TMG: IPSEC + IPAD

    Question

  • I have a problem connecting to my IPsec VPN on Microsoft TMG.
    When I try to connect (on IPsec with certificate) from Windows XP and Win7 to this VPN, I don't have any problems.

    On my iPad I can only connect on L2TP with a preshared key, but on IPsec with certificate still nothing.

    I tried connecting with two certificates: the same one that I have on the PC, and a new one only for the iPad. In the iPhone configuration tool I installed all certificates (CA root, CA sub, VPN on TMG, client cert with client authentication). In my cert I have an external CRL. I also tried a certificate with additional SANs (VPN server FQDN and IP address).

    When I try to connect from the iPad to the TMG IPsec VPN, I find this error in the logs:

    EventId: 4653

    An IPsec main mode negotiation failed.

    Local Endpoint:
        Local Principal Name:    -
        Network Address:    x.x.x.x
        Keying Module Port:    500

    Remote Endpoint:
        Principal Name:        -
        Network Address:    x.x.x.x
        Keying Module Port:    500

    Additional Information:
        Keying Module Name:    IKEv1
        Authentication Method:    Unknown authentication
        Role:            Responder
        Impersonation State:    Not enabled
        Main Mode Filter ID:    81468

    Failure Information:
        Failure Point:        Local computer
        Failure Reason:        Policy match error

        State:            No state
        Initiator Cookie:        125c19e98ad1d2fc
        Responder Cookie:    12c37763603c8b13

    So maybe anyone can help me? What am I doing wrong?

    Thanks a lot.

    Thursday, June 21, 2012 06:24
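
When more than one of these failures shows up in the Security log, the Event 4653 message text shown in the question can be parsed into fields and grouped by keying module, authentication method and failure reason. This is an added example, not part of the thread; the function names are hypothetical, and the sample is the event from the question, abridged.

```python
import re
from collections import Counter

# Constructed sample: the event text from the post, abridged (the poster
# had already masked the addresses as x.x.x.x).
SAMPLE_EVENT = """\
An IPsec main mode negotiation failed.

Remote Endpoint:
    Principal Name:        -
    Network Address:    x.x.x.x
    Keying Module Port:    500

Additional Information:
    Keying Module Name:    IKEv1
    Authentication Method:    Unknown authentication
    Role:            Responder

Failure Information:
    Failure Point:        Local computer
    Failure Reason:        Policy match error

    State:            No state
"""

def parse_event(text):
    """Return {section: {field: value}} for one event message."""
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*([^:]+):\s*(.*)$", line)
        if not m:
            continue  # blank lines and the headline sentence
        key, value = m.group(1).strip(), m.group(2).strip()
        if value == "":
            current = sections.setdefault(key, {})  # "Section:" header line
        elif current is not None:
            current[key] = value  # field inside the current section
    return sections

def failure_signature(event):
    """Tuple that identifies failures sharing module, auth method and reason."""
    info = event.get("Additional Information", {})
    fail = event.get("Failure Information", {})
    return (info.get("Keying Module Name"), info.get("Authentication Method"),
            fail.get("Failure Point"), fail.get("Failure Reason"))

def summarize(event_texts):
    """Count events per failure signature across many event messages."""
    return Counter(failure_signature(parse_event(t)) for t in event_texts)
```
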

All replies

  • Hi,

    Thank you for the post.

    As far as I know, iOS works with VPN servers that support L2TP/IPSec with user authentication by MS-CHAPV2 Password, RSA SecurID or CryptoCard, and machine authentication by shared secret. It does not support certificate based authentication with this VPN type.

    Regards,


    Nick Gu - MSFT

    Thursday, June 21, 2012 14:35
    Moderator
  • Hello Nick - Thanks a lot for the response,

    I found this: http://help.apple.com/iosdeployment-vpn/?lang=en-us#app36c9653d

    and Apple says:

    Authentication methods

    iOS supports the following authentication methods:

    • Pre-shared key IPSec authentication with user authentication via xauth.

    • Client and server certificates for IPSec authentication, with optional user authentication via xauth.

    and a second link: http://support.apple.com/kb/HT1288

    iOS works with VPN servers that support the following protocols and authentication methods:

    • L2TP/IPSec with user authentication by MS-CHAPV2 Password, RSA SecurID or CryptoCard, and machine authentication by shared secret.
    • PPTP with user authentication by MS-CHAPV2 Password, RSA SecurID, or CRYPTOCard.
    • Cisco IPSec with user authentication by Password, RSA SecurID, or CRYPTOCard, and machine authentication by shared secret and certificates. Cisco IPSec supports VPN On Demand for domains you specify during device configuration.

    So on the iPad I have the Cisco IPSec configuration:

    - domain user

    - client certificate


    • Edited by gator9 Friday, June 22, 2012 06:06
    Friday, June 22, 2012 05:58