Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

IPsec Remote Access from iOS using certificates not asking for password

Hi guys

I can't see the wood for the trees -- so please forgive me this (probably stupid) question:

When using PSK for IPsec without certificates, everything is working properly. It asks for password (or I save my password) click Connect and it works.

However, when using Certificates, there is a timeout and it does not ask for password at all when connecting.

I have generated two locally-signed certificate in the Certificate's menu as explained in the knowledge base articles. The remote certificate using Advanced Settings > Certificate ID > DER ASN1 DN (X.509) and the local certificate using Advanced Settings > Certificate ID > DNS with the FQDN of the firewall.

Then I clicked Export Configuration and created three new files with the public key, private key and CA certificate and generated the required PFX file for iOS.

openssl pkcs12 -cafile ca.pem -inkey private.key -in public.pem -export -out ios.pfx

I imported the Certificate on my iPad, created the VPN profile and tried to connect. It says connecting for almost a minute and then disconnects with the error:

Received IKE message with invalid SPI (AA85045D). Deny Session: Couldn't authenticate the remote gateway. Check the authentication settings on both devices.

But it won't prompt for username / password.

Am I doing it wrong?

And why is IKEv2 still not supported? ugh :/



Edited TAGs
[edited by: Erick Jan at 11:07 PM (GMT -7) on 7 Oct 2024]
Parents
  • Hi  ,

         There are a few important things we need to take care when using certificates to connect to XG from iOS devices.

    1. Cannot use appliance cert in the policy.

    2. Server cert should have SAN -> IP address as the public IP (WAN ip address on which the IPSec RA is configured)

    3. Client cert should have X.509 in advance settings-> certificate ID (Select X.509 and leave the next field blank)

           4. Should enable the CA cert as trusted from the iOS device when it shows a popup

    With these changes, we should be able to connect to XG. Please retry with the above changes.

    Also which SFOS release version are you using? Better way will be to import the iOS vpn profile from vpn portal. Are you facing any issues with the default profile file downloaded from vpn portal? 

Reply
  • Hi  ,

         There are a few important things we need to take care when using certificates to connect to XG from iOS devices.

    1. Cannot use appliance cert in the policy.

    2. Server cert should have SAN -> IP address as the public IP (WAN ip address on which the IPSec RA is configured)

    3. Client cert should have X.509 in advance settings-> certificate ID (Select X.509 and leave the next field blank)

           4. Should enable the CA cert as trusted from the iOS device when it shows a popup

    With these changes, we should be able to connect to XG. Please retry with the above changes.

    Also which SFOS release version are you using? Better way will be to import the iOS vpn profile from vpn portal. Are you facing any issues with the default profile file downloaded from vpn portal? 

Children