Ipsec and iphone v3 - Page 2

Jack Daniel · #11 (**permalink**) 06-26-2009, 12:43 AM

@Wingman, this appears to be a new issue with the 3.0 software on the iPhone/iPod Touch. We have an open case on the issue and QA is working on it. Apple has apparently changed the behavior of the Cisco IPSec client in 3.0 and is not accepting the certificates as they were in prior versions.

The best temporary workaround is to use L2TP over IPSec until we can sort out what Apple did to certificate handling int he "Cisco" VPNs.

Jack

wingman · #12 (**permalink**) 06-26-2009, 07:57 AM

Quote:

Originally Posted by Jack Daniel

@Wingman, this appears to be a new issue with the 3.0 software on the iPhone/iPod Touch. We have an open case on the issue and QA is working on it. Apple has apparently changed the behavior of the Cisco IPSec client in 3.0 and is not accepting the certificates as they were in prior versions.

The best temporary workaround is to use L2TP over IPSec until we can sort out what Apple did to certificate handling int he "Cisco" VPNs.

Jack

thanks Jack

Jack Daniel · #13 (**permalink**) 06-26-2009, 05:12 PM

Wingman-

Can you check your X.509 cert and make sure that the listed hostname both matches the ASG's hostname and is in a FQDN (host.domain.ext) format?

Also, please check under Site-to-site VPN > IPSec > Advanced tab, and make sure Strict Policy is not selected in the CRL Box.

Thanks
Jack

wingman · #14 (**permalink**) 06-26-2009, 06:36 PM

I haven't configured Site-to-site at all. I only configured remote access>>ipsec and remote access>>cisco vpn client

however, I dont have the strict policy enabled in neither site-to-site nor remote access

Jack Daniel · #15 (**permalink**) 06-26-2009, 09:04 PM

OK, thanks- that setting actually carries over to Remote access. Did you get a chance to chack and compare the hostname on the ASG to the X.509 cert?

Jack

BAlfson · #16 (**permalink**) 06-26-2009, 09:44 PM

Jack, do you mean that the selection of 'Strict policy' in S-t-S IPsec or Remote Access IPsec affects that for both AND for the Cisco VPN? If that's the case, then I think that you should submit it as a bug in the 7.5 beta contest... you need to get on the scoreboard!

Seriously, since this is some kind of global setting, at least the documentation should be reworked. The good news is that selecting it in S-t-S results in it being selected in Remote Access, too.

Cheers - Bob
PS Does it also affect L2TP over IPsec if using a cert instead of a PSK?

wingman · #17 (**permalink**) 07-16-2009, 08:32 AM

Quote:

Originally Posted by Jack Daniel

OK, thanks- that setting actually carries over to Remote access. Did you get a chance to chack and compare the hostname on the ASG to the X.509 cert?

Jack

Yes Jack,the hostnames are then same. There is a relevant thread I've opened where my connection is being dropped when trying to connect my iphone. I would appreciate if you could have a look

wingman · #18 (**permalink**) 09-05-2009, 12:05 AM

i 've just tested v 7.490 and it seems to work with iphone v3

I am able to connect to user portal and webadmin and trying to resolve why I can't connect to the internet

jplahl · #19 (**permalink**) 09-05-2009, 09:53 AM

Cisco VPN with iPhone is working with 7.490.

Quote:

I am able to connect to user portal and webadmin and trying to resolve why I can't connect to the internet

Do you have allow http proxy access to the VPN Pool(Cisco) in the allowed networks?
I also have to configure the proxy in the vpn configuration of the iPhone.

Joachim

wingman · #20 (**permalink**) 09-05-2009, 09:57 AM

haven't done the configuration proxy on my iphone as I am using transparent proxy on ASG
(I've opened a new thread for the issue

)

Thanks