IPSEC VPN on iOS using Certificates

Hi,

I am in the process of testing an MDM solution which will push a VPN configuration to iOS devices and am having issues.

This has been raised many times before but nothing has been fixed with regards to this.

The only option from the MDM solution is to select one certificate, being the remote certificate in the Sophos XG setup. I am mentioning this before I get a reply saying that I also need to import both certificates for it to work. I and others within the forums have already tried this and it still failed.

The error as always is "The servers certificates identity is incorrect"

Logs from Sophos XG are:

IPSec
Failed

parsing IKE message from XXXXXXXXXXX [4558] failed

Any chance someone from Sophos could look into this? 

  • Hi  

    During the beta stage/forums you had raised an issue with regards to this. I am not sure if you managed to get it fixed or not; we are still having the same issues.

    Old thread https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-issues-bugs/97037/possible-bug---iphone-ipsec-vpn-connection-install-download

    Thanks

  • In reply to waghelak:

    Hey  

    You may be experiencing a different issue, as that thread you referenced and its bug ID (NC-22793) has already been resolved.

    Which firmware version is your XG firewall appliance running? Have you inquired with support of your third-party MDM solution, to verify if there are any other potential workarounds or steps for this one certificate restriction?

    Also, have you already tried our Sophos Mobile Control solution?

    Regards,

    FloSupport | Community Support Engineer

  • In reply to FloSupport:

    Hi  

    We are currently running the latest version, SFOS 17.0.6 MR-6. We are in the process of testing various MDM solutions and until now we have not been able to achieve what is required. We are looking to enable per-app VPN, which requires certificate authentication for it to be able to work.

    Thanks

  • In reply to waghelak:

    Hey  

    I'd suggest taking a look at our Sophos Mobile Control and this related KB article. I would also advise contacting your Sophos Partner/Reseller if you have questions regarding product trialing and how to best utilize this product in your network environment.

    Regards,

    FloSupport | Community Support Engineer

  • In reply to FloSupport:

    Hi  

    I fully understand you pushing for the Sophos version to be tried as well, but it still does not solve the issue with certificate authentication on iOS. I am surprised that rather than getting to the bottom of this issue I am being asked to trial another Sophos product.

    Currently, with all the issues we are having after suggesting that the company go with Sophos XG, I am in no position to suggest another Sophos product.

    Thanks

  • In reply to waghelak:

    Which VPN solution are you currently trying to push out to your iOS clients? Have you also attempted to use Preshared Key authentication for troubleshooting purposes? Also note our KB article for the Cisco VPN client.

    Regards,

    FloSupport | Community Support Engineer

  • In reply to FloSupport:

    Hi

    We are trying to use IPSEC with certificate authentication. We don't have any issues using a preshared key, which works as we expect.

    There are a number of posts by different users from the past year who have had similar issues with certificates and IPSEC VPN on iOS.

    A preshared key has always worked, although VPN on demand and per-app VPN require certificates on iOS, and a preshared key is not something our CAB (change request board) will approve.

    Thanks

  • In reply to waghelak:

    In regards to the certificates you are utilizing for authentication, are you using the XG's Appliance Certificate for the local certificate? How did you have this configured?

    Thanks,

    FloSupport | Community Support Engineer

  • In reply to FloSupport:

    Hi

    The local certificate is the XG Appliance certificate, and for the remote certificate we have created a self-signed certificate through the XG appliance.

    Thanks

  • In reply to FloSupport:

    Maybe it still does not work.

    Same situation. The PSK connection is good, but the cert connection does not work on iOS. (SC Client is working.)

    Certificate identity is incorrect

    (images deleted)

  • In reply to FoW:

    Hi  

    Would it be possible to please enable the support access tunnel on your appliance and PM me with the ID for a closer look?

    Thanks!

  • In reply to FoW:

    I guess this is an open bug in authentication via certificate right now.

    Saw a bug ID attached to V17.5 MR4. 

  • In reply to FloSupport:

    Thanks. I will contact them.

  • In reply to LuCar Toni:

    SFOS 17.5 MR4 Released

    • NC-42099 [IPsec] Sophos Connect Client cannot connect to Sophos Connect Client policy using digital certificate