I have an ASA that's providing IPsec VPN services using certificate authentication (no xauth, just the certs). It works perfectly with the Cisco IPsec VPN Client. Now I'm trying to let iPhones connect.

I've installed the CA cert and a client certificate on the iPhone with a profile using iPCU, along with the VPN configuration. Then connecting gives the error "Could not validate the server certificate". Additionally, the ASA logs the error "Received encrypted Oakley Informational packet with invalid payloads".

FWIW, I receive the same invalid payload error when trying to use the Snow Leopard IPsec client to connect.

Has anyone successfully gotten the iPhone IPsec client to work with certificate auth?

Ben Jencks

2 Answers

To expand upon Simon's answer, the iPhone requires that the subjectAltName of the VPN server's certificate match either the hostname (it will check through DNS) or the IP address of the server to which you're trying to connect. If this does not match you will get the "Could not validate server certificate" error. I was having this same problem and it took me hours to discover that extra proprietary bit.

Keener
  • I haven't looked at this in months, but this sounds like it's probably the solution. – Ben Jencks Oct 19 '10 at 18:23
  • When you say 'it will check through dns'.. Does it require reverse dns to match the hostname? I am trying to do this with a dynamic ip from my ISP. – joet3ch May 11 '11 at 14:36
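As an added illustration of the rule both answers describe (not code from this thread), the check below takes the server name or IP exactly as typed into the VPN profile and decides whether a certificate's subjectAltName covers it. It assumes SAN entries have already been parsed into ("DNS"|"IP", value) pairs (a constructed list here; a real parser such as `cryptography` would supply them), and it takes an optional `resolver` callable, a hypothetical hook standing in for the client's DNS lookup, so it runs offline.

```python
import ipaddress

# Constructed subjectAltName entries, not taken from any real certificate.
SAMPLE_SAN = [
    ("DNS", "vpn.example.com"),
    ("DNS", "*.vpn.example.com"),
    ("IP", "192.0.2.10"),
    ("IP", "2001:db8::10"),
]

def _ip(value):
    """Return an ip_address object, or None if value is not an IP literal."""
    try:
        return ipaddress.ip_address(value.strip("[]"))
    except ValueError:
        return None

def _dns_match(pattern, hostname):
    """Case-insensitive dNSName match; a leading '*' covers one left-most label only."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        head, _, tail = hostname.partition(".")
        return bool(head) and tail == pattern[2:]
    return pattern == hostname

def san_matches(server, san_entries, resolver=None):
    """Decide whether 'server' (hostname or IP literal from the VPN profile) is
    covered by the certificate's subjectAltName. An IP literal must appear as an
    iPAddress entry; a hostname is accepted via a dNSName entry or, when a
    resolver is supplied, via an iPAddress entry equal to what it resolves to
    (the 'it will check through DNS' behaviour). Returns (bool, reason)."""
    if not san_entries:
        return False, "certificate has no subjectAltName; the CN alone is not enough"
    dns_names = [v for t, v in san_entries if t == "DNS"]
    ip_names = [ip for ip in (_ip(v) for t, v in san_entries if t == "IP") if ip]
    literal = _ip(server)
    if literal is not None:
        if literal in ip_names:
            return True, f"iPAddress entry matches {literal}"
        return False, f"{literal} is not listed as an iPAddress SAN"
    for name in dns_names:
        if _dns_match(name, server):
            return True, f"dNSName entry {name!r} matches {server!r}"
    if resolver is not None:
        for addr in resolver(server):
            if _ip(addr) in ip_names:
                return True, f"{server!r} resolves to listed iPAddress {addr}"
    return False, f"{server!r} matches neither a dNSName nor a listed iPAddress"
```

Running it against a certificate that only carries a CN, or against an IP-configured profile when the SAN lists only a DNS name, reproduces the "Could not validate the server certificate" failure mode before touching the phone.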
The "could not validate the server certificate" error is where the host name on the certificate being sent back to the iPhone does not match what the VPN settings say on the iPhone.

And yes, I have got it to work :-)

I haven't got around the issue where it all connects fine and then prompts for their AD username and password, but I will have resolved this later this afternoon.

Cheers, Si