, you may want to get the output from a 'debug crypto isakmp' (on a router), or 'debug crypto isakmp 127' (on an ASA) to see if the gateway is seeing the ISAKMP packets from the iPhone.

You may also want to download the iPhone Configuration Utility from Apple - you can use the console tab to see the logs that are being generated when you try to connect using the built-in IPsec client.

If you're using anyconnect on your iPhone, there are logs/debugs under Statistics-->Diagnostics.  You can view messages or debug logs as well as e-mail them if needed.

--Jason

rajiv dasmohapatra Thu, 02/03/2011 - 11:09

Jason,

I am using IPSEC. I downloaded the iPhone Configuration Utility and captured the console.  From what I can find, it says IKE failed. I am attaching the log file.

Please suggest.

BR // Rajiv

Jason Gervia Mon, 02/07/2011 - 17:52

Rajiv,

I looked through the log files from the VPN client - you actually get through phase 1 and XAUTH (phase 1.5).  I see it initiate phase 2, but the iPhone immediately tears down phase 1 and stops the VPN connection.

Can you get a 'debug crypto ipsec 127' and 'debug crypto isakmp'  from the ASA vpn cluster member you connect to?  You may need to initiate directly to a cluster member without going through the vpn load balanced IP address.

--Jason

robd.com. Tue, 02/01/2011 - 09:21

This is great news for Apple Users...what about Android users? Do you have any time frame for an Android client?

Jason Gervia Tue, 02/01/2011 - 10:22

Robert,

Unfortunately, this is a question I cannot answer - I would talk to your account team if you need further information on the availability of a Cisco VPN client for the Android platform.  Making a VPN client for Android requires collaboration between both Cisco and the manufacturer, given how the VPN client works.

However, L2TP over IPsec on Android should work with the ASA as of 8.3(2)12.

jmprats Wed, 02/02/2011 - 03:00

Hi, we have configured ASA Clientless SSL access. We have problems with iPad users because it is not compatible with ActiveX (so you can't open an RDP connection to a terminal server) or Java (port forwarding with RDP). So I guess I have to connect them with IPsec and run the RDP client itself.

Is all this true?

Any guide or recommendation for configuring IPsec for iPad (iPhone) users on the ASA?

Thanks

Jason Gervia Wed, 02/02/2011 - 06:12

Jmprats,

That is correct.  Because the iPad does not support Java or ActiveX, the iPad cannot use the Cisco RDP plugin for ASA clientless SSLVPN access - as those are the only 2 methods the plugin supports.

If you use IPsec or AnyConnect, you should be able to give your iPad VPN access and use an application to provide RDP access.

As far as IPSec configuration goes, it's the same configuration that you would use for windows, with the following 2 additional requirements:

Apple iPhone and Mac OS X Compatibility

The security appliance requires the following IKE (ISAKMP) policy settings for successful Apple iPhone or Mac OS X connections:

IKE phase 1—3DES encryption with SHA1 hash method.

IPSec phase 2—3DES or AES encryption with MD5 or SHA hash method.

jmprats Wed, 02/09/2011 - 06:52

OK, if I'm using IPsec PSK (without certificates), is it secure enough? I mean the PSK can become known throughout the company and to an attacker, but I think IPsec uses session keys for encryption, so knowing the PSK is not a security problem, or is it?

Can I manage which users can connect through RADIUS, or can anyone who has the PSK connect?

Thanks

sding2006 Wed, 02/02/2011 - 12:35

Hi Jason,

Our VPN server has the following 'sh ver' output related to licensing:

Licensed features for this platform:
Maximum Physical Interfaces  : Unlimited
Maximum VLANs                : 200      
Inside Hosts                 : Unlimited
Failover                     : Active/Active
VPN-DES                      : Enabled  
VPN-3DES-AES                 : Enabled  
Security Contexts            : 2        
GTP/GPRS                     : Disabled 
VPN Peers                    : 5000     
WebVPN Peers                 : 250      
AnyConnect for Mobile        : Disabled 
AnyConnect for Linksys phone : Disabled 
Advanced Endpoint Assessment : Disabled 
UC Proxy Sessions            : 2       

This platform has an ASA 5540 VPN Premium license.

We have both IPsec and SSL VPN configured. Will we be able to use the AnyConnect client on iPhone/iPad etc.? Do we have to buy the AnyConnect for Mobile license in order to do that?

Thanks,

Shiling

Jason Gervia Wed, 02/02/2011 - 13:02

Shiling,

You do need the AnyConnect for Mobile license in order to activate the feature (it's not a per seat license).

The license is

ASA-AC-M-55XX

where the 'XX' is the last 2 digits of your ASA model number - so for your ASA 5540 you would need an ASA-AC-M-5540 license.

You can read more about licensing here:

http://www.cisco.com/en/US/customer/prod/collateral/vpndevc/ps6032/ps6094/ps6120/overview_c78-527488.html

Or check the AnyConnect FAQ:

https://supportforums.cisco.com/docs/DOC-1361#Q_How_does_the_mobile_license_workordered

Shaun Bender Thu, 02/03/2011 - 19:24

Hi,

Running AnyConnect(latest version) on Apple iOS devices, mainly iPod Touch, running iOS 4.2.1.

Connecting to an ASA 5510 running 8.3(1).

Have issued a certificate to the ASA and iPod Touch from our Windows 2008 R2 CA.

When setting an AnyConnect connection(on the iPod) to use Certificates, the following error is shown:

"The connection requires a client certificate but no matching certificates is configured.

Please modify this connection, choose a valid certificate and try again."

Has anyone else seen or have resolved this issue?

Also, what would be some things to check to help resolve this issue?

Thanks

Jason Gervia Mon, 02/07/2011 - 10:12

Shaun,

This error would seem to indicate that you don't have the Root and/or Intermediate certificate(s) installed on the ASA and iPhone.

When doing certificate authentication, the ASA sends a message to the client (in this case, the iPhone) to tell the client what CA certificates the ASA  has installed so the client can choose what certificate to send to the ASA.

This error message seems to indicate that the ASA either doesn't have a CA certificate installed, or that the CA certificates being presented to the client don't match as being the issuer of the client's certificates, so it doesn't know which certificate to send to the ASA.

Check to make sure your phone and ASA have an ID certificate as well as the CA certificate of the Windows 2008 server that issued them installed.  If that looks correct, or if you still have issues after installing them:

Gather debugs on the ASA at the following levels from a connection attempt:

debug cry ca transaction 127

debug cry ca messages 127

debug cry ca 127

That should tell you why any PKI validation is failing.  If not, attach the ASA's running-configuration and I can take a look at the configuration to see if there is a misconfiguration.

--Jason

Shaun Bender Wed, 02/09/2011 - 17:59

Hi Jason,

Here is what the debug output is showing:

# CERT API thread wakes up!

CRYPTO_PKI: Sorted chain size is: 1

CRYPTO_PKI: Found ID cert. serial number: 018E7EBC0548B528425E, subject name: c=US,cn=4EF445C1-4676-4D98-B309-D9E60C353D2B

CRYPTO_PKI: Verifying certificate with serial number: 018E7EBC0548B528425E, subject name: c=US,cn=4EF445C1-4676-4D98-B309-D9E60C353D2B, issuer_name: cn=Apple iPhone Device CA,ou=Apple iPhone,o=Apple Inc.,c=US.

CRYPTO_PKI: Checking to see if an identical cert is

already in the database...

CRYPTO_PKI(Cert Lookup) issuer="cn=Apple iPhone Device CA,ou=Apple iPhone,o=Apple Inc.,c=US" serial number=01 8e 7e bc 05 48 b5 28 42 5e                      |  ..~..H.(B^

CRYPTO_PKI: looking for cert in handle=ac78c848, digest=

f5 07 78 fc f6 99 ff 89 96 e1 3e cf a1 a4 75 11    |  ..x.......>...u.

CRYPTO_PKI: Cert record not found, returning E_NOT_FOUND

CRYPTO_PKI: Cert not found in database.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: crypto_pki_get_cert_record_by_subject()

CRYPTO_PKI: No suitable trustpoints found to validate certificate serial number: 018E7EBC0548B528425E, subject name: c=US,cn=4EF445C1-4676-4D98-B309-D9E60C353D2B, issuer name: cn=Apple iPhone Device CA,ou=Apple iPhone,o=Apple Inc.,c=US .

CRYPTO_PKI: No suitable TP status.

CRYPTO_PKI: cert validation failed to find trustpointCERT API thread sleeps!

On our iOS device, under the following:

General > Profile(name of profile used in iPhone Config utility--for SCEP) > *Profile* > More Details:

Signing Certificate:

iPhone Configuration…(text cut off)

Issued by: iPhone Configuration.... (text cut off)

Certificate:

(shows all the info issued from our internal CA)

On our internal CA it does show the certificate issued successfully, along with a cert issued to the ASA.

However, I did notice this, not sure if it matters: when I exported the SCEP profile from the iPhone Configuration Utility, I had the following turned on:

iPhone Configuration Utility:

Export Configuration Profile

Security: Signed Configuration Profile

Would the "Security" need to be set to "None" on the export? Would that be an issue?

I've attached a screen capture for a little better explanation of what is on my iOS device.

Thanks

Attachment: 

Shaun Bender Tue, 02/15/2011 - 12:32

Hi Jason,

I have this working now. I had the certs all messed up.  Once I redid all the certs, things are working like a charm.

I used a Web Server cert on the ASA and a Client cert on the Apple devices.

Things are working great.

Thanks!

clausonna Fri, 02/04/2011 - 10:25

How do the iPhone/iPad appear to the ASA's pre-login OS detection policy?  I assume it's 'Mac', but is there a way (or a need?) to differentiate between a device running OS X vs. iOS?  Does Host Scan support iOS, can I do certificate-based authentication, and does the Advanced Endpoint / Remediation ability work on Macs or iPads?

Thanks!

Jason Gervia Mon, 02/07/2011 - 07:29

Clausonna,

You won't be able to do a pre-login check with clientless and the iPhone, as CSD/Hostscan is not supported on the iPhone currently - which means no AES as well.  You can do certificate authentication, though.

AES/CSD is supported on the Mac.

--Jason

clausonna Mon, 02/07/2011 - 10:46

Ok, but does an iPhone/iPad 'look' the same to the Pre-login policy?  Or are you saying that those devices just bypass Host Scan / Pre-login entirely, and just jump right to the authentication part?  How does that affect DAP?

I guess I'm concerned that an OS X Mac could connect but somehow bypass the pre-login checks if it's able to spoof itself as an iPhone.  I also want to set myself up for the point where I have 'managed' and 'unmanaged' iPhones that VPN in, and have the ability to assign one policy / ACL / DHCP pool / whatever to the two different 'types' of devices.

Thanks.

Jason Gervia Mon, 02/07/2011 - 16:14

clausonna,

pre-login:

iphone bypasses the pre-login policy (similar to if you cancel out of all the downloads to prevent hostscan from running on a pc) - you will be able to login with the iphone but it will not return any of the hostscan values due to not running hostscan.

DAP:

DAP isn't affected per se - it just won't return hostscan values other than AAA values (if using clientless).  Anyconnect will return, after login, the following:

endpoint.os.version="Apple Plugin"

If you bypass hostscan, I'm not sure how you would masquerade as another OS type - the OS detection doesn't appear to be using the HTTP user agent for checking.  I can try to find out how we check for the OS if hostscan is not running - but the information may be proprietary.

As far as managed vs. unmanaged iPhone types - there is not really any way without Hostscan to tell one iPhone from another; you'd have to set up a different tunnel group for your managed vs. unmanaged iPhones, but that depends on the users to make a decision.

bruced.brown_2 Tue, 02/08/2011 - 15:53

Jason - I'm also trying to get my DAP policies to get a match on the LUA EVAL statement. When I turn on DAP debugging (error and trace) I see the following:

DAP_TRACE: dap_add_csd_data_to_lua:endpoint.feature="failure"
DAP_TRACE: name = endpoint.feature, value = "failure"
DAP_TRACE: dap_add_csd_data_to_lua:endpoint.os.version="Apple Plugin"  <<-----------
DAP_TRACE: name = endpoint.os.version, value = "Apple Plugin"
DAP_TRACE: Username: xxxxxx, Selected DAPs:
DAP_TRACE: dap_process_selected_daps: selected 0 records
DAP_TRACE: Username: xxxxxx, dap_aggregate_attr: rec_count = 1
DAP_TRACE: Username: xxxxxx, Selected DAPs: DfltAccessPolicy
DAP_TRACE: Username: xxxxxx, DAP_close: 761406E8

I've tried to get the Lua to match using the exact same string that I see coming back from the debug. My Lua check looks like this:

EVAL(endpoint.os.version, "EQ", "Apple Plugin", "STRING")

I've also tried "NE" just trying to get something to match, but it doesn't seem to match even when I use the NE value, even though I'm using the exact returned value.

For this specific check (I have several other checks) I have no other entries in this specific DAP policy, such as checking for an AAA attribute or endpoint attribute, just this one Lua check, and it keeps coming back as failing so my connection fails. I really need to match on something unique on the iPad, but I'm having a hard time finding something that makes it unique.

I have a cert on the machine that I was trying to do some cert to ssl vpn connection profile mapping but was not able to get that to work either. I'm about out of ideas on this one...

Thanks,

Bruce

bruced.brown_2 Thu, 02/10/2011 - 15:01

Thanks Jason for the response. I am running the Essentials license, and thanks for the update on the bug. I'm probably running into this one because I am running 8.3(2)12. I'll probably try to get the 8.4(1) version which is on the download page. Are there any other issues with DAP in 8.4 that I should be aware of from a DAP standpoint? I'll review the release notes and if it looks good probably get this upgraded and tested. Thanks again.

Bruce

joe-vieira Tue, 02/08/2011 - 10:14

Hi Jason,

We currently have ASA 5520s for our SSL VPN needs. We use AnyConnect for company laptops that have to meet posture requirements, and clientless for users' home PCs. We now have a requirement to test iPhone SSL VPN connections. The clientless version doesn't work because it doesn't support Java to connect to terminal servers after authentication. I need information on how to configure the ASAs for iPhone using AnyConnect. Do we need to add a new profile?

Thanks

Jason Gervia Tue, 02/08/2011 - 12:06

Joe,

Normally for SSLVPN you wouldn't need to create a separate profile - the iPhone can connect to the same profile.  However, if you're doing posture assessment, you may want to create a separate profile so that the ASA can connect to it, and then check for that profile in a DAP entry with the 'continue' action so that the iPhones will get through your DAP policy assignment.

--Jason

joe-vieira Tue, 02/08/2011 - 12:16

Jason,

Can you point me to any configuration guides on how to configure the ASA for iPhones? I don't understand how the posture can be configured for iPhones. Wouldn't it be easier to configure a separate profile and not check for posture and just have it authenticate?

Also, I have another question. Is it possible to use the iPhone to monitor the ASAs? We currently use ASDM on our Windows machines to monitor remotely.

Jason Gervia Wed, 02/09/2011 - 18:12

Joe,

There's not a real document on how to specifically configure for the iPhone when it comes to DAP - I'll look into making one.

There are basically 2 components:  Posture Assessment/hostchecking, and DAP

Posture Assessment is essentially a way of reporting on attributes of a given device (using hostscan or CSD)

DAP is taking actions given those attributes and AAA attributes reported by how you log in.

Apple's devices can't participate in posture assessment.  If you have rules in DAP that depend on those Hostscan attributes being reported, you have to adjust those rules to allow the iPhone access.  Just creating a tunnel group that doesn't run CSD doesn't bypass your DAP rules, which are always run.  You could create a tunnel-group for the iPhone, but then you would have to have a DAP rule checking for that tunnel-group to allow the iPhone access.

Of course, if you're not using DAP, you don't have these concerns.

ASDM depends on java - until Apple decides to support java on the iDevices, you won't be able to monitor ASAs from them using ASDM.

ekaradimos Tue, 02/08/2011 - 11:20

Hi

I am one step away from succeeding in connecting .........

We are trying to connect iPhones/iPads to our enterprise network via the device's built-in Cisco IPSec VPN client.

iPhone/Pad users use IPSec client to establish a VPN connection between their device and ASA. On their devices all necessary certificates are installed (2 certificates : one identity and one root).

On ASA we have installed THE SAME root certificate and an identity certificate.

The 2 identity certificates HAVE the same issuer (root certificate).

Everything works almost fine. ISAKMP (VPN Phase 1) seems to be OK EXCEPT certificate validation. I get the following errors on the ASA.

There is a strange error about the ExtendedKeyUsage OID not being acceptable.

Any help would be welcome.

CRYPTO_PKI: Looking for suitable trustpoints...

CRYPTO_PKI: Found a suitable authenticated trustpoint ASDM_TrustPoint0.

CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2
CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = 1.3.6.1.5.5.8.2.2, NOT acceptable
CRYPTO_PKI:check_key_usage: No acceptable ExtendedKeyUsage OIDs found

CRYPTO_PKI: Certificate validation: Failed, status: 1873. Attempting to retrieve revocation status if necessary

ERROR: Certificate validation failed. Peer certificate key usage is invalid, serial number: 4CF50CA500070000073A, subject name: cn=Vagelis-iphone4,ou=iPhonecert,o=COSMOTE SA,l=ATHENS,st=ATTICA,c=GR

CRYPTO_PKI: Certificate not validated
CRYPTO_PKI: Invalid cert.

Jason Gervia Tue, 02/08/2011 - 11:41

Ekaradimos,

As of 8.0(3)4 for SSL (and 8.0(2) for IPsec):

If the ExtendedKeyUsage extension is present it must contain one of the following for IPsec:

     * id-kp-clientAuth        1.3.6.1.5.5.7.3.2
     * id-kp-ipsecEndSystem    1.3.6.1.5.5.7.3.5
     * id-kp-ipsecTunnel       1.3.6.1.5.5.7.3.6
     * id-kp-ipsecUser         1.3.6.1.5.5.7.3.7

If the ExtendedKeyUsage extension is present it must contain the following for SSL:

     * id-kp-clientAuth        1.3.6.1.5.5.7.3.2

If you're issuing an ID certificate for IPSec and it doesn't have one of those EKUs, you need to tell the ASA to ignore the key usage check.  You can do this under the trustpoint configuration (I would put it on the trustpoint containing the root certificate) :

crypto ca trustpoint 
ignore-ipsec-keyusage
ignore-ssl-keyusage
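
As an added example (my own code, not Cisco's and not part of Jason's reply), the following Python mirrors the acceptance rule above: it decodes an ExtendedKeyUsage extension from its DER bytes, checks the OIDs against the IPsec and SSL sets, and shows what ignore-ipsec-keyusage changes. The EKU byte strings and the debug line it parses are constructed samples; 1.3.6.1.5.5.8.2.2 is the OID rejected in the debug output quoted earlier in this thread.

```python
from __future__ import annotations

import re
from typing import Optional

# Acceptable EKU OIDs per protocol, as listed in the reply above.
IPSEC_ACCEPTABLE_EKUS = {
    "1.3.6.1.5.5.7.3.2": "id-kp-clientAuth",
    "1.3.6.1.5.5.7.3.5": "id-kp-ipsecEndSystem",
    "1.3.6.1.5.5.7.3.6": "id-kp-ipsecTunnel",
    "1.3.6.1.5.5.7.3.7": "id-kp-ipsecUser",
}
SSL_ACCEPTABLE_EKUS = {"1.3.6.1.5.5.7.3.2": "id-kp-clientAuth"}
ACCEPTABLE = {"ipsec": IPSEC_ACCEPTABLE_EKUS, "ssl": SSL_ACCEPTABLE_EKUS}


def _read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length; 2 bytes is plenty for an EKU
        n = length & 0x7F
        if n == 0 or n > 2:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _decode_oid(value: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents (X.690 base-128 arcs) to dotted form."""
    if not value or value[-1] & 0x80:
        raise ValueError("malformed OID")
    first = value[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # a clear high bit ends the current arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_eku_extension(der: bytes) -> list[str]:
    """Decode an ExtendedKeyUsage extnValue: SEQUENCE OF OBJECT IDENTIFIER."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        tag, oid, pos = _read_tlv(seq, pos)
        if tag != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER inside EKU")
        oids.append(_decode_oid(oid))
    return oids


def check_key_usage(ekus: Optional[list[str]], protocol: str,
                    ignore_keyusage: bool = False) -> tuple[bool, str]:
    """ASA rule: an absent extension passes; a present one must intersect the
    protocol's set; ignore-<protocol>-keyusage turns a failure into a logged pass."""
    if ekus is None:
        return True, "no ExtendedKeyUsage extension present"
    acceptable = ACCEPTABLE[protocol]
    matched = [acceptable[o] for o in ekus if o in acceptable]
    if matched:
        return True, "acceptable EKU: " + ", ".join(matched)
    if ignore_keyusage:
        return True, f"IGNORING {protocol} key usage check failure"
    return False, "No acceptable ExtendedKeyUsage OIDs found"


def parse_debug_ekus(debug_text: str) -> list[str]:
    """Pull the EKU OIDs the ASA reported in 'debug cry ca' output lines."""
    return re.findall(r"ExtendedKeyUsage OID = ([0-9.]+)", debug_text)


# Constructed sample: EKU holding only 1.3.6.1.5.5.8.2.2 (iKEIntermediate).
EKU_IKE_INTERMEDIATE = bytes.fromhex("300a06082b06010505080202")
# Constructed sample: EKU holding id-kp-clientAuth and id-kp-ipsecUser.
EKU_CLIENT_AUTH_AND_IPSEC_USER = bytes.fromhex(
    "301406082b0601050507030206082b06010505070307")
# Constructed sample debug line in the format quoted above.
SAMPLE_DEBUG = ("CRYPTO_PKI:check_key_usage: ExtendedKeyUsage OID = "
                "1.3.6.1.5.5.8.2.2, NOT acceptable\n")

if __name__ == "__main__":
    for name, der in (("iKEIntermediate-only", EKU_IKE_INTERMEDIATE),
                      ("clientAuth+ipsecUser", EKU_CLIENT_AUTH_AND_IPSEC_USER)):
        oids = decode_eku_extension(der)
        for proto in ("ipsec", "ssl"):
            print(name, proto, check_key_usage(oids, proto))
        print(name, "ipsec + ignore-ipsec-keyusage",
              check_key_usage(oids, "ipsec", ignore_keyusage=True))
    print("from debug:", check_key_usage(parse_debug_ekus(SAMPLE_DEBUG), "ipsec"))
```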

ekaradimos Tue, 02/08/2011 - 13:19

Thank you very much for your prompt answer.

Now I get another error. The certificate is validated, but it checks for a CRL.

CRYPTO_PKI(make trustedCerts list)CRYPTO_PKI:check_key_usage: Incorrect KeyUsage (60)
CRYPTO_PKI:check_key_usage: IGNORING IPSec Key Usage check failure

(Thanks. The ignore command worked)

CRYPTO_PKI: Certificate validation: Successful, status: 0. Attempting to retrieve revocation status if necessary

CRYPTO_PKI:Certificate validated. serial number: 62BECDC7000700000745, subject name:  cn=Vagelis-iphone4,ou=iPhonecert,o=COSMOTE SA,l=ATHENS,st=ATTICA,c=GR.

CRYPTO_PKI: Certificate validated without revocation checkFeb 08 23:14:16 [IKEv1]: Group = iPhoneGrpPolicy, IP = 87.202.26.31, Removing peer from peer table failed, no match!
Feb 08 23:14:16 [IKEv1]: Group = iPhoneGrpPolicy, IP = 87.202.26.31, Error: Unable to remove PeerTblEntry

Jason Gervia Wed, 02/09/2011 - 13:05

Ekaradimos

You're actually succeeding in PKI validation (the cert is validated without a revocation check).  You'll need to check your isakmp debugs (debug crypto isakmp 127) to see if phase1/phase 2 of ipsec is succeeding - you're probably failing phase 2 but we won't know that without debugs.

These error messages are just indicative of a VPN being torn down and don't really provide any useful troubleshooting information, so you can ignore them (other than knowing they mean a VPN was torn down):

Removing peer from peer table failed, no match!
Feb 08 23:14:16 [IKEv1]: Group = iPhoneGrpPolicy, IP = 87.202.26.31, Error: Unable to remove PeerTblEntry

tgm@consultant.com Mon, 02/21/2011 - 21:48

A couple of clients are using WRVS4400N small business routers on their networks.  They have joined the craze with both iPhones and iPads and want to remotely connect to their networks with VPN.  Unfortunately, the WRVS4400N does not currently support the Cisco version of IPsec, but does support the standard version of the protocol.

Question one...  Are there plans to add the Cisco version of IPsec to the WRVS4400N firmware in the near future?  And if so, when?

The other option is obviously to upgrade the router.  But what would you recommend for alternate hardware that supports all of the other features that the WRVS4400N already has, plus the ability to connect iPhone and iPad VPN tunnels directly?  Price sensitivity is something to consider too, where it will be a very hard sell to convince these clients to shell out a lot more than their current investment.

Posted January 31, 2011 at 10:47 AM