This discussion has been locked.

iOS 10 IPSEC VPN to Sophos XG w/certificate-based authentication

Hello fellow XG users,

I'm attempting to establish an IPSEC VPN tunnel from several different iOS devices back to the Sophos XG Firewall. I've followed the steps in various UTM & XG knowledge base articles in an attempt to piece together a working solution, but nothing seems to work.

So far, I've built profiles with the Apple configuration utility and also downloaded the .mobileconfig file from the user portal. The one thing that's consistent is the error message I receive on the devices: "Could not validate the server certificate."

Any advice/guidance from folks who have successfully established an IPSEC tunnel from iOS to XG with certificate-based authentication?

Thanks in advance for your help! 

chobo997



  • Hi chobo997,

    We would need to verify the certificates on both ends. Could you send snapshots of the certificates:

    1. Certificate used on Local Connection 

    2. Certificate used on Remote location 

    Kindly note that both certificates must be installed on the local XG device and the remote device.

    Thanks and Regards

    Aditya Patel | Network and Security engineer.

  • Aditya,

    A cross-trust is a nice method of strong security; however, you should also allow us to configure IPsec using only a server-side certificate.

    Also, the two-way trust on certificates should be something available on the WAF as well.

    There is even a feature request on that.

    Sorry if I mentioned this lack here.

    Anyway, we await chobo997's screenshot to see what is wrong with the configuration.

    Thanks for your time!

  • Aditya and ferrara,

    Thank you both for your ideas and willingness to help. At this point, I've tried every possible configuration for certificate-based authentication with the CISCO IPsec client. Nothing seems to work on the iOS 10 devices. Given the number of hours I've put into this, I'm going to wait until there's documentation of this particular method (certificate-based auth. w/iOS) actually working in a production environment. Thanks again for all of your help!

    chobo997

  • Hello everyone,

    are there any news on this topic?

    I've set up the CISCO VPN Client connection with a mobileconfig-file.

    The connection has worked 2 or 3 times, but most of the time it hangs until a timeout occurs, with the following log entries in ipsec.log:

    Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: STATE_MAIN_R2: sent MR2, expecting MI3
    Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: Main mode peer ID is ID_DER_ASN1_DN: '<cert>'
    Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39:   digest algorithm not supported
    Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: invalid certificate signature from "<cert>"
    Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: X.509 certificate rejected
    Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: I am sending my cert
    Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3

    Thanks and best regards

    DomNik
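The log above rejects the peer certificate with "digest algorithm not supported" followed by "invalid certificate signature", so the first thing to check is which signature algorithm the CA, firewall and device certificates were actually signed with. The following is an added example and not code from this thread or from Sophos: a standard-library Python checker that reads only the outer DER structure of a PEM or DER certificate and reports its signatureAlgorithm OID. The OID table, the LEGACY_DIGESTS heuristic, and the build_cert_skeleton/to_pem helpers (which produce a constructed, certificate-shaped input for offline testing, not a valid certificate) are assumptions made for illustration.

```python
"""Report the signature (digest) algorithm of an X.509 certificate (PEM or DER).
Added example, not code from the thread or from Sophos; standard library only. It walks the
outer Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
and decodes the OID in signatureAlgorithm, so it works on any certificate the daemon rejects."""
import base64
import sys

# Assumed subset of signature-algorithm OIDs -> (name, digest); extend as needed.
SIG_ALGS = {
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
    "1.2.840.10045.4.3.4": ("ecdsa-with-SHA512", "SHA-512"),
}
LEGACY_DIGESTS = {"MD5", "SHA-1"}  # assumption: the usual cause of a rejected signature
PEM_BEGIN, PEM_END = b"-----BEGIN CERTIFICATE-----", b"-----END CERTIFICATE-----"

def read_tlv(buf, pos):
    """Decode the DER tag and length at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:  # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        if not 0 < n <= 4:
            raise ValueError("indefinite or oversized length is not valid DER")
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start, end = pos + hdr, pos + hdr + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, end

def decode_oid(raw):
    """OID content bytes (base-128 arcs) -> dotted string, e.g. 1.2.840.113549.1.1.11."""
    arcs = [raw[0] // 40, raw[0] % 40] if raw[0] < 80 else [2, raw[0] - 80]
    val, pending = 0, False
    for b in raw[1:]:
        val, pending = (val << 7) | (b & 0x7F), bool(b & 0x80)  # high bit: arc continues
        if not pending:
            arcs.append(val)
            val = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)

def load_cert(data):
    """Accept PEM or DER bytes and return the DER of the first certificate."""
    begin = data.find(PEM_BEGIN)
    if begin < 0:
        return data
    end = data.find(PEM_END, begin)
    if end < 0:
        raise ValueError("PEM block has no END CERTIFICATE line")
    return base64.b64decode(b"".join(data[begin + len(PEM_BEGIN):end].split()))

def signature_algorithm(data):
    """Return (oid, name, digest) from the certificate's outer signatureAlgorithm field."""
    der = load_cert(data)
    t1, pos, _ = read_tlv(der, 0)          # Certificate SEQUENCE
    t2, _, pos = read_tlv(der, pos)        # skip tbsCertificate entirely
    t3, pos, _ = read_tlv(der, pos)        # signatureAlgorithm SEQUENCE
    t4, start, end = read_tlv(der, pos)    # AlgorithmIdentifier.algorithm OID
    if (t1, t2, t3, t4) != (0x30, 0x30, 0x30, 0x06):
        raise ValueError("input is not a DER X.509 certificate")
    oid = decode_oid(der[start:end])
    return (oid,) + SIG_ALGS.get(oid, ("unknown", "unknown"))

def is_legacy(data):
    return signature_algorithm(data)[2] in LEGACY_DIGESTS

# Constructed test input: certificate-shaped DER only (NOT a valid certificate).
def _der(tag, body):
    n = len(body)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + body

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def build_cert_skeleton(sig_oid):
    """200-byte filler tbsCertificate forces long-form lengths, as real certificates have."""
    tbs = _der(0x30, _der(0x02, b"\x02") + b"\x00" * 200)
    alg = _der(0x30, _der(0x06, encode_oid(sig_oid)) + _der(0x05, b""))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 33))

def to_pem(der):
    return PEM_BEGIN + b"\n" + base64.encodebytes(der) + PEM_END + b"\n"

if __name__ == "__main__":  # usage: python3 certsig.py ca.pem  (no argument: built-in SHA-1 skeleton)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_cert_skeleton("1.2.840.113549.1.1.5")
    print(signature_algorithm(data), "LEGACY digest, reissue with SHA-256 or stronger" if is_legacy(data) else "ok")
```

Run it against the CA certificate, the firewall's own certificate and the certificate installed on the iOS device; if any of them reports MD5 or SHA-1, reissue it with SHA-256 before spending more time on the tunnel configuration. The check reads only the outer signatureAlgorithm field and deliberately does not validate the chain, so it cannot replace a full verification, but it isolates the one property the log entries above complain about.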

  • Hi

    Has anyone resolved this issue?

    I keep getting the same error, "server identity incorrect"; I can confirm it has both certificates on the iOS device.

    Thanks

  • Can anyone from Sophos try to set up IPsec on iOS with certificate-based authentication and update us if you got it working?

    It seems this has never worked going by the posts and no one from Sophos has been able to comment on it.

    Thanks