This discussion has been locked.
iphone 4.2 and vpn ipsec

Hi,

I have an iPhone 4.2 device and tried to follow the document about installing the IPsec VPN. Everything went fine until an error message was shown, something like "not validated the cert"....

It is strange because, as I could read on this forum, the cert has the same name as my server....

Which could be the problem then?

Regards

This thread was automatically locked due to age.
  • I used the instructions here https://support.astaro.com/support/index.php/iPhone_IPSec_VPN_connection_to_Astaro

    but I think I have the same problem here..

    2011:02:12-12:46:42 bird-eu pluto[30551]: packet from 2.105.216.115:500: received Vendor ID payload [RFC 3947]
    2011:02:12-12:46:42 bird-eu pluto[30551]: packet from 2.105.216.115:500: ignoring Vendor ID payload [4df37928e9fc4fd1b3262170d515c662]
    2011:02:12-12:46:42 bird-eu pluto[30551]: packet from 2.105.216.115:500: ignoring Vendor ID payload [8f8d83826d246b6fc7a8a6a428c11de8]
    2011:02:12-12:46:42 bird-eu pluto[30551]: packet from 2.105.216.115:500: ignoring Vendor ID payload [439b59f8ba676c4c7737ae22eab8f582]
    2011:02:12-12:46:42 bird-eu pluto[30551]: packet from 2.105.216.115:500: ignoring Vendor ID payload [4d1e0e136deafa34c4f3ea9f02ec7285]
    2011:02:12-12:46:42 bird-eu pluto[30551]: packet from 2.105.216.115:500: ignoring Vendor ID payload [80d0bb3def54565ee84645d4c85ce3ee]
    2011:02:12-12:46:42 bird-eu pluto[30551]: packet from 2.105.216.115:500: ignoring Vendor ID payload [9909b64eed937c6573de52ace952fa6b]
    2011:02:12-12:46:42 bird-eu pluto[30551]: packet from 2.105.216.115:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03]
    2011:02:12-12:46:42 bird-eu pluto[30551]: packet from 2.105.216.115:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02]
    2011:02:12-12:46:42 bird-eu pluto[30551]: packet from 2.105.216.115:500: ignoring Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n]
    2011:02:12-12:46:42 bird-eu pluto[30551]: packet from 2.105.216.115:500: received Vendor ID payload [XAUTH]
    2011:02:12-12:46:42 bird-eu pluto[30551]: packet from 2.105.216.115:500: ignoring Vendor ID payload [Cisco-Unity]
    2011:02:12-12:46:42 bird-eu pluto[30551]: packet from 2.105.216.115:500: received Vendor ID payload [Dead Peer Detection]
    2011:02:12-12:46:42 bird-eu pluto[30551]: "D_REF_jHTXqeaMSO"[4] 2.105.216.115 #19: responding to Main Mode from unknown peer 2.105.216.115
    2011:02:12-12:46:43 bird-eu pluto[30551]: "D_REF_jHTXqeaMSO"[4] 2.105.216.115 #19: NAT-Traversal: Result using RFC 3947: no NAT detected
    2011:02:12-12:46:43 bird-eu pluto[30551]: "D_REF_jHTXqeaMSO"[4] 2.105.216.115 #19: ignoring informational payload, type IPSEC_INITIAL_CONTACT
    2011:02:12-12:46:43 bird-eu pluto[30551]: "D_REF_jHTXqeaMSO"[4] 2.105.216.115 #19: Peer ID is ID_DER_ASN1_DN: 'C=dk, L=copenhagen, O=gilnet, CN=Gilbert, E=tg@floss.dk'
    2011:02:12-12:46:43 bird-eu pluto[30551]: "D_REF_jHTXqeaMSO"[4] 2.105.216.115 #19: crl not found
    2011:02:12-12:46:43 bird-eu pluto[30551]: "D_REF_jHTXqeaMSO"[4] 2.105.216.115 #19: certificate status unknown
    2011:02:12-12:46:43 bird-eu pluto[30551]: "D_REF_jHTXqeaMSO"[4] 2.105.216.115 #19: we have a cert and are sending it
    2011:02:12-12:46:43 bird-eu pluto[30551]: "D_REF_jHTXqeaMSO"[4] 2.105.216.115 #19: sent MR3, ISAKMP SA established
    2011:02:12-12:46:43 bird-eu pluto[30551]: "D_REF_jHTXqeaMSO"[4] 2.105.216.115 #19: sending XAUTH request
    2011:02:12-12:46:44 bird-eu pluto[30551]: packet from 2.105.216.115:500: Informational Exchange is for an unknown (expired?) SA
    2011:02:12-12:46:53 bird-eu pluto[30551]: ERROR: asynchronous network error report on eth0 for message to 2.105.216.115 port 500, complainant 2.105.216.115: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
    2011:02:12-12:47:01 bird-eu pluto[30551]: ERROR: asynchronous network error report on eth0 for message to 2.105.216.115 port 500, complainant 2.105.216.115: Connection refused [errno 111, origin ICMP type 3 code 3 (not authenticated)]
  • Hi guys,

    You might try this. I've had the exact same error as the one Gilbert posted (the log file). It took me some time to figure it out, but we've managed to get it working now.

    What you have to make sure is that the hostname of your Astaro device and the override common name in your Cisco VPN Client settings are exactly the same.

    So please check under Management --> System Settings --> Hostname, [Hostname:] name.domain.com

    and

    Remote Access --> Cisco VPN Client -->iPhone, [Override hostname:] name.domain.com

    These two settings have to be identical for the certificate to work.

    Also, if they differ from each other, you have to replace one of the names (make sure this name is externally resolvable). Be aware that when you change your Hostname, you also have to regenerate the signing certificate under Remote Access menu --> Certificate Management. (A second point to take into consideration before regenerating the signing certificate is that when you have existing (SSL) certificates, you will have to replace the old ones with the new ones after regenerating the signing certificate.)

    Greetz,

    Roelof

    Please let me know (here or PM) if you have any further questions.
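    An added check, written for this thread and not part of the post or of Astaro's own code, that mirrors Roelof's checklist: the system Hostname and the iOS override hostname must agree, and the server certificate must actually carry that name. The certificate contents and hostnames are constructed samples; the dict layout follows what Python's ssl.getpeercert() returns. It goes slightly beyond the post by also handling wildcard names and by treating an IP address as matching only an IP Address SAN entry, never a DNS name or CN.

```python
import ipaddress

# Constructed sample: identities an Astaro-issued server certificate might carry,
# in the dict layout that ssl.SSLSocket.getpeercert() uses.
SERVER_CERT = {
    "subject": ((("commonName", "astaro.domain.com"),),),
    "subjectAltName": (("DNS", "astaro.domain.com"), ("DNS", "*.vpn.domain.com")),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: case-insensitive, wildcard allowed only as the whole left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # A wildcard never spans label boundaries and never covers a bare registrable domain.
        return len(h_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_identities(cert: dict) -> list:
    """(kind, value) identities: SAN entries if present, otherwise the legacy CN fallback."""
    sans = list(cert.get("subjectAltName", ()))
    if sans:
        return sans
    return [("DNS", v) for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cert_matches_hostname(cert: dict, configured_name: str) -> tuple:
    """Does the name the client was told to connect to fall under the certificate? Returns (ok, reason)."""
    try:
        ip = ipaddress.ip_address(configured_name)
    except ValueError:
        ip = None  # configured_name is a DNS name, not an IP literal
    for kind, value in cert_identities(cert):
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True, f"matched IP SAN {value}"
        if ip is None and kind == "DNS" and _dns_match(value, configured_name):
            return True, f"matched DNS identity {value}"
    return False, f"{configured_name!r} not covered by {[v for _, v in cert_identities(cert)]}"


def check_ios_profile(system_hostname: str, override_hostname: str, cert: dict) -> list:
    """Apply the two conditions from the post; an empty list means the profile should validate."""
    findings = []
    if system_hostname.lower() != override_hostname.lower():
        findings.append(f"Hostname {system_hostname!r} differs from override hostname {override_hostname!r}")
    ok, why = cert_matches_hostname(cert, override_hostname)
    if not ok:
        findings.append(f"certificate does not cover the override hostname: {why}")
    return findings
```

    Run check_ios_profile with the two WebAdmin values and the certificate the iOS device is shown; any finding returned is a reason the client will refuse the server certificate.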
  • I have the same log messages when I'm trying to start the VPN config on the iPad.

    I tried the change of names, nothing....
  • Hi there Samuel,

    What version of iOS are you running on your iPad?

    Would it be possible for you to post the logfiles? Or, copy the error messages, on both iPad and the ones generated in your Astaro device.

    Greetz

    Roelof
  • iOS version is 5.1.1

    The error messages in Astaro's live log are the same as Gilbert's; the only difference would be the iPad IP.

    The message on the iPad would be "could not validate the server certificate"; it appears when we try to initiate the VPN connection...

    I checked this:
        - Management -> System Settings -> Hostname -> astaro.domain.com
        - Remote Access -> Cisco VPN -> Global:
              Interface = External (WAN)
              Server Cert = astaro.domain.com
              Pool = VPN cisco pool
              Local Net = Internal network
              Users = vpnuser
              Automatic packet checked
        - Remote Access -> Cisco VPN -> iOS devices:
              Connection name = Company (IPSEC)
              Override hostname = astaro.domain.com

    I also tried override hostname = Astaro's public IP (I read it on a German forum), but nothing...