
iOS 10 IPSEC VPN to Sophos XG w/certificate-based authentication

Hello fellow XG users,

I'm attempting to establish an IPSEC VPN tunnel from several different iOS devices back to the Sophos XG Firewall. I've followed the steps in various UTM & XG knowledge base articles in an attempt to piece together a working solution, but nothing seems to work.

So far, I've built profiles with the Apple configuration utility and also downloaded the .mobileconfig file from the user portal. The one thing that's consistent is the error message I receive on the devices: "Could not validate the server certificate."

Any advice/guidance from folks who have successfully established an IPSEC tunnel from iOS to XG with certificate-based authentication?

Thanks in advance for your help! 

chobo997



  • Chobo997,

    can you share your IPSec policy?

    Thanks.

  • Luk,

    Thanks for the reply. I followed this knowledge base article to set things up: https://community.sophos.com/kb/en-us/123137. Connections using "pre-shared key" are now working.

    However, certificate-based authentication continues to be a no-go. Any thoughts on the exact configuration needed for an iOS device to successfully connect to the XG Firewall with certificates?

    Thanks so much,
    chobo997

  • Chobo997,

    you have to pay attention to the certificates you have configured inside the IPSec policy. If you share what you have configured, we will have more clarity.

    Thanks

  • Hi chobo997,

    We would need to verify the certificates on both ends. Could you send snaps of the certificates:

    1. Certificate used on the local connection

    2. Certificate used on the remote location

    Kindly note that both certificates must be installed on the local XG device and the remote device.

    Thanks and Regards

    Aditya Patel | Network and Security engineer.

  • Aditya,

    a cross-trust is a nice method for strong security; however, you should also allow us to configure IPSec using only a server-side certificate.

    Also, two-way trust on certificates should be something available on the WAF as well.

    There is even a feature request on that.

    Sorry if I mentioned this lack here.

    Anyway, we wait for Chobo997's screenshot to see what is wrong with their configuration.

    Thanks for your time!

  • Aditya and ferrara,

    Thank you both for your ideas and willingness to help. At this point, I've tried every possible configuration for certificate-based authentication with the CISCO IPsec client. Nothing seems to work on the iOS 10 devices. Given the number of hours I've put into this, I'm going to wait until there's documentation of this particular method (certificate-based auth. w/iOS) actually working in a production environment. Thanks again for all of your help!

    chobo997

  • Hello everyone,

    is there any news on this topic?

    I've set up the CISCO VPN Client connection with a mobileconfig file.

    The connection was already working 2 or 3 times, but most of the time it hangs until a timeout occurs with the following log entries in ipsec.log:

    Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: STATE_MAIN_R2: sent MR2, expecting MI3
    Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: Main mode peer ID is ID_DER_ASN1_DN: '<cert>'
    Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39:   digest algorithm not supported
    Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: invalid certificate signature from "<cert>"
    Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: X.509 certificate rejected
    Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: I am sending my cert
    Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3

    Thanks and best regards

    DomNik
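As an added illustration (not code from this thread or from Sophos): a small Python parser for ipsec.log lines in the format DomNik posted, which groups messages by ISAKMP SA number and reports, for every SA where the XG logged "X.509 certificate rejected", the reason lines that came before it. The sample input is constructed from the post's excerpt, keeping its <ip> and <cert> placeholders, plus a made-up second SA (#41) that negotiates cleanly.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the ipsec.log excerpt in DomNik's post; the <ip> and
# <cert> placeholders are kept as posted, and SA #41 is a made-up clean negotiation.
SAMPLE_LOG = """\
Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: STATE_MAIN_R2: sent MR2, expecting MI3
Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: ignoring informational payload, type IPSEC_INITIAL_CONTACT
Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: Main mode peer ID is ID_DER_ASN1_DN: '<cert>'
Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39:   digest algorithm not supported
Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: invalid certificate signature from "<cert>"
Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: X.509 certificate rejected
Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: I am sending my cert
Apr 29 21:13:18 "Cisco_VPN-1"[1] <ip> #39: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
Apr 29 21:20:02 "Cisco_VPN-1"[2] <ip> #41: Main mode peer ID is ID_DER_ASN1_DN: '<cert>'
Apr 29 21:20:02 "Cisco_VPN-1"[2] <ip> #41: transition from state STATE_MAIN_R2 to state STATE_MAIN_R3
"""

# One ipsec.log line: timestamp, connection name, instance, peer, ISAKMP SA number, message.
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) "(?P<conn>[^"]+)"\[(?P<inst>\d+)\] '
    r'(?P<peer>\S+) #(?P<sa>\d+):\s+(?P<msg>.*)$'
)
# Messages the XG logs just before it throws the peer certificate away.
REASON_PREFIXES = ("digest algorithm not supported", "invalid certificate signature")

def parse_line(line):
    """Split one log line into its fields, or return None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_cert_rejections(log_text):
    """Return {sa: [reason, ...]} for every SA whose peer certificate was rejected."""
    reasons = defaultdict(list)
    rejected = set()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        msg = rec["msg"]
        if msg.startswith(REASON_PREFIXES):
            reasons[rec["sa"]].append(msg)
        elif msg == "X.509 certificate rejected":
            rejected.add(rec["sa"])
    return {sa: reasons.get(sa, []) for sa in sorted(rejected, key=int)}

if __name__ == "__main__":
    for sa, why in find_cert_rejections(SAMPLE_LOG).items():
        print(f"SA #{sa}: peer certificate rejected -> " + "; ".join(why))
```

Run against a real ipsec.log, the reason list tells you whether the device's certificate chain is signed with a digest the XG does not accept before you start comparing the certificates on both ends.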

  • Hi

    Has anyone resolved this issue?

    I keep getting the same error, server identity incorrect. I can confirm it has both certificates on the iOS device.

    Thanks
