iPad VPN? Certificate authentication?

SYED WAJID SHAH
Level 1

Hi there,

Can someone guide me on how I can set up the ASA for our iPad client for PKI (digital certificate authentication)? Our iPad users shouldn't need to input any username/password to connect to our VPN. I want to install certificates on both sides and let them authenticate.

Is there any other way to do it?

Can I do it with a self-signed certificate? Or

do I need to buy a third-party certificate?

Any config links and examples would be appreciated.

Regards,

Syed

2 Replies

Jason Gervia
Cisco Employee

Check out Apple's deployment guide for the iPad:

http://manuals.info.apple.com/en_US/Enterprise_Deployment_Guide.pdf

It covers the requirements for the iPad/iPhone.

For certificate authentication, you can follow this link:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080930f21.shtml

You should use these IPsec/ISAKMP settings, minus the 'mode transport', for the VPN client:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/l2tp_ips.html#wp1046219

And obviously change your ISAKMP policy to not use a pre-shared key.

--Jason
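The advice in the reply above, pulled together into one worked ASA 8.0/8.2 configuration as an added example for this thread. It is not taken from the linked Cisco documents or from the poster's own config. The interface name outside, the trustpoint IPAD-CA, the key label, the pool IPAD-POOL, the hostname vpn.example.com and the OU value ipad-vpn in the client certificates are assumptions; the group-policy and tunnel-group name IPAD_VPN and the crypto map name Remote_VPN are the ones visible in the poster's follow-up output. The CA can be an internal (self-signed) CA: the ASA only needs to trust the issuer of the iPad certificates, and the iPad needs to trust the issuer of the ASA's certificate, which the configuration profile described in Apple's deployment guide installs.

```text
! --- Added example: ASA 8.x IKEv1 remote-access VPN, certificate (rsa-sig) auth for iPad ---
! Assumptions: interface "outside", trustpoint IPAD-CA, key label IPAD-VPN-KEY,
! pool IPAD-POOL, hostname vpn.example.com, client certificates carry OU=ipad-vpn.
! Syntax is the pre-8.3/8.4 form (crypto isakmp / crypto ipsec transform-set).

! 1. Trustpoint for the CA that issued the ASA identity cert and the iPad client certs.
crypto key generate rsa label IPAD-VPN-KEY modulus 2048
crypto ca trustpoint IPAD-CA
 enrollment terminal
 subject-name CN=vpn.example.com
 fqdn vpn.example.com
 keypair IPAD-VPN-KEY
 crl configure
!   Then in exec mode: "crypto ca authenticate IPAD-CA" (paste the CA certificate),
!   "crypto ca enroll IPAD-CA" (produces the CSR) and
!   "crypto ca import IPAD-CA certificate" (paste the signed ASA certificate).

! 2. ISAKMP policy: rsa-sig instead of pre-share.
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside
crypto isakmp nat-traversal 20

! 3. IPsec settings from the linked L2TP/IPsec page, without "mode transport"
!    (the iPad built-in IPsec client uses tunnel mode).
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
crypto dynamic-map DYN-IPAD 10 set transform-set ESP-AES-SHA
crypto map Remote_VPN 200 ipsec-isakmp dynamic DYN-IPAD
crypto map Remote_VPN interface outside

! 4. Select the tunnel-group from the client certificate, so the iPad needs no
!    group name / shared secret: OU=ipad-vpn in the subject -> tunnel-group IPAD_VPN.
crypto ca certificate map IPAD-CERT-MAP 10
 subject-name attr ou eq ipad-vpn
tunnel-group-map enable rules
tunnel-group-map IPAD-CERT-MAP 10 IPAD_VPN

! 5. Group-policy and tunnel-group: certificate auth only, no XAUTH username/password.
ip local pool IPAD-POOL 10.20.202.1-10.20.202.254 mask 255.255.255.0
group-policy IPAD_VPN internal
group-policy IPAD_VPN attributes
 vpn-tunnel-protocol IPSec
tunnel-group IPAD_VPN type remote-access
tunnel-group IPAD_VPN general-attributes
 address-pool IPAD-POOL
 default-group-policy IPAD_VPN
tunnel-group IPAD_VPN ipsec-attributes
 trust-point IPAD-CA
 isakmp ikev1-user-authentication none

! 6. Verify after the iPad connects ("show vpn-sessiondb detail remote"):
!    the IKE block should read "Auth Mode : rsaSignatures" and "IKE Neg Mode : Main".
!    "preSharedKeys" / "Aggressive" means the client still negotiated with a group name
!    and shared secret, not with its certificate.
```

Two things worth knowing when reading "show crypto ipsec sa" against this: the crypto map sequence number it reports only says which dynamic-map entry supplied the transform set, while the group-policy and tunnel-group applied to the session come from tunnel-group selection (here the certificate map), and the "Auth Mode" line in "show vpn-sessiondb detail" is the quick check that certificate authentication actually took place.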

Jason, many thanks for your help.

I'm not sure what's wrong with my config; the group-policy and tunnel-group are working. I can get my iPad working fine with local authentication, but it uses the crypto map for a different group. For example, I created two crypto maps, 100 and 200. But when I run the show cry ip sa command, I see that the crypto map tag used is 100, which is for another type of client VPN group.

I've uploaded the cert. on the iPad, but I'm unable to get authenticated via it. Can you take a look at the attached config and the show command results below, and let me know how I can correct my configs so the iPad can use certificate authentication instead of local?

Regards,

    Crypto map tag: Remote_VPN, seq num: 100, local addr: 195.59.149.185

      local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
      remote ident (addr/mask/prot/port): (10.20.202.2/255.255.255.255/0/0)
      current_peer: 195.59.149.180, username: cisco
      dynamic allocated peer ip: 10.20.202.2

      #pkts encaps: 1, #pkts encrypt: 1, #pkts digest: 1
      #pkts decaps: 1, #pkts decrypt: 1, #pkts verify: 1
      #pkts compressed: 0, #pkts decompressed: 0
      #pkts not compressed: 1, #pkts comp failed: 0, #pkts decomp failed: 0
      #pre-frag successes: 0, #pre-frag failures: 0, #fragments created: 0
      #PMTUs sent: 0, #PMTUs rcvd: 0, #decapsulated frgs needing reassembly: 0
      #send errors: 0, #recv errors: 0

      local crypto endpt.: 195.59.149.185/4500, remote crypto endpt.: 195.59.149.180/12050
      path mtu 1500, ipsec overhead 82, media mtu 1500
      current outbound spi: 0990CB50

    inbound esp sas:
      spi: 0x4DA962C6 (1302946502)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1925120, crypto-map: Remote_VPN
         sa timing: remaining key lifetime (sec): 3594
         IV size: 16 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000003
    outbound esp sas:
      spi: 0x0990CB50 (160484176)
         transform: esp-aes esp-sha-hmac no compression
         in use settings ={RA, Tunnel,  NAT-T-Encaps, }
         slot: 0, conn_id: 1925120, crypto-map: Remote_VPN
         sa timing: remaining key lifetime (sec): 3594
         IV size: 16 bytes
         replay detection support: Y
Anti replay bitmap:
        0x00000000 0x00000001

Username     : cisco                  Index        : 465
Assigned IP  : 10.20.202.2            Public IP    : 195.59.149.180
Protocol     : IKE IPsecOverNatT
License      : IPsec
Encryption   : 3DES AES128            Hashing      : SHA1
Bytes Tx     : 223                    Bytes Rx     : 2212
Pkts Tx      : 2                      Pkts Rx      : 36
Pkts Tx Drop : 0                      Pkts Rx Drop : 0
Group Policy : IPAD_VPN               Tunnel Group : IPAD_VPN
Login Time   : 10:23:35 GMT/BST Wed Jul 14 2010
Duration     : 0h:06m:17s
NAC Result   : Unknown
VLAN Mapping : N/A                    VLAN         : none

IKE Tunnels: 1
IPsecOverNatT Tunnels: 1

IKE:         
  Tunnel ID    : 465.1
  UDP Src Port : 12198                  UDP Dst Port : 4500
  IKE Neg Mode : Aggressive             Auth Mode    : preSharedKeys
  Encryption   : 3DES                   Hashing      : SHA1
  Rekey Int (T): 3600 Seconds           Rekey Left(T): 3230 Seconds
  D/H Group    : 2
  Filter Name  :
  Client OS    : iPhone OS              Client OS Ver: 3.2                   
             
IPsecOverNatT:
  Tunnel ID    : 465.2
  Local Addr   : 0.0.0.0/0.0.0.0/0/0
  Remote Addr  : 10.20.202.2/255.255.255.255/0/0
  Encryption   : AES128                 Hashing      : SHA1                  
  Encapsulation: Tunnel                
  Rekey Int (T): 3600 Seconds           Rekey Left(T): 3228 Seconds          
  Idle Time Out: 0 Minutes              Idle TO Left : 0 Minutes             
  Bytes Tx     : 223                    Bytes Rx     : 2212                  
  Pkts Tx      : 2                      Pkts Rx      : 36                    
             
NAC:         
  Reval Int (T): 0 Seconds              Reval Left(T): 0 Seconds
  SQ Int (T)   : 0 Seconds              EoU Age(T)   : 373 Seconds
  Hold Left (T): 0 Seconds              Posture Token:
  Redirect URL :