Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

IPsec Remote Access from iOS using certificates not asking for password

Hi guys

I can't see the wood for the trees -- so please forgive me this (probably stupid) question:

When using PSK for IPsec without certificates, everything is working properly. It asks for password (or I save my password) click Connect and it works.

However, when using Certificates, there is a timeout and it does not ask for password at all when connecting.

I have generated two locally-signed certificate in the Certificate's menu as explained in the knowledge base articles. The remote certificate using Advanced Settings > Certificate ID > DER ASN1 DN (X.509) and the local certificate using Advanced Settings > Certificate ID > DNS with the FQDN of the firewall.

Then I clicked Export Configuration and created three new files with the public key, private key and CA certificate and generated the required PFX file for iOS.

openssl pkcs12 -cafile ca.pem -inkey private.key -in public.pem -export -out ios.pfx

I imported the Certificate on my iPad, created the VPN profile and tried to connect. It says connecting for almost a minute and then disconnects with the error:

Received IKE message with invalid SPI (AA85045D). Deny Session: Couldn't authenticate the remote gateway. Check the authentication settings on both devices.

But it won't prompt for username / password.

Am I doing it wrong?

And why is IKEv2 still not supported? ugh :/



Edited TAGs
[edited by: Erick Jan at 11:07 PM (GMT -7) on 7 Oct 2024]
Parents Reply Children
No Data