Cisco ASA and Apple IOS VPN with Certificates

Associate | Joined 14 Apr 2008 | Posts 1,230 | Location Manchester
Hello all,

I don't post as often as I should, but now I need some help.

We have been banging our collective heads together for over a week now on this. We're trying to set up a certificate-authenticated IPSEC VPN between Apple iOS devices and a Cisco ASA.

The certificates are created using a dedicated OpenSSL CA managed by us and the ASA is managed by an external hosting company (so there is a lot of slow back and forth).

Has anyone got this configuration working? The aim is to be able to use the iOS VPN on-demand feature, which requires certificate-based authentication.

Connecting from the iPhone results in 'unable to verify the server certificate' (or words to that effect), and connecting from OSX causes the racoon daemon to die without error.

Connecting using the Cisco client is fine so it must be the way the Racoon/Unix implementation of ISAKMP/IPSEC works for cert auth.

If I turn verify off for racoon on OSX then the connection does work, but this isn't an option for the iPhone (it also defeats the object of having certificates in the first place).

The CA cert has been imported on both the device and in OSX. The server cert has a DNS based subjectAltName but we've also tried with IP.

The server cert is in a different OU to the clients but I wouldn't have thought this would matter.

My gut feeling is that it's something in the certificate generation so if anyone could dump an X509 certificate (without keys obviously, just to show the make up of the subjectName and what other parameters are in it) that would be really useful.

Thanks in advance!
 
Associate | Joined 9 Feb 2011 | Posts 118
With the ASA and mobile devices, you need the mobile licence and use the Cisco app from the store, which extends the built-in VPN function. Are these in place?
 
Associate (OP) | Joined 14 Apr 2008 | Posts 1,230 | Location Manchester
I haven't seen anything anywhere about a mobile licence for the ASA. It's fully licensed for VPN purposes; is this different?

We are using the standard built in IPSEC client, we're not trying to use AnyConnect/SSL so as far as I can tell we don't need another app.

Should the CN of the server certificate be hostname only and not FQDN? Or should it be the actual as-configured hostname of the ASA and not the DNS hostname that the users will connect as (e.g. vpn.example.com), which is how we've generated the certificates now?
 
Associate (OP) | Joined 14 Apr 2008 | Posts 1,230 | Location Manchester
Well, we got it working. We're not using the AnyConnect SSL method, we are using the built-in IPSEC method, so no licence required.

It turns out that Apple do not trust certificates which have an MD5-based signature. We had to regenerate them with a SHA1 signature, after which it started working.

Took some time to track down though, I couldn't find it mentioned in the enterprise deployment guide for iOS devices.
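The fix described in the post above, worked through as an added example (this is not code from the thread or from the OP's CA): a throwaway OpenSSL CA issues a gateway certificate whose CN and DNS subjectAltName both carry the name the clients dial, signed with SHA-256 rather than MD5, and a check reports the signature algorithm the way a client would judge it. The check flags SHA-1 as well as MD5, since SHA-1 signatures have since gone the same way; the name vpn.example.com, the DNs and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example: issue a VPN gateway certificate with a modern signature and
# audit it before handing it to the ASA. Requires the openssl CLI.
set -eu

WORK="${WORK:-$(mktemp -d)}"                     # scratch dir (assumption)
SERVER_NAME="${SERVER_NAME:-vpn.example.com}"   # FQDN the clients dial (assumption)

# Throwaway root CA, self-signed with SHA-256.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/O=Example Ltd/OU=CA/CN=Example VPN Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Gateway certificate: CN and DNS SAN both hold the dialled FQDN, signature
# digest is SHA-256 (an MD5 digest here is what the thread found iOS rejects).
issue_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/O=Example Ltd/OU=VPN Gateways/CN=$SERVER_NAME" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nsubjectAltName=DNS:%s\n' \
    "$SERVER_NAME" > "$WORK/server.ext"
  openssl x509 -req -sha256 -days 365 -in "$WORK/server.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/server.ext" -out "$WORK/server.crt" 2>/dev/null
}

# Print the signature algorithm recorded in a certificate, e.g. sha256WithRSAEncryption.
signature_algorithm() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1
}

# Print the subjectAltName entries, e.g. DNS:vpn.example.com.
san_names() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | tr -d ' '
}

# True (exit 0) when the digest in a signature algorithm name is MD5 or SHA-1.
weak_signature() {
  case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
    *md5*|*sha1*) return 0 ;;
    *) return 1 ;;
  esac
}

# Chain check as a client with only the CA cert installed would do it.
verify_chain() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null 2>&1
}

# Build everything and report what the iPhone is going to see.
audit() {
  make_ca
  issue_server_cert
  alg="$(signature_algorithm "$WORK/server.crt")"
  if weak_signature "$alg"; then
    echo "REJECT: $SERVER_NAME is signed with $alg; re-issue with a SHA-2 digest"
    return 1
  fi
  verify_chain || { echo "REJECT: $SERVER_NAME does not chain to ca.crt"; return 1; }
  echo "OK: $SERVER_NAME signed with $alg, SAN $(san_names "$WORK/server.crt")"
}

audit
```

Run `signature_algorithm` against the certificate the hosting company actually loaded on the ASA; if it prints md5WithRSAEncryption the device-side error in the first post is expected, whatever the CN and OU look like.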
 

DRZ

Soldato | Joined 2 Jun 2003 | Posts 7,419 | Location In the top 1%
We're using AnyConnect but we're heavily buying into Apple for portable devices and this sort of info will come in very useful in the near future!

Thanks :)
 